通过偏移量在 ZIP 文件中定位 EOCD [英] Locating EOCD in ZIP files by offset
问题描述
我正在尝试编写一组 yara 签名,这些签名将根据创建的工件标记 zip 文件.
I'm trying to write a collection of yara signatures that will tag zip files based on artifacts of their creation.
我知道 EOCD 有一个幻数 0x06054b50,并且它位于存档结构的末尾.它有一个可变长度的注释字段,最大长度为 0xFFFF,因此 EOCD 可以达到 0xFFFF+ ~20 个字节.然而,在 zip 结构之后可能有数据可以摆脱任何偏移依赖扫描.
I understand the EOCD has a magic number of 0x06054b50, and that it is located at the end of the archive structure. It has a variable length comment field, with a max length of 0xFFFF, so the EOCD could be up to 0xFFFF+ ~20 bytes. However, there could be data after the zip structure that could throw off the any offset dependent scanning.
有没有办法在不扫描整个文件的情况下定位记录的魔术字节?如果 EOCD 之后可以有数据,您如何验证魔术字节不是巧合的存在?
Is there any way to locate the record without scanning the whole file for the magic bytes? How do you validate that the magic bytes aren't there by coincidence if there can be data after the EOCD?
推荐答案
这通常通过从文件末尾向后扫描直到找到 EOCD 签名来完成.是的,有可能找到嵌入在注释中的相同签名,因此您需要检查 EOCD 记录的其他部分,看看它们是否与您正在阅读的文件一致.
This is typically done by scanning backwards from the end of the file until you find the EOCD signature. Yes, it is possible to find the same signature embedded in the comment, so you need to check other parts of the EOCD record to see if they are consistent with the file you are reading.
例如,如果 EOCD 记录不在文件末尾,则 EOCD 中的 comment length 字段不能为零.它应该与文件中剩余的字节数相匹配.
For example, if the EOCD record isn't at the end of the file, the comment length field in the EOCD cannot be zero. It should match the number of bytes left in the file.
同样,如果这是一个单磁盘存档,中央目录起始偏移量需要指向 zip 存档大小内的某个位置.如果您想遵循该偏移量,您应该找到中央目录记录的签名.
Similarly, if this is a single disk archive, the offset of start of central directory needs to point to somewhere within the size of the zip archive. If you want to follow that offset you should find the signature for a central directory record.
等等.
请注意,我忽略了 Zip64 记录和加密记录的复杂性,但原理是相同的.您需要检查记录中的字段是否与正在读取的文件一致.
Note that I've ignored the complications of the Zip64 records and encryption records, but the principle is the same. You need to check the fields in the records are consistent with the file being read.
这篇关于通过偏移量在 ZIP 文件中定位 EOCD的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
