| c561d2a3 |
/* |
| 1f301ecc |
* Extract VBA source code for component MS Office Documents |
| c561d2a3 |
*
* Copyright (C) 2004 trog@uncon.org
*
* This code is based on the OpenOffice and libgsf sources.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <ctype.h> |
| 9c51d9ab |
#include <zlib.h>
#include "clamav.h" |
| c561d2a3 |
|
| 5880abba |
#if HAVE_CONFIG_H
#include "clamav-config.h"
#endif
|
| c561d2a3 |
#include "vba_extract.h" |
| fb2a7e38 |
#include "others.h" |
| c561d2a3 |
#define FALSE (0)
#define TRUE (1)
typedef struct vba_version_tag {
unsigned char signature[4];
const char *name;
int vba_version;
int is_mac;
} vba_version_t;
|
| 0ee38b0e |
static uint16_t vba_endian_convert_16(uint16_t value, int is_mac) |
| 2c51fe53 |
{ |
| 0ee38b0e |
if (is_mac) { |
| 5880abba |
#if WORDS_BIGENDIAN == 0 |
| 0ee38b0e |
return ((value >> 8) + (value << 8)); |
| d70b2d88 |
#else |
| 0ee38b0e |
return value; |
| d70b2d88 |
#endif |
| 0ee38b0e |
} else { |
| 5880abba |
#if WORDS_BIGENDIAN == 0 |
| 0ee38b0e |
return value; |
| d70b2d88 |
#else |
| 0ee38b0e |
return ((value >> 8) + (value << 8)); |
| 2c51fe53 |
#endif |
| 0ee38b0e |
} |
| d70b2d88 |
} |
| 2c51fe53 |
|
| 0ee38b0e |
static uint32_t vba_endian_convert_32(uint32_t value, int is_mac) |
| 2c51fe53 |
{ |
| 0ee38b0e |
if (is_mac) { |
| 2c51fe53 |
#if WORDS_BIGENDIAN == 0 |
| 0ee38b0e |
return ((value >> 24) | ((value & 0x00FF0000) >> 8) |
((value & 0x0000FF00) << 8) | (value << 24)); |
| 2c51fe53 |
#else |
| 0ee38b0e |
return value; |
| d70b2d88 |
#endif |
| 0ee38b0e |
} else { |
| 2c51fe53 |
#if WORDS_BIGENDIAN == 0 |
| 0ee38b0e |
return value; |
| 2c51fe53 |
#else |
| 0ee38b0e |
return ((value >> 24) | ((value & 0x00FF0000) >> 8) |
((value & 0x0000FF00) << 8) | (value << 24)); |
| 2c51fe53 |
#endif |
| 0ee38b0e |
} |
| 2c51fe53 |
} |
| d70b2d88 |
|
| c561d2a3 |
typedef struct byte_array_tag {
unsigned int length;
unsigned char *data;
} byte_array_t;
|
| 567a388c |
#define NUM_VBA_VERSIONS 13 |
| c561d2a3 |
vba_version_t vba_version[] = {
{ { 0x5e, 0x00, 0x00, 0x01 }, "Office 97", 5, FALSE},
{ { 0x5f, 0x00, 0x00, 0x01 }, "Office 97 SR1", 5, FALSE },
{ { 0x65, 0x00, 0x00, 0x01 }, "Office 2000 alpha?", 6, FALSE },
{ { 0x6b, 0x00, 0x00, 0x01 }, "Office 2000 beta?", 6, FALSE },
{ { 0x6d, 0x00, 0x00, 0x01 }, "Office 2000", 6, FALSE }, |
| d553aee3 |
{ { 0x6f, 0x00, 0x00, 0x01 }, "Office 2000", 6, FALSE }, |
| c561d2a3 |
{ { 0x70, 0x00, 0x00, 0x01 }, "Office XP beta 1/2", 6, FALSE },
{ { 0x73, 0x00, 0x00, 0x01 }, "Office XP", 6, FALSE }, |
| 567a388c |
{ { 0x76, 0x00, 0x00, 0x01 }, "Office 2003", 6, FALSE }, |
| 0ee38b0e |
{ { 0x79, 0x00, 0x00, 0x01 }, "Office 2003", 6, FALSE }, |
| c561d2a3 |
{ { 0x60, 0x00, 0x00, 0x0e }, "MacOffice 98", 5, TRUE },
{ { 0x62, 0x00, 0x00, 0x0e }, "MacOffice 2001", 5, TRUE }, |
| 7f765c70 |
{ { 0x63, 0x00, 0x00, 0x0e }, "MacOffice X", 6, TRUE }, |
| c561d2a3 |
};
#define VBA56_DIRENT_RECORD_COUNT (2 + /* magic */ \
4 + /* version */ \
2 + /* 0x00 0xff */ \
22) /* unknown */
#define VBA56_DIRENT_HEADER_SIZE (VBA56_DIRENT_RECORD_COUNT + \
2 + /* type1 record count */ \
2) /* unknown */
|
| 0ee38b0e |
static char *get_unicode_name(char *name, int size, int is_mac) |
| c561d2a3 |
{
int i, j;
char *newname; |
| 736af806 |
|
| 2c51fe53 |
if (*name == 0 || size <= 0) { |
| c561d2a3 |
return NULL;
} |
| 736af806 |
|
| b4eec9b7 |
newname = (char *) cli_malloc(size*4); |
| c561d2a3 |
if (!newname) {
return NULL;
}
j=0; |
| 2c51fe53 |
for (i=0 ; i < size; i += (is_mac ? 1 : 2) ) { |
| c561d2a3 |
if (isprint(name[i])) {
newname[j++] = name[i];
} else {
if (name[i] < 10 && name[i] >= 0) {
newname[j++] = '_';
newname[j++] = name[i] + '0';
}
newname[j++] = '_';
}
}
newname[j] = '\0';
return newname;
} |
| ee5c926e |
static void vba56_test_middle(int fd)
{
char test_middle[20]; |
| acec93b9 |
/* MacOffice middle */
static const uint8_t middle1_str[20] = { |
| 3894b926 |
0x00, 0x01, 0x0d, 0x45, 0x2e, 0xe1, 0xe0, 0x8f, 0x10, 0x1a,
0x85, 0x2e, 0x02, 0x60, 0x8c, 0x4d, 0x0b, 0xb4, 0x00, 0x00 |
| ee5c926e |
}; |
| acec93b9 |
/* MS Office middle */
static const uint8_t middle2_str[20] = {
0x00, 0x00, 0xe1, 0x2e, 0x45, 0x0d, 0x8f, 0xe0, 0x1a, 0x10,
0x85, 0x2e, 0x02, 0x60, 0x8c, 0x4d, 0x0b, 0xb4, 0x00, 0x00
}; |
| ee5c926e |
|
| 66fcd9f8 |
if (cli_readn(fd, &test_middle, 20) != 20) { |
| ee5c926e |
return;
} |
| 736af806 |
|
| acec93b9 |
if ((memcmp(test_middle, middle1_str, 20) != 0) &&
(memcmp(test_middle, middle2_str, 20) != 0)) { |
| 3894b926 |
cli_dbgmsg("middle not found\n"); |
| ee5c926e |
lseek(fd, -20, SEEK_CUR); |
| 3894b926 |
} else {
cli_dbgmsg("middle found\n"); |
| ee5c926e |
}
return;
}
|
| 0ee38b0e |
static int vba_read_project_strings(int fd, int is_mac) |
| 3894b926 |
{
uint16_t length;
unsigned char *buff, *name;
uint32_t offset;
for (;;) { |
| 66fcd9f8 |
if (cli_readn(fd, &length, 2) != 2) { |
| 3894b926 |
return FALSE;
}
length = vba_endian_convert_16(length, is_mac);
if (length < 6) {
lseek(fd, -2, SEEK_CUR);
break;
}
cli_dbgmsg ("length: %d, ", length);
