/// <summary>
/// Takes signature string and checks it against file header buffer
/// </summary>
/// <param name="buffer"></param>
/// <param name="hexSignature"></param>
/// <param name="extension"></param>
/// <param name="description"></param>
/// <returns>bool signature found</returns>
public static bool CheckSignature(byte[] buffer, string hexSignature, string extension, string description)
{
//check that the signature read is complete enough to yeld useful info
if (!String.IsNullOrEmpty(extension) || !String.IsNullOrEmpty(description))
{
// Console.Write("Checking Extension: {0}\t", extension);
if (!String.IsNullOrEmpty(hexSignature))//checks for a hexSig to look for
{
byte[] hexSigBuffer = new byte[hexSignature.Trim().Split(' ').Length];
FASignature.GetHexSignatureBytes(hexSignature, ref hexSigBuffer);
for (int i = 0; i < hexSigBuffer.Length; i++)
{
//Console.WriteLine($"Buf:{buffer[i]} \t Sig:{hexSigBuffer[i]}");
if (buffer[i] != hexSigBuffer[i])
{
return(false);
}
}
return(true);
}
}
return(false);
}
/// <summary>
/// Haldling function for Zip files. Attempts to identify them further.
/// </summary>
/// <param name="filename"></param>
/// <returns></returns>
public static FASignature IdentifyZip(string filename)
{
/******Experimental functionality to help identify Office suite files
* TODO research safety of unzipping random files. practicality. etc.
* not 100% confidence in uniqueness of ID
*/
FASignature retSig = null;
const string tempDirectory = @"..\..\..\..\Temp\TestFolder";
// Extract identified zip file to temp dir
ZipFile.ExtractToDirectory(filename, tempDirectory);
//MS Word
if (Directory.Exists(tempDirectory + "\\word"))
{
Console.WriteLine("MS Word Identified");
retSig = new FASignature("", "docx", 0, "Microsoft Word Document");
}
//MS Excel
else if (Directory.Exists(tempDirectory + @"\xl\worksheets"))
{
Console.WriteLine("MS Excel Identified");
retSig = new FASignature("", "xlsx", 0, "Microsoft Excel Document");
}
//MS PPT
else if (Directory.Exists(tempDirectory + @"\ppt\slides"))
{
Console.WriteLine("MS Powerpoint Identified");
retSig = new FASignature("", "xlsx", 0, "Microsoft Powerpoint Document");
}
//ODT
else if (Directory.Exists(tempDirectory + "\\META-INF"))
{
Console.WriteLine("Settings Exists");
XDocument xDoc = XDocument.Load(tempDirectory + @"\settings.xml");
if (xDoc.Root.Name.LocalName == "document-settings")
{
Console.WriteLine("Open Document Format Extension: .odt");
retSig = new FASignature("", "odt", 0, "Open Document Text");
}
}
//TODO eexamine and identify more filetypes using this extension
else
{
Console.WriteLine("Zip of otherwise not currently implemented filetype.");
}
//cleanup after yourself...
if (Directory.Exists(tempDirectory))
{
Directory.Delete(tempDirectory, recursive: true);
}
return(retSig);
}
/// <summary>
/// Takes as FAsignature and checks it against file header buffer
/// </summary>
/// <param name="buffer">file header buffer</param>
/// <param name="faSig">signature</param>
/// <returns>bool signature found</returns>
public static bool CheckSignature(byte[] buffer, FASignature faSig)
{
if (!String.IsNullOrEmpty(faSig.Extension))
{
if (!String.IsNullOrEmpty(faSig.HexSignature))//checks for a hexSig to look for
{
byte[] hexSigBuffer = faSig.GetHexSignature();
for (int i = 0; i < hexSigBuffer.Length; i++)
{
//Console.WriteLine($"Buf:{buffer[i]} \t Sig:{hexSigBuffer[i]}");
if (buffer[i + faSig.Offset] != hexSigBuffer[i])
{
return(false);
}
}
return(true);
}
}
return(false);
}
/// <summary>
/// Currently reads formats list from an excel file. Looks for a possible match
/// </summary>
/// <param name="filename">File name to check</param>
public static List <FASignature> ReadFileHeaders(String filename)
{
List <FASignature> detectedSignatures = new List <FASignature>();
using (FileStream fileStream = File.OpenRead(filename))
{
//FileHeader fileHeader = new FileHeader();
try
{
byte[] buffer = new byte[FILE_HEADER_SIZE];
//fileStream.Seek(0, SeekOrigin.Begin);
fileStream.Read(buffer, 0, FILE_HEADER_SIZE);
const string fileName = @"..\..\..\..\FileExtensions.xlsx";
//var sheet = "Wikipedia";
var sheet = "FileSignatures.net";
//this likes .xls, but not the newer format .xlsx
var connXLSX = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source={0}; Extended Properties='Excel 12.0 Xml; HDR=YES'";
//var connXLS = "Provider=Microsoft.Jet.OLEDB.4.0; data source={0}; Extended Properties=Excel 8.0;";
var connectionString = string.Format(connXLSX, fileName);
DataTable db = null;
OleDbDataAdapter adapter;
DataSet ds;
try
{
string query = $"SELECT * FROM [{sheet}$]"; //TODO adjust query to specify columns.
adapter = new OleDbDataAdapter(query, connectionString);
ds = new DataSet();
string tablename = "fileextensions";
adapter.Fill(ds, tablename);
db = ds.Tables[tablename];
}
catch (Exception ex) //handle chance file is currently open.
{
Console.WriteLine("Please save and close Excel file extension file then retry.");
Console.WriteLine(ex.Message);
}
int rc = 0;
if (null != db && null != db.Rows)
{
foreach (DataRow dataRow in db.Rows)
{
//handle for nulls; pass to check function
string hexSignature = "";
string extension = "";
string description = "";
int offset;
//fill variables to pass into object instance
if (!dataRow.IsNull(0))
{
hexSignature = dataRow.Field <string>(0).Trim();
}
if (!dataRow.IsNull(3))
{
extension = dataRow.Field <string>(3);
}
offset = (!dataRow.IsNull(2)) ? (int)dataRow.Field <double>(2) : 0;
if (!dataRow.IsNull(4))
{
description = dataRow.Field <string>(4);
}
FASignature faSig = new FASignature(hexSignature, extension, 0, description);
if (hexSignature.Length > 0 && (extension.Length > 0 || description.Length > 0))
{
if (CheckSignature(buffer, faSig))
{
detectedSignatures.Add(faSig);
}
}
rc++;
}
}
}
catch (Exception ex)
{
Console.ForegroundColor = ConsoleColor.Red;
Console.WriteLine("{0}", ex.Message);
Console.ResetColor();
throw ex;
}
}
return(detectedSignatures);
}
