diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
index 45e995f54d..447973d976 100644
--- a/libclamav/ole2_extract.c
+++ b/libclamav/ole2_extract.c
@@ -86,6 +86,11 @@ typedef struct ole2_header_tag {
 uint16_t log2_big_block_size __attribute__((packed)); /* usually 9 (2^9 = 512) */
 uint32_t log2_small_block_size __attribute__((packed)); /* usually 6 (2^6 = 64) */
+ /*
+ * This is technically incorrect. log2_small_block_size should be a uint16_t, and reserved should
+ * be 6 bytes. This makes everything line up, but could potentially cause issues when switching byte order
+ * for log2_small_block_size. Consider changing.
+ */
 int32_t reserved[2] __attribute__((packed));
 int32_t bat_count __attribute__((packed));
@@ -410,6 +415,7 @@ print_ole2_property(property_t *property)
 static void
 print_ole2_header(ole2_header_t *hdr)
 {
+#if 0
 if (!hdr || !cli_debug_flag) {
 return;
 }
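Review bot: The new comment frames the layout mismatch only as a byte-order concern, but on a little-endian host the upper 16 bits of `log2_small_block_size` are the specification's reserved bytes, so a file with non-zero bytes there changes the value read even without any swapping (assuming the header is copied straight from the file, as the packed layout suggests; the reader is not in this hunk). A sentence making that explicit would help whoever picks up the "Consider changing": `Until then only the low 16 bits of log2_small_block_size are the mini-sector shift; the high 16 bits are reserved in the file format and must be treated as untrusted input.` The struct definition continues outside the hunk.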
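Review bot: Placing `#if 0` above the `if (!hdr || !cli_debug_flag)` guard removes the NULL check together with the debug gate, so the `fprintf(stderr, ...)` block added in the -437 hunk dereferences `hdr` unconditionally and prints the header on every scan of the library. Keep the NULL test outside the disabled region, `if (!hdr) { return; }` ahead of `#if 0`, and route the diagnostics through `cli_dbgmsg` (or a `cli_debug_flag` check) rather than bare `fprintf(stderr, ...)`. The same ungated stderr tracing appears in the ole2_extract_images.h hunks (-793, -875, -884) and the xlm_extract.c hunk; it reads as work-in-progress instrumentation rather than code to merge. The function body continues outside the hunk.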
@@ -437,6 +443,40 @@ print_ole2_header(ole2_header_t *hdr)
 cli_dbgmsg("XBat start:\t\t%d\n", hdr->xbat_start);
 cli_dbgmsg("XBat block count:\t%d\n", hdr->xbat_count);
 cli_dbgmsg("\n");
+
+
+
+#endif
+ fprintf(stderr, "\n");
+ fprintf(stderr, "Magic:\t\t\t0x%x%x%x%x%x%x%x%x\n",
+ hdr->magic[0], hdr->magic[1], hdr->magic[2], hdr->magic[3],
+ hdr->magic[4], hdr->magic[5], hdr->magic[6], hdr->magic[7]);
+
+ fprintf(stderr, "CLSID:\t\t\t{%x%x%x%x-%x%x-%x%x-%x%x-%x%x%x%x%x%x}\n",
+ hdr->clsid[0], hdr->clsid[1], hdr->clsid[2], hdr->clsid[3],
+ hdr->clsid[4], hdr->clsid[5], hdr->clsid[6], hdr->clsid[7],
+ hdr->clsid[8], hdr->clsid[9], hdr->clsid[10], hdr->clsid[11],
+ hdr->clsid[12], hdr->clsid[13], hdr->clsid[14], hdr->clsid[15]);
+
+ fprintf(stderr, "Minor version:\t\t0x%x\n", hdr->minor_version);
+ fprintf(stderr, "DLL version:\t\t0x%x\n", hdr->dll_version);
+ fprintf(stderr, "Byte Order:\t\t%d\n", hdr->byte_order);
+ fprintf(stderr, "Big Block Size:\t%i\n", hdr->log2_big_block_size);
+ fprintf(stderr, "Small Block Size:\t%i\n", hdr->log2_small_block_size);
+ fprintf(stderr, "BAT count:\t\t%d\n", hdr->bat_count);
+ fprintf(stderr, "Prop start:\t\t%d\n", hdr->prop_start);
+ fprintf(stderr, "SBAT cutoff:\t\t%d\n", hdr->sbat_cutoff);
+ fprintf(stderr, "SBat start:\t\t%d\n", hdr->sbat_start);
+ fprintf(stderr, "SBat block count:\t%d\n", hdr->sbat_block_count);
+ fprintf(stderr, "XBat start:\t\t%d\n", hdr->xbat_start);
+ fprintf(stderr, "XBat block count:\t%d\n", hdr->xbat_count);
+ fprintf(stderr, "\n");
+
+
+
+
+
+
 return;
 }
@@ -636,6 +676,7 @@ static int ole2_cmp_name(const char *const name, uint32_t name_size, const char
 decoded[j] = ((unsigned char)name[i + 1]) << 4;
 decoded[j] += name[i];
 }
+ //fprintf(stderr, "%s::%d::%s\n", __FUNCTION__, __LINE__, decoded);
 return strcasecmp(decoded, keyword);
 }
diff --git a/libclamav/ole2_extract_images.h b/libclamav/ole2_extract_images.h
index 59b5fa2526..ea656abd69 100644
--- a/libclamav/ole2_extract_images.h
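Review bot: The `Magic:` and `CLSID:` lines print each byte with a bare `%x`, so any byte below 0x10 comes out as a single digit and the concatenated value is ambiguous (0x01 followed by 0x23 is indistinguishable from 0x12 followed by 0x3). Use a fixed width per byte, e.g. `"Magic:\t\t\t0x%02x%02x%02x%02x%02x%02x%02x%02x\n"` and the same `%02x` in the CLSID format. `log2_small_block_size` is declared `uint32_t` in the -86 hunk, so `%u` rather than `%i` is the matching conversion for it; the remaining `%d` conversions on the `int32_t` fields are fine.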
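Review bot: The commented-out `//fprintf(...)` added to ole2_cmp_name is dead code; either drop it or make it a gated `cli_dbgmsg("%s::%d::%s\n", __FUNCTION__, __LINE__, decoded);` so it is only emitted in debug mode. Printing `decoded` with `%s` is only safe if the buffer is NUL-terminated after the loop, which this hunk does not show. The function begins outside the hunk.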
+++ b/libclamav/ole2_extract_images.h 
@@ -793,15 +793,106 @@ static void processOfficeArtFBSE(cli_ctx * ctx, ole2_header_t *hdr, OfficeArtRec
 offset += fbse.cbName;
 if (imageHeader->recLen == (sizeof(OfficeArtFBSEKnown) + fbse.cbName + fbse.size)) {
+fprintf(stderr, "%s::%d::Blip is embedded\n", __FUNCTION__, __LINE__);
 /* The BLIP is embedded in this record*/
 processOfficeArtBlip(ctx, &(ptr[offset]));
 } else {
 /* The BLIP is in the 'WordDocument' stream. */
 size_t size = fbse.size;
 const uint8_t * const ptr = load_pointer_to_stream_from_fmap(hdr, wordDocBlock, fbse.foDelay, size);
+fprintf(stderr, "%s::%d::Blip is in WordDocument stream, delay = %u (0x%x)\n", __FUNCTION__, __LINE__, fbse.foDelay, fbse.foDelay);
 processOfficeArtBlip(ctx, ptr);
 }
+#if 0
+ size_t i;
+ fprintf(stderr, "%s::%d::", __FUNCTION__, __LINE__);
+ for (i = 0; i < 16; i++) {
+ fprintf(stderr, "%02x ", ptr[i + offset]);
+ }
+ fprintf(stderr, "\n");
+#endif
+
+
+
+#if 1
+ fprintf(stderr, "%s::%d::before cpy\n", __FUNCTION__, __LINE__);
+ copy_OfficeArtRecordHeader(imageHeader, &(ptr[offset]));
+ offset += sizeof(OfficeArtRecordHeader);
+
+ copy_OfficeArtFBSEKnown (&fbse, &(ptr[offset]));
+ offset += sizeof(OfficeArtFBSEKnown );
+ recInst = getRecInst(imageHeader);
+
+ fprintf(stderr, "%s::%d::recInst = %d\n", __FUNCTION__, __LINE__, recInst);
+ fprintf(stderr, "%s::%d::fbse.btWin32 = %d\n", __FUNCTION__, __LINE__, fbse.btWin32);
+ fprintf(stderr, "%s::%d::fbse.btMacOS = %d\n", __FUNCTION__, __LINE__, fbse.btMacOS);
+
+ //here;
+
+
+ if ((recInst != fbse.btWin32) && (recInst != fbse.btMacOS)) {
+ cli_dbgmsg("ERROR Invalid recInst 0x%x\n", recInst);
+ return;
+ }
+ fprintf(stderr, "%s::%d\n", __FUNCTION__, __LINE__);
+ if (imageHeader->recType != 0xf007) {
+ cli_dbgmsg("ERROR Invalid recType 0x%x\n", imageHeader->recType);
+ return;
+ }
+ fprintf(stderr, "%s::%d\n", __FUNCTION__, __LINE__);
+
+ offset += fbse.cbName;
+
+ if (imageHeader->recLen == (sizeof(OfficeArtFBSEKnown) + fbse.cbName + fbse.size)) {
+fprintf(stderr, "%s::%d::Blip 
is embedded\n", __FUNCTION__, __LINE__);
+ /* The BLIP is embedded in this record*/
+ processOfficeArtBlip(ctx, &(ptr[offset]));
+ } else {
+ /* The BLIP is in the 'WordDocument' stream. */
+ size_t size = fbse.size;
+ const uint8_t * const ptr = load_pointer_to_stream_from_fmap(hdr, wordDocBlock, fbse.foDelay, size);
+fprintf(stderr, "%s::%d::Blip is in WordDocument stream, delay = %u (0x%x)\n", __FUNCTION__, __LINE__, fbse.foDelay, fbse.foDelay);
+ processOfficeArtBlip(ctx, ptr);
+ }
+
+#endif
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ fprintf(stderr, "%s::%d::Looks like this might be IT!!!!\n", __FUNCTION__, __LINE__);
+
 }
 static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcLcb97 * header, const uint8_t * ptr, property_t * wordDocBlock) {
@@ -875,6 +966,7 @@ static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcL
 * * */
 #define OFFICE_ART_FBSE_REC_TYPE 0x2
+ fprintf(stderr, "%s::%d::imageCnt = %d\n", __FUNCTION__, __LINE__, imageCnt);
 for (i = 0; i < imageCnt; i++) {
 OfficeArtRecordHeader imageHeader;
 copy_OfficeArtRecordHeader(&imageHeader, &(ptr[offset]));
@@ -884,11 +976,17 @@ static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcL
 /* OfficeArtFBSE
 * https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-odraw/2f2d7f5e-d5c4-4cb7-b230-59b3fe8f10d6
 */
+ fprintf(stderr, "%s::%d::calling processOfficeArtFBSE\n", __FUNCTION__, __LINE__);
 processOfficeArtFBSE(ctx, ole2Hdr, &imageHeader, &(ptr[offset]), wordDocBlock);
 } else {
+ fprintf(stderr, "%s::%d::calling processOfficeArtBlip\n", __FUNCTION__, __LINE__);
 processOfficeArtBlip(ctx, &(ptr[offset]));
 }
 }
+
+ //here;
+
+
 }
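Review bot: The `#if 1` block parses a second OfficeArtFBSE record from `ptr[offset]` after `offset` has already been advanced past the first one, but neither the block nor the visible context checks that `offset + sizeof(OfficeArtRecordHeader) + sizeof(OfficeArtFBSEKnown) + fbse.cbName` still lies inside the buffer before `copy_OfficeArtRecordHeader`, `copy_OfficeArtFBSEKnown` and the `&(ptr[offset])` reads; if the caller sized `ptr` by the first record's `recLen` only, the second parse reads past it on a crafted document (processOfficeArtFBSE starts outside the hunk, so the caller-side bound may exist — please confirm). The duplicated else-branch also hands the result of `load_pointer_to_stream_from_fmap` to `processOfficeArtBlip` without a NULL check, `if (NULL == ptr) { cli_dbgmsg("ERROR: Invalid BLIP offset\n"); return; }` is the minimum, and its `const uint8_t * const ptr` shadows the buffer `ptr` the rest of the block indexes. If parsing a second record is intended, factor the header/FBSE/BLIP sequence into a helper that takes the remaining length explicitly rather than copy-pasting it; the `#if 0` hex dump, the `//here;` markers, the run of blank lines and the stderr tracing should not be merged.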
@@ -943,6 +1041,7 @@ void ole2_process_image_directory( cli_ctx * ctx, ole2_header_t * hdr, ole2_imag
 /*Call Extract */
 size_t offset = get_stream_data_offset(hdr, tableStream, tableStream->start_block);
+ /*TODO: Fix hardcoded 4k*/
 ptr = fmap_need_off_once(hdr->map, offset, 4096);
 if (NULL == ptr) {
 cli_dbgmsg("ERROR: Invalid offset for File Information Block %ld (0x%lx)\n", offset, offset);
diff --git a/libclamav/xlm_extract.c b/libclamav/xlm_extract.c
index 6a09d22985..9de9da2bfa 100644
--- a/libclamav/xlm_extract.c
+++ b/libclamav/xlm_extract.c
@@ -4626,6 +4626,8 @@ cl_error_t cli_extract_xlm_macros_and_images(const char *dir, cli_ctx *ctx, char
 unsigned char *drawinggroup = NULL;
 size_t drawinggroup_len = 0;
+ fprintf(stderr, "%s::%d::INHREE\n", __FUNCTION__, __LINE__);
+
 biff8_opcode previous_biff8_opcode = 0x0; // Initialize to 0x0, which isn't even in our enum.
 // This variable will allow the OPC_CONTINUE record
 // to know which record it is continuing.