buff = (unsigned char *) cli_malloc(length);
if (!buff) {
cli_errmsg("cli_malloc failed\n");
return FALSE;
}
offset = lseek(fd, 0, SEEK_CUR); |
| 66fcd9f8 |
if (cli_readn(fd, buff, length) != length) { |
| 3894b926 |
cli_dbgmsg("read name failed - rewinding\n");
lseek(fd, offset, SEEK_SET); |
| 66fcd9f8 |
free(buff); |
| 3894b926 |
break;
}
name = get_unicode_name(buff, length, is_mac); |
| 0205b586 |
if (name) {
cli_dbgmsg("name: %s\n", name);
} else {
cli_dbgmsg("name: [null]\n");
} |
| 3894b926 |
free(buff);
|
| 0ee38b0e |
/* Ignore twelve bytes from entries of type 'G'. |
| 3894b926 |
Type 'C' entries come in pairs, the second also
having a 12 byte trailer */
/* TODO: Need to check if types H(same as G) and D(same as C) exist */ |
| 9a3524a6 |
if (name && (!strncmp ("*\\G", name, 3) || !strncmp ("*\\H", name, 3)
|| !strncmp("*\\C", name, 3) || !strncmp("*\\D", name, 3))) { |
| 66fcd9f8 |
if (cli_readn(fd, &length, 2) != 2) { |
| 3894b926 |
return FALSE;
}
length = vba_endian_convert_16(length, is_mac); |
| acec93b9 |
if ((length != 0) && (length != 65535)) { |
| 3894b926 |
lseek(fd, -2, SEEK_CUR); |
| 66fcd9f8 |
free(name); |
| 3894b926 |
continue;
}
buff = (unsigned char *) cli_malloc(10); |
| acf6a6ea |
if (!buff) {
free(name);
close(fd);
return FALSE;
} |
| 66fcd9f8 |
if (cli_readn(fd, buff, 10) != 10) { |
| 3894b926 |
cli_errmsg("failed to read blob\n"); |
| 0ee38b0e |
free(buff); |
| 3894b926 |
free(name);
close(fd);
return FALSE; |
| 0ee38b0e |
} |
| 3894b926 |
free(buff);
} else {
/* Unknown type - probably ran out of strings - rewind */
lseek(fd, -(length+2), SEEK_CUR); |
| c21c8f24 |
if (name) {
free(name);
} |
| 3894b926 |
break;
}
free(name);
offset = lseek(fd, 0, SEEK_CUR); |
| d15bc08f |
cli_dbgmsg("offset: %u\n", offset); |
| 3894b926 |
vba56_test_middle(fd);
}
return TRUE;
} |
| ee5c926e |
|
| c561d2a3 |
vba_project_t *vba56_dir_read(const char *dir)
{
unsigned char magic[2];
unsigned char version[4]; |
| 0ee38b0e |
unsigned char *buff; |
| c561d2a3 |
unsigned char vba56_signature[] = { 0xcc, 0x61 }; |
| 2c51fe53 |
uint16_t record_count, length; |
| c561d2a3 |
uint16_t ooff; |
| d15bc08f |
uint16_t byte_count; |
| c561d2a3 |
uint32_t offset; |
| 8a05efc5 |
uint32_t LidA; /* Language identifiers */ |
| c561d2a3 |
uint32_t LidB;
uint16_t CharSet;
uint16_t LenA;
uint32_t UnknownB;
uint32_t UnknownC;
uint16_t LenB;
uint16_t LenC;
uint16_t LenD; |
| 2c51fe53 |
int i, j, fd, is_mac; |
| c561d2a3 |
vba_project_t *vba_project;
char *fullname;
|
| 1f301ecc |
cli_dbgmsg("in vba56_dir_read()\n");
|
| acf6a6ea |
fullname = (char *) cli_malloc(strlen(dir) + 14);
if (!fullname) {
return NULL;
} |
| c561d2a3 |
sprintf(fullname, "%s/_VBA_PROJECT", dir);
fd = open(fullname, O_RDONLY);
if (fd == -1) { |
| 1f301ecc |
cli_dbgmsg("Can't open %s\n", fullname);
free(fullname); |
| c561d2a3 |
return NULL;
} |
| 1f301ecc |
free(fullname); |
| c561d2a3 |
|
| 66fcd9f8 |
if (cli_readn(fd, &magic, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| d70b2d88 |
if (memcmp(magic, vba56_signature, 2) != 0) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 66fcd9f8 |
if (cli_readn(fd, &version, 4) != 4) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
for (i=0 ; i < NUM_VBA_VERSIONS ; i++) { |
| d70b2d88 |
if (memcmp(version, vba_version[i].signature, 4) == 0) { |
| c561d2a3 |
break;
}
}
if (i == NUM_VBA_VERSIONS) { |
| 7f765c70 |
cli_dbgmsg("Unknown VBA version signature %x %x %x %x\n", |
| c561d2a3 |
version[0], version[1], version[2], version[3]); |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
cli_dbgmsg("VBA Project: %s, VBA Version=%d\n", vba_version[i].name,
vba_version[i].vba_version);
|
| 2c51fe53 |
is_mac = vba_version[i].is_mac; |
| c561d2a3 |
/*****************************************/
/* two bytes, should be equal to 0x00ff */ |
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 66fcd9f8 |
if (cli_readn(fd, &LidA, 4) != 4) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 66fcd9f8 |
if (cli_readn(fd, &LidB, 4) != 4) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 66fcd9f8 |
if (cli_readn(fd, &CharSet, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| 66fcd9f8 |
if (cli_readn(fd, &LenA, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 66fcd9f8 |
if (cli_readn(fd, &UnknownB, 4) != 4) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| 66fcd9f8 |
if (cli_readn(fd, &UnknownC, 4) != 4) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 66fcd9f8 |
if (cli_readn(fd, &LenB, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| 66fcd9f8 |
if (cli_readn(fd, &LenC, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| 66fcd9f8 |
if (cli_readn(fd, &LenD, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
|
| 2c51fe53 |
LidA = vba_endian_convert_32(LidA, is_mac);
LidB = vba_endian_convert_32(LidB, is_mac);
CharSet = vba_endian_convert_16(CharSet, is_mac);
LenA = vba_endian_convert_16(LenA, is_mac);
LenB = vba_endian_convert_16(LenB, is_mac);
LenC = vba_endian_convert_16(LenC, is_mac);
LenD = vba_endian_convert_16(LenD, is_mac); |
