Parse Binary file with Powershell

Question

I am trying to search through a binary file. After reviewing the file via a hex editor I found patterns throughout the file. You can see them here. As you can see they are before and after the file listing.

/% ......C:\Users\\Desktop\test1.pdf..9

/% ......C:\Users\\Desktop\testtesttesttest.pdf..9

What I woudld like to do is find ..9 (HEX = 000039), and then "backup" until I find, /% ...... (hex = 2F25A01C1000000000), then move forward x amount of bytes so I can get the complete path. The code I have now is below:

$file = 'C:\Users\<username>\Desktop\bc03160ee1a59fc1.automaticDestinations-ms'
$begin_pattern = '2F25A01C1000000000' #/% ......
$end_pattern = '000039' #..9
$prevBytes = '8'
$bytes = [string]::join('', (gc $file -en byte | % {'{0:x2}' -f $_}))
[regex]::matches($bytes, $end_pattern) |
% {
$i = $_.index - $prevBytes * 2
[string]::join('', $bytes[$i..($i + $prevBytes * 2 - 1)])
}

Some of the output roughly translates to this:

ffff2e0000002f000000300000003b0000003200000033000000340000003500000036000000370000003800 655c4465736b746f705c466f72656e7369635f426f6f6b735c5b656e5d646566745f6d616e75616c2e706466 0000000000000000000000000000010000000a00000000000000000020410a000000000000000a00000000

ÿÿ./0;2345678?e\Desktop\deft_manual.pdf?

?sic Science, Computers, and the Internet.pdf

?ware\Desktop\Dive Into Python 3.pdf?

Answer 1

You can use the System.IO.BinaryReader class from PowerShell.

$path = "<yourPathToTheBinaryFile>"

$binaryReader = New-Object System.IO.BinaryReader([System.IO.File]::Open($path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite))

Then you have access to all the methods like:

$binaryReader.BaseStream.Seek($pos, [System.IO.SeekOrigin]::Begin)

AFAIK, no easy way to "find" a pattern without reading the bytes (using ReadBytes) and implementing the search yourself.