| d70b2d88 |
|
| c561d2a3 |
cli_dbgmsg(" LidA: %d\n LidB: %d\n CharSet: %d\n", LidA, LidB, CharSet);
cli_dbgmsg(" LenA: %d\n UnknownB: %d\n UnknownC: %d\n", LenA, UnknownB, UnknownC);
cli_dbgmsg(" LenB: %d\n LenC: %d\n LenD: %d\n", LenB, LenC, LenD);
record_count = LenC;
|
| 3894b926 |
if (!vba_read_project_strings(fd, is_mac)) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| 3894b926 |
|
| c561d2a3 |
/* junk some more stuff */
do { |
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
} while(ooff != 0xFFFF); |
| 268a0802 |
/* check for alignment error */
lseek(fd, -3, SEEK_CUR); |
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| 268a0802 |
close(fd);
return NULL;
}
if (ooff != 0xFFFF) {
lseek(fd, 1, SEEK_CUR);
} |
| c561d2a3 |
|
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
/* no idea what this stuff is */
if (ooff != 0xFFFF) { |
| 2c51fe53 |
ooff = vba_endian_convert_16(ooff, is_mac); |
| c561d2a3 |
lseek(fd, ooff, SEEK_CUR);
} |
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
}
if (ooff != 0xFFFF) { |
| 2c51fe53 |
ooff = vba_endian_convert_16(ooff, is_mac); |
| c561d2a3 |
lseek(fd, ooff, SEEK_CUR);
}
lseek(fd, 100, SEEK_CUR);
|
| 66fcd9f8 |
if (cli_readn(fd, &record_count, 2) != 2) { |
| e0ae32a9 |
close(fd); |
| c561d2a3 |
return NULL;
} |
| 2c51fe53 |
record_count = vba_endian_convert_16(record_count, is_mac); |
| c561d2a3 |
cli_dbgmsg("\nVBA Record count: %d\n", record_count); |
| d15bc08f |
if (record_count > 1000) {
/* Almost certainly an error */
cli_dbgmsg("\nVBA Record count too big");
close(fd);
return NULL;
} |
| c561d2a3 |
vba_project = (vba_project_t *) cli_malloc(sizeof(struct vba_project_tag)); |
| acf6a6ea |
if (!vba_project) {
close(fd);
return NULL;
} |
| c561d2a3 |
vba_project->name = (char **) cli_malloc(sizeof(char *) * record_count); |
| acf6a6ea |
if (!vba_project->name) {
free(vba_project);
close(fd);
return NULL;
} |
| c561d2a3 |
vba_project->dir = strdup(dir);
vba_project->offset = (uint32_t *) cli_malloc (sizeof(uint32_t) *
record_count); |
| acf6a6ea |
if (!vba_project->offset) {
free(vba_project->dir);
free(vba_project->name);
free(vba_project);
close(fd);
return NULL;
} |
| c561d2a3 |
vba_project->count = record_count;
for (i=0 ; i < record_count ; i++) { |
| 66fcd9f8 |
if (cli_readn(fd, &length, 2) != 2) { |
| e0ae32a9 |
goto out_error; |
| c561d2a3 |
} |
| 2c51fe53 |
length = vba_endian_convert_16(length, is_mac); |
| ee5c926e |
buff = (unsigned char *) cli_malloc(length); |
| c561d2a3 |
if (!buff) {
cli_dbgmsg("cli_malloc failed\n"); |
| e0ae32a9 |
goto out_error; |
| c561d2a3 |
} |
| 66fcd9f8 |
if (cli_readn(fd, buff, length) != length) { |
| c561d2a3 |
cli_dbgmsg("read name failed\n"); |
| e0ae32a9 |
free(buff);
goto out_error; |
| c561d2a3 |
} |
| 2c51fe53 |
vba_project->name[i] = get_unicode_name(buff, length, is_mac); |
| 0205b586 |
if (!vba_project->name[i]) {
offset = lseek(fd, 0, SEEK_CUR);
vba_project->name[i] = (char *) cli_malloc(18);
snprintf(vba_project->name[i], 18, "clamav-%.10d", offset);
} |
| c561d2a3 |
cli_dbgmsg("project name: %s, ", vba_project->name[i]);
free(buff);
/* some kind of string identifier ?? */ |
| 66fcd9f8 |
if (cli_readn(fd, &length, 2) != 2) { |
| e0ae32a9 |
free(vba_project->name[i]);
goto out_error; |
| c561d2a3 |
} |
| 2c51fe53 |
length = vba_endian_convert_16(length, is_mac); |
| c561d2a3 |
lseek(fd, length, SEEK_CUR);
/* unknown stuff */ |
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| e0ae32a9 |
free(vba_project->name[i]);
goto out_error; |
| c561d2a3 |
} |
| 2c51fe53 |
ooff = vba_endian_convert_16(ooff, is_mac); |
| c561d2a3 |
if (ooff == 0xFFFF) {
lseek(fd, 2, SEEK_CUR); |
| 66fcd9f8 |
if (cli_readn(fd, &ooff, 2) != 2) { |
| e0ae32a9 |
free(vba_project->name[i]);
goto out_error; |
| c561d2a3 |
} |
| 2c51fe53 |
ooff = vba_endian_convert_16(ooff, is_mac); |
| c561d2a3 |
lseek(fd, ooff, SEEK_CUR);
} else {
lseek(fd, 2 + ooff, SEEK_CUR);
}
lseek(fd, 8, SEEK_CUR); |
| d15bc08f |
if (cli_readn(fd, &byte_count, 2) != 2) { |
| e0ae32a9 |
free(vba_project->name[i]);
goto out_error; |
| c561d2a3 |
} |
| d15bc08f |
byte_count = vba_endian_convert_16(byte_count, is_mac); |
| c561d2a3 |
for (j=0 ; j<byte_count; j++) {
lseek(fd, 8, SEEK_CUR);
} |
| d15bc08f |
lseek(fd, 5, SEEK_CUR); |
| 66fcd9f8 |
if (cli_readn(fd, &offset, 4) != 4) { |
| e0ae32a9 |
free(vba_project->name[i]);
goto out_error; |
| c561d2a3 |
} |
| 2c51fe53 |
offset = vba_endian_convert_32(offset, is_mac); |
| c561d2a3 |
vba_project->offset[i] = offset; |
| d15bc08f |
cli_dbgmsg("offset:%u\n", offset); |
| c561d2a3 |
lseek(fd, 2, SEEK_CUR);
}
{ /* There appears to be some code in here */
off_t foffset;
foffset = lseek(fd, 0, SEEK_CUR);
cli_dbgmsg("\nOffset: 0x%x\n", (unsigned int)foffset);
}
close(fd);
return vba_project; |
| e0ae32a9 |
out_error:
/* Note: only to be called from the above loop
when i == number of allocated stings */
for (j=0 ; j<i ; j++) {
free(vba_project->name[j]);
}
free(vba_project->name);
free(vba_project->dir);
free(vba_project->offset);
free(vba_project);
close(fd);
return NULL; |
| c561d2a3 |
}
#define VBA_COMPRESSION_WINDOW 4096
|
| 0ee38b0e |
static void byte_array_append(byte_array_t *array, unsigned char *src, unsigned int len) |
| c561d2a3 |
{
if (array->length == 0) { |
| ee5c926e |
array->data = (unsigned char *) cli_malloc(len); |
| acf6a6ea |
if (!array->data) {
return;
} |
| c561d2a3 |
array->length = len; |
| e0ae32a9 |
memcpy(array->data, src, len); |
| c561d2a3 |
} else {
array->data = realloc(array->data, array->length+len); |
| acf6a6ea |
if (!array->data) {
return;
} |
| e0ae32a9 |
memcpy(array->data+array->length, src, len); |
| c561d2a3 |
array->length += len;
}
}
|
| c6b7542f |
unsigned char *vba_decompress(int fd, uint32_t offset, int *size) |
| c561d2a3 |
{
unsigned int i, pos=0, shift, win_pos, clean=TRUE, mask, distance;
uint8_t flag;
uint16_t token, len;
unsigned char buffer[VBA_COMPRESSION_WINDOW];
byte_array_t result;
result.length=0;
result.data=NULL;
lseek(fd, offset+3, SEEK_SET); /* 1byte ?? , 2byte length ?? */
|
| 66fcd9f8 |
while (cli_readn(fd, &flag, 1) == 1) { |
| c561d2a3 |
for (mask = 1; mask < 0x100; mask<<=1) {
if (flag & mask) { |
| 66fcd9f8 |
if (cli_readn(fd, &token, 2) != 2) { |
| e0ae32a9 |
if (result.data) {
free(result.data);
} |
| c6b7542f |
if (size) {
*size = 0;
} |
| e0ae32a9 |
return NULL; |
| c561d2a3 |
} |
| 2c51fe53 |
token = vba_endian_convert_16(token, FALSE); |
| c561d2a3 |
win_pos = pos % VBA_COMPRESSION_WINDOW;
if (win_pos <= 0x80) {
if (win_pos <= 0x20) {
shift = (win_pos <= 0x10) ? 12:11;
} else {
shift = (win_pos <= 0x40) ? 10:9;
}
} else {
if (win_pos <= 0x200) {
shift = (win_pos <= 0x100) ? 8:7;
} else if (win_pos <= 0x800) {
shift = (win_pos <= 0x400) ? 6:5;
} else {
shift = 4;
}
}
len = (token & ((1 << shift) -1)) + 3;
distance = token >> shift;
clean = TRUE;
for (i=0 ; i < len; i++) {
unsigned int srcpos;
unsigned char c;
srcpos = (pos - distance - 1) % VBA_COMPRESSION_WINDOW;
c = buffer[srcpos];
buffer[pos++ % VBA_COMPRESSION_WINDOW]= c;
}
} else {
if ((pos != 0) &&
((pos % VBA_COMPRESSION_WINDOW) == 0) && clean) {
|
| 66fcd9f8 |
if (cli_readn(fd, &token, 2) != 2) { |
| e0ae32a9 |
if (result.data) {
free(result.data);
} |
| c6b7542f |
if (size) {
*size = 0;
} |
| e0ae32a9 |
return NULL; |
| c561d2a3 |
}
clean = FALSE;
byte_array_append(&result, buffer, VBA_COMPRESSION_WINDOW);
break;
} |
| 66fcd9f8 |
if (cli_readn(fd, buffer+(pos%VBA_COMPRESSION_WINDOW), 1) == 1){ |
| c561d2a3 |
pos++;
}
clean = TRUE;
}
}
}
if (pos % VBA_COMPRESSION_WINDOW) {
byte_array_append(&result, buffer, pos % VBA_COMPRESSION_WINDOW);
} |
| c6b7542f |
if (size) {
*size = result.length;
} |
| c561d2a3 |
return result.data;
} |
| 45ef6256 |
/* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ */ |
| 9c51d9ab |
/* Code to extract Power Point Embedded OLE2 Objects
/* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))
typedef struct atom_header_tag {
off_t foffset;
uint16_t ver_inst;
uint8_t version;
uint16_t instance;
uint16_t type;
uint32_t length;
} atom_header_t;
typedef struct ppt_currentuser_tag {
atom_header_t atom_hdr;
uint32_t len;
uint32_t magic;
uint32_t current_edit_offset;
} ppt_currentuser_t;
typedef struct ppt_useredit_tag {
atom_header_t atom_hdr;
int32_t last_slide_id;
uint32_t version;
uint32_t last_edit_offset;
uint32_t persist_dir_offset;
uint32_t document_ref;
uint32_t max_persist;
int16_t last_view_type;
} ppt_useredit_t;
static int ppt_read_atom_header(int fd, atom_header_t *atom_header)
{
atom_header->foffset = lseek(fd, 0, SEEK_CUR);
if (cli_readn(fd, &atom_header->ver_inst, 2) != 2) {
cli_dbgmsg("read ppt_current_user failed\n");
return FALSE; |
| d9afa42b |
}
atom_header->ver_inst = vba_endian_convert_16(atom_header->ver_inst, FALSE); |
| 9c51d9ab |
atom_header->version = atom_header->ver_inst & 0x000f;
atom_header->instance = atom_header->ver_inst >> 4;
if (cli_readn(fd, &atom_header->type, 2) != 2) {
cli_dbgmsg("read ppt_current_user failed\n");
return FALSE;
}
if (cli_readn(fd, &atom_header->length, 4) != 4) {
cli_dbgmsg("read ppt_current_user failed\n");
return FALSE;
} |
| d9afa42b |
atom_header->type = vba_endian_convert_16(atom_header->type, FALSE);
atom_header->length = vba_endian_convert_32(atom_header->length, FALSE); |
| 9c51d9ab |
return TRUE;
}
static void ppt_print_atom_header(atom_header_t *atom_header)
{
cli_dbgmsg("Atom Hdr:\n");
cli_dbgmsg(" Version: 0x%.2x\n", atom_header->version);
cli_dbgmsg(" Instance: 0x%.4x\n", atom_header->instance);
cli_dbgmsg(" Type: 0x%.4x\n", atom_header->type);
cli_dbgmsg(" Length: 0x%.8x\n", atom_header->length);
}
static void ppt_print_useredit(ppt_useredit_t *ppt_useredit)
{
ppt_print_atom_header(&ppt_useredit->atom_hdr);
cli_dbgmsg("Last Slide ID: 0x%.4x\n", ppt_useredit->last_slide_id);
cli_dbgmsg("Version: 0x%.4x\n", ppt_useredit->version);
cli_dbgmsg("Last Edit Offset: 0x%.4x\n", ppt_useredit->last_edit_offset);
cli_dbgmsg("Persist Dir Offset: 0x%.4x\n", ppt_useredit->persist_dir_offset);
cli_dbgmsg("Document Ref: 0x%.4x\n", ppt_useredit->document_ref);
cli_dbgmsg("Max Persist: 0x%.4x\n", ppt_useredit->max_persist);
cli_dbgmsg("Last view type: 0x%.4x\n\n", ppt_useredit->last_view_type);
}
static int ppt_read_useredit(int fd, ppt_useredit_t *ppt_useredit)
{
if (!ppt_read_atom_header(fd, &ppt_useredit->atom_hdr)) {
return FALSE;
} |
| d9afa42b |
if (ppt_useredit->atom_hdr.type != 0x0FF5) {
cli_dbgmsg("read ppt_useredit failed, wrong atom type\n");
return FALSE;
} |
| 9c51d9ab |
if (cli_readn(fd, &ppt_useredit->last_slide_id, 4) != 4) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_useredit->version, 4) != 4) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_useredit->last_edit_offset, 4) != 4) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_useredit->persist_dir_offset, 4) != 4) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_useredit->document_ref, 4) != 4) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_useredit->max_persist, 4) != 4) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_useredit->last_view_type, 2) != 2) {
cli_dbgmsg("read ppt_useredit failed\n");
return FALSE;
} |
| d9afa42b |
ppt_useredit->last_slide_id = vba_endian_convert_32(ppt_useredit->last_slide_id, FALSE);
ppt_useredit->version = vba_endian_convert_32(ppt_useredit->version, FALSE);
ppt_useredit->last_edit_offset = vba_endian_convert_32(ppt_useredit->last_edit_offset, FALSE);
ppt_useredit->persist_dir_offset = vba_endian_convert_32(ppt_useredit->persist_dir_offset, FALSE);
ppt_useredit->document_ref = vba_endian_convert_32(ppt_useredit->document_ref, FALSE);
ppt_useredit->max_persist = vba_endian_convert_32(ppt_useredit->max_persist, FALSE);
ppt_useredit->last_view_type = vba_endian_convert_16(ppt_useredit->last_view_type, FALSE); |
| 9c51d9ab |
return TRUE;
}
static void ppt_print_current_user(ppt_currentuser_t *ppt_current_user)
{
ppt_print_atom_header(&ppt_current_user->atom_hdr);
cli_dbgmsg("Magic: 0x%.8x\n", ppt_current_user->magic);
cli_dbgmsg("Curr Edit Offset: 0x%.8x\n", ppt_current_user->current_edit_offset);
}
static int ppt_read_current_user(int fd, ppt_currentuser_t *ppt_current_user)
{
if (!ppt_read_atom_header(fd, &ppt_current_user->atom_hdr)) {
return FALSE;
} |
| d9afa42b |
if (ppt_current_user->atom_hdr.type != 0x0FF6) {
cli_dbgmsg("read ppt_current_user failed, wrong atom type\n");
return FALSE;
} |
| 9c51d9ab |
if (cli_readn(fd, &ppt_current_user->len, 4) != 4) {
cli_dbgmsg("read ppt_current_user failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_current_user->magic, 4) != 4) {
cli_dbgmsg("read ppt_current_user 1 failed\n");
return FALSE;
}
if (cli_readn(fd, &ppt_current_user->current_edit_offset, 4) != 4) {
cli_dbgmsg("read ppt_current_user 2 failed\n");
return FALSE;
}
/* Don't need to read the rest of the Current User file in order
to extract what we need */ |
| d9afa42b |
ppt_current_user->len = vba_endian_convert_32(ppt_current_user->len, FALSE);
ppt_current_user->magic = vba_endian_convert_32(ppt_current_user->magic, FALSE);
ppt_current_user->current_edit_offset = vba_endian_convert_32(ppt_current_user->current_edit_offset, FALSE);
if (ppt_current_user->magic != 0xE391C05F) {
cli_dbgmsg("read ppt_current_user failed, wrong magic\n");
return FALSE;
} |
| 9c51d9ab |
return TRUE;
}
static uint32_t *ppt_read_persist_dir(int fd, ppt_useredit_t *ppt_useredit)
{
uint32_t *persist_dir, noffsets, off_index;
atom_header_t atom_header;
int size, i, off_count=0;
if (lseek(fd, ppt_useredit->persist_dir_offset, SEEK_SET) !=
ppt_useredit->persist_dir_offset) {
return NULL;
}
if (!ppt_read_atom_header(fd, &atom_header)) {
return NULL;
}
ppt_print_atom_header(&atom_header); |
| d9afa42b |
if (atom_header.type != 0x1772) {
cli_dbgmsg("read ppt_current_user failed, wrong atom type\n");
return NULL;
} |
| 9c51d9ab |
size = sizeof(uint32_t) * (ppt_useredit->max_persist+1); |
| d9afa42b |
persist_dir = cli_malloc(size); |
| 9c51d9ab |
if (!persist_dir) {
return NULL;
}
memset(persist_dir, 0xFF, size);
while ((off_count < ppt_useredit->max_persist) &&
(lseek(fd, 0, SEEK_CUR) < atom_header.foffset+atom_header.length)) {
if (cli_readn(fd, &noffsets, 4) != 4) {
cli_dbgmsg("read ppt_current_user failed\n");
free(persist_dir);
return NULL;
} |
| d9afa42b |
noffsets = vba_endian_convert_32(noffsets, FALSE); |
| 9c51d9ab |
off_index = noffsets & 0x000FFFFF;
noffsets = noffsets >> 20;
cli_dbgmsg("nOffsets: %d\n", noffsets);
cli_dbgmsg("Offset index: %d\n",off_index);
for (i=0 ; i<noffsets; i++) {
if ((off_index+i-1) > ppt_useredit->max_persist)
{
cli_dbgmsg("ppt_read_persist_dir overflow\n");
free(persist_dir);
return NULL;
}
if (cli_readn(fd, &persist_dir[off_index+i-1], 4) != 4) {
cli_dbgmsg("read ppt_read_persist_dir failed\n");
free(persist_dir);
return NULL;
} |
| d9afa42b |
persist_dir[off_index+i-1] = vba_endian_convert_32(persist_dir[off_index+i-1], FALSE); |
| 9c51d9ab |
cli_dbgmsg("persist_dir[%d] = 0x%.8x\n", off_index+i-1, persist_dir[off_index+i-1]);
off_count++;
}
}
cli_dbgmsg("File offset: 0x%.8x\n\n", lseek(fd, 0, SEEK_CUR));
return persist_dir;
}
#define PPT_LZW_BUFFSIZE 8192
static int ppt_unlzw(const char *dir, int fd, uint32_t length)
{
int ofd, retval;
unsigned char inbuff[PPT_LZW_BUFFSIZE], outbuff[PPT_LZW_BUFFSIZE];
char *fullname;
uint32_t bufflen;
z_stream stream;
|
| d9afa42b |
fullname = cli_malloc(strlen(dir) + 17);
if (!fullname) {
return FALSE;
} |
| 9c51d9ab |
sprintf(fullname, "%s/ppt%.8x.doc", dir, lseek(fd, 0, SEEK_CUR));
ofd = open(fullname, O_WRONLY|O_CREAT|O_TRUNC, 0600);
free(fullname);
if (ofd == -1) {
cli_dbgmsg("ppt_unlzw Open outfile failed\n"); |
| d9afa42b |
return FALSE; |
| 9c51d9ab |
}
stream.zalloc = Z_NULL;
stream.zfree = Z_NULL;
stream.opaque = (void *)0;
stream.next_in = inbuff;
bufflen = stream.avail_in = MIN(length, PPT_LZW_BUFFSIZE);
if (cli_readn(fd, inbuff, stream.avail_in) != stream.avail_in) {
close(ofd);
return FALSE;
}
length -= stream.avail_in;
retval = inflateInit(&stream);
if (retval != Z_OK) {
cli_dbgmsg(" ppt_unlzw !Z_OK: %d\n", retval);
}
stream.next_out = outbuff;
stream.avail_out = PPT_LZW_BUFFSIZE;
do {
if (stream.avail_out == 0) {
if (cli_writen(ofd, outbuff, PPT_LZW_BUFFSIZE)
!= PPT_LZW_BUFFSIZE) {
close(ofd);
inflateEnd(&stream);
return FALSE;
}
stream.next_out = outbuff;
stream.avail_out = PPT_LZW_BUFFSIZE;
}
if (stream.avail_in == 0) {
stream.next_in = inbuff;
bufflen = stream.avail_in = MIN(length, PPT_LZW_BUFFSIZE);
if (cli_readn(fd, inbuff, stream.avail_in) != stream.avail_in) {
close(ofd);
inflateEnd(&stream);
return FALSE;
}
length -= stream.avail_in;
}
retval = inflate(&stream, Z_NO_FLUSH);
} while (retval == Z_OK);
if (cli_writen(ofd, outbuff, bufflen) != bufflen) {
close(ofd);
inflateEnd(&stream);
return FALSE;
}
inflateEnd(&stream);
close(ofd);
return TRUE;
}
char *ppt_vba_read(const char *dir)
{
ppt_currentuser_t ppt_current_user;
ppt_useredit_t ppt_useredit;
uint32_t *persist_dir;
char *fullname, *out_dir, *tmpdir;
int fd, i, ofd;
unsigned char *buffer;
atom_header_t atom_header;
uint32_t ole_id;
fullname = (char *) cli_malloc(strlen(dir) + 14);
if (!fullname) {
return NULL;
}
sprintf(fullname, "%s/Current User", dir);
fd = open(fullname, O_RDONLY);
free(fullname);
if (fd == -1) {
cli_dbgmsg("Open Current User failed\n");
return NULL;
}
if (!ppt_read_current_user(fd, &ppt_current_user)) {
close(fd);
return NULL;
}
ppt_print_current_user(&ppt_current_user);
close(fd);
fullname = (char *) cli_malloc(strlen(dir) + 21);
if (!fullname) {
return NULL;
}
sprintf(fullname, "%s/PowerPoint Document", dir);
fd = open(fullname, O_RDONLY);
free(fullname);
if (fd == -1) {
cli_dbgmsg("Open Current User failed\n");
return NULL;
}
if (lseek(fd, ppt_current_user.current_edit_offset, SEEK_SET) !=
ppt_current_user.current_edit_offset) {
cli_dbgmsg("lseek cli_ppt_vbaread failed\n");
close(fd);
return FALSE;
}
/* Create a directory to store the extracted OLE2 objects */
tmpdir = getenv("TMPDIR");
if(tmpdir == NULL)
#ifdef P_tmpdir
tmpdir = P_tmpdir;
#else
tmpdir = "/tmp";
#endif
/* generate the temporary directory */
out_dir = cl_gentemp(tmpdir);
if(mkdir(out_dir, 0700)) {
printf("ScanOLE2 -> Can't create temporary directory %s\n", dir);
close(fd);
return NULL;
}
do {
if (!ppt_read_useredit(fd, &ppt_useredit)) {
close(fd);
cli_rmdirs(out_dir);
free(out_dir);
return NULL;
}
ppt_print_useredit(&ppt_useredit);
persist_dir = ppt_read_persist_dir(fd, &ppt_useredit);
if (!persist_dir) {
close(fd);
cli_rmdirs(out_dir);
free(out_dir);
return NULL;
}
for (i=0 ; i < ppt_useredit.max_persist ; i++) {
if (persist_dir[i] != 0xFFFFFFFF) {
if (lseek(fd, persist_dir[i], SEEK_SET) == persist_dir[i]) {
if (!ppt_read_atom_header(fd, &atom_header)) {
close(fd);
free(persist_dir);
cli_rmdirs(out_dir);
free(out_dir);
return NULL;
}
ppt_print_atom_header(&atom_header);
if (atom_header.type == 0x1011) {
if (cli_readn(fd, &ole_id, 4) != 4) {
cli_dbgmsg("read ole_id failed\n");
close(fd);
free(persist_dir);
cli_rmdirs(out_dir);
free(out_dir);
return NULL;
} |
| d9afa42b |
ole_id = vba_endian_convert_32(ole_id, FALSE); |
| 9c51d9ab |
cli_dbgmsg("OleID: %d, length: %d\n",
ole_id, atom_header.length-4);
if (!ppt_unlzw(out_dir, fd, atom_header.length-4)) {
cli_dbgmsg("ppt_unlzw failed\n");
close(fd);
free(persist_dir);
cli_rmdirs(out_dir);
free(out_dir);
return NULL;
}
}
}
}
}
free(persist_dir);
if (lseek(fd, ppt_useredit.last_edit_offset, SEEK_SET) !=
ppt_useredit.last_edit_offset) {
cli_dbgmsg("lseek cli_ppt_vbaread failed\n");
close(fd);
return NULL;
}
} while (ppt_useredit.last_edit_offset != 0); |
| d9afa42b |
close(fd); |
| 9c51d9ab |
return out_dir;
}
/* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ */ |
| 45ef6256 |
/* Code to extract Word6 macros
/* +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ */
typedef struct mso_fib_tag {
uint16_t magic;
uint16_t version;
uint16_t product;
uint16_t lid;
uint16_t next;
uint16_t status;
/* block of 268 bytes - ignore */
uint32_t macro_offset;
uint32_t macro_len;
} mso_fib_t;
typedef struct macro_entry_tag {
unsigned char version;
unsigned char key;
uint16_t intname_i;
uint16_t extname_i;
uint16_t xname_i;
uint32_t unknown;
uint32_t len;
uint32_t state;
uint32_t offset;
} macro_entry_t;
typedef struct macro_info_tag {
uint16_t count;
struct macro_entry_tag *macro_entry;
} macro_info_t;
typedef struct macro_extname_tag {
uint8_t length;
unsigned char *extname;
uint16_t numref;
} macro_extname_t;
typedef struct macro_extnames_tag {
uint16_t count;
struct macro_extname_tag *macro_extname;
} macro_extnames_t;
typedef struct macro_intnames_tag {
uint16_t count;
struct macro_intname_tag *macro_intname;
} macro_intnames_t;
typedef struct macro_intname_tag {
uint16_t id;
uint8_t length;
unsigned char *intname;
} macro_intname_t;
typedef struct menu_entry_tag {
uint16_t context;
uint16_t menu;
uint16_t extname_i;
uint16_t unknown;
uint16_t intname_i;
uint16_t pos;
} menu_entry_t;
typedef struct menu_info_tag {
uint16_t count;
struct menu_entry_tag *menu_entry;
} menu_info_t;
typedef struct mac_token_tag {
unsigned char token;
unsigned char *str;
} mac_token_t;
typedef struct mac_token2_tag {
uint16_t token;
unsigned char *str;
} mac_token2_t;
static void wm_print_fib(mso_fib_t *fib)
{
cli_dbgmsg("magic: 0x%.4x\n", fib->magic);
cli_dbgmsg("version: 0x%.4x\n", fib->version);
cli_dbgmsg("product: 0x%.4x\n", fib->product);
cli_dbgmsg("lid: 0x%.4x\n", fib->lid);
cli_dbgmsg("macro offset: 0x%.4x\n", fib->macro_offset);
cli_dbgmsg("macro len: 0x%.4x\n\n", fib->macro_len);
}
static int wm_read_fib(int fd, mso_fib_t *fib)
{
if (cli_readn(fd, &fib->magic, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->version, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->product, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->lid, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->next, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->status, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
/* don't need the information is this block, so seek forward */
if (lseek(fd, 0x118, SEEK_SET) != 0x118) { |
| 567a388c |
cli_dbgmsg("lseek wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->macro_offset, 4) != 4) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, &fib->macro_len, 4) != 4) { |
| 567a388c |
cli_dbgmsg("read wm_fib failed\n"); |
| 45ef6256 |
return FALSE;
}
fib->magic = vba_endian_convert_16(fib->magic, FALSE);
fib->version = vba_endian_convert_16(fib->version, FALSE);
fib->product = vba_endian_convert_16(fib->product, FALSE);
fib->lid = vba_endian_convert_16(fib->lid, FALSE);
fib->next = vba_endian_convert_16(fib->next, FALSE);
fib->status = vba_endian_convert_16(fib->status, FALSE);
fib->macro_offset = vba_endian_convert_32(fib->macro_offset, FALSE);
fib->macro_len = vba_endian_convert_32(fib->macro_len, FALSE);
return TRUE;
}
static int wm_read_macro_entry(int fd, macro_entry_t *macro_entry)
{
if (cli_readn(fd, ¯o_entry->version, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->key, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->intname_i, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->extname_i, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->xname_i, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->unknown, 4) != 4) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->len, 4) != 4) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->state, 4) != 4) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
}
if (cli_readn(fd, ¯o_entry->offset, 4) != 4) { |
| 567a388c |
cli_dbgmsg("read macro_entry failed\n"); |
| 45ef6256 |
return FALSE;
} |
| a6f378c9 |
macro_entry->intname_i = vba_endian_convert_16(macro_entry->intname_i, FALSE);
macro_entry->extname_i = vba_endian_convert_16(macro_entry->extname_i, FALSE);
macro_entry->xname_i = vba_endian_convert_16(macro_entry->xname_i, FALSE);
macro_entry->len = vba_endian_convert_32(macro_entry->len, FALSE);
macro_entry->state = vba_endian_convert_32(macro_entry->state, FALSE);
macro_entry->offset = vba_endian_convert_32(macro_entry->offset, FALSE); |
| 45ef6256 |
return TRUE;
}
static macro_info_t *wm_read_macro_info(int fd)
{
int i;
macro_info_t *macro_info;
macro_info = (macro_info_t *) cli_malloc(sizeof(macro_info_t));
if (!macro_info) {
return NULL;
}
if (cli_readn(fd, ¯o_info->count, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_info failed\n"); |
| 45ef6256 |
return NULL;
} |
| a6f378c9 |
macro_info->count = vba_endian_convert_16(macro_info->count, FALSE); |
| 45ef6256 |
cli_dbgmsg("macro count: %d\n", macro_info->count);
macro_info->macro_entry = (macro_entry_t *)
cli_malloc(sizeof(macro_entry_t) * macro_info->count);
if (!macro_info->macro_entry) {
free(macro_info);
return NULL;
}
for (i=0 ; i < macro_info->count ; i++) {
if (!wm_read_macro_entry(fd,
¯o_info->macro_entry[i])) {
free(macro_info->macro_entry);
free(macro_info);
return NULL;
}
}
return macro_info;
}
static void wm_free_macro_info(macro_info_t *macro_info)
{
if (macro_info) {
free(macro_info->macro_entry);
free(macro_info);
}
return;
}
static int wm_read_oxo3(int fd)
{
uint8_t count;
if (cli_readn(fd, &count, 1) != 1) {
cli_dbgmsg("read oxo3 record1 failed\n");
return FALSE;
}
if (lseek(fd, count*14, SEEK_CUR) == -1) {
cli_dbgmsg("lseek oxo3 record1 failed\n");
return FALSE;
}
cli_dbgmsg("oxo3 records1: %d\n", count);
if (cli_readn(fd, &count, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read oxo3 record2 failed\n"); |
| 45ef6256 |
return FALSE;
}
if (count == 0) {
if (cli_readn(fd, &count, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read oxo3 failed\n"); |
| 45ef6256 |
return FALSE;
}
if (count != 2) {
lseek(fd, -1, SEEK_CUR);
return TRUE;
}
if (cli_readn(fd, &count, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read oxo3 failed\n"); |
| 45ef6256 |
return FALSE;
}
}
if (count > 0) {
if (lseek(fd, (count*4)+1, SEEK_CUR) == -1) { |
| 567a388c |
cli_dbgmsg("lseek oxo3 failed\n"); |
| 45ef6256 |
return FALSE;
}
}
cli_dbgmsg("oxo3 records2: %d\n", count);
return TRUE;
}
static menu_info_t *wm_read_menu_info(int fd)
{
int i;
menu_info_t *menu_info;
menu_entry_t *menu_entry;
menu_info = (menu_info_t *) cli_malloc(sizeof(menu_info_t));
if (!menu_info) {
return NULL;
}
if (cli_readn(fd, &menu_info->count, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read menu_info failed\n"); |
| 45ef6256 |
free(menu_info);
return NULL;
} |
| a6f378c9 |
menu_info->count = vba_endian_convert_16(menu_info->count, FALSE); |
| 567a388c |
cli_dbgmsg("menu_info count: %d\n", menu_info->count); |
| 45ef6256 |
menu_info->menu_entry =
(menu_entry_t *) cli_malloc(sizeof(menu_entry_t) * menu_info->count);
if (!menu_info->menu_entry) {
free(menu_info);
return NULL;
}
for (i=0 ; i < menu_info->count ; i++) {
menu_entry = &menu_info->menu_entry[i];
if (cli_readn(fd, &menu_entry->context, 2) != 2) {
goto abort;
}
if (cli_readn(fd, &menu_entry->menu, 2) != 2) {
goto abort;
}
if (cli_readn(fd, &menu_entry->extname_i, 2) != 2) {
goto abort;
}
if (cli_readn(fd, &menu_entry->unknown, 2) != 2) {
goto abort;
}
if (cli_readn(fd, &menu_entry->intname_i, 2) != 2) {
goto abort;
}
if (cli_readn(fd, &menu_entry->pos, 2) != 2) {
goto abort;
} |
| a6f378c9 |
menu_entry->context = vba_endian_convert_16(menu_entry->context, FALSE);
menu_entry->menu = vba_endian_convert_16(menu_entry->menu, FALSE);
menu_entry->extname_i = vba_endian_convert_16(menu_entry->extname_i, FALSE);
menu_entry->intname_i = vba_endian_convert_16(menu_entry->intname_i, FALSE);
menu_entry->pos = vba_endian_convert_16(menu_entry->pos, FALSE); |
| 45ef6256 |
cli_dbgmsg("menu entry: %d.%d\n", menu_entry->menu, menu_entry->pos);
}
return menu_info;
abort:
cli_dbgmsg("read menu_entry failed\n");
free(menu_info->menu_entry);
free(menu_info);
return NULL;
}
static void wm_free_menu_info(menu_info_t *menu_info)
{
if (menu_info) {
free(menu_info->menu_entry);
free(menu_info);
}
return;
}
static macro_extnames_t *wm_read_macro_extnames(int fd)
{
int i, is_unicode=0;
int16_t size;
uint8_t length_tmp;
off_t offset_end;
macro_extnames_t *macro_extnames;
macro_extname_t *macro_extname;
unsigned char *name_tmp;
macro_extnames = (macro_extnames_t *) cli_malloc(sizeof(macro_extnames_t));
if (!macro_extnames) {
return NULL;
}
macro_extnames->count = 0;
macro_extnames->macro_extname = NULL;
offset_end = lseek(fd, 0, SEEK_CUR);
if (cli_readn(fd, &size, 2) != 2) {
cli_dbgmsg("read macro_extnames failed\n");
free(macro_extnames);
return NULL;
} |
| a6f378c9 |
size = vba_endian_convert_16(size, FALSE); |
| 45ef6256 |
if (size == -1) { /* Unicode flag */
is_unicode=1;
if (cli_readn(fd, &size, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_extnames failed\n"); |
| 45ef6256 |
free(macro_extnames);
return NULL;
} |
| a6f378c9 |
size = vba_endian_convert_16(size, FALSE); |
| 45ef6256 |
}
cli_dbgmsg("ext names size: 0x%x\n", size);
offset_end += size;
while (lseek(fd, 0, SEEK_CUR) < offset_end) {
macro_extnames->count++; |
| 872c6fe8 |
macro_extnames->macro_extname = (macro_extname_t *)
cli_realloc(macro_extnames->macro_extname,
sizeof(macro_extname_t) * macro_extnames->count);
if (macro_extnames->macro_extname == NULL) {
cli_dbgmsg("read macro_extnames failed\n");
goto abort;; |
| 45ef6256 |
} |
| 872c6fe8 |
|
| 45ef6256 |
macro_extname = ¯o_extnames->macro_extname[macro_extnames->count-1];
if (is_unicode) { |
| a6f378c9 |
if (cli_readn(fd, ¯o_extname->length, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_extnames failed\n"); |
| 872c6fe8 |
goto abort; |
| 45ef6256 |
} |
| a6f378c9 |
lseek(fd, 1, SEEK_CUR);
if (macro_extname->length > 0) {
name_tmp = (char *) cli_malloc(macro_extname->length*2);
if (name_tmp == NULL) { |
| 45ef6256 |
goto abort; |
| a6f378c9 |
}
if (cli_readn(fd, name_tmp, macro_extname->length*2) != |
| 45ef6256 |
macro_extname->length*2) { |
| 567a388c |
cli_dbgmsg("read macro_extnames failed\n"); |
| 45ef6256 |
free(name_tmp);
goto abort; |
| a6f378c9 |
}
macro_extname->extname =
get_unicode_name(name_tmp, macro_extname->length*2, FALSE);
free(name_tmp);
} else {
macro_extname->extname = strdup("[no name]");
macro_extname->length = 10; |
| 45ef6256 |
}
} else { |
| a6f378c9 |
if (cli_readn(fd, ¯o_extname->length, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_extnames failed\n"); |
| 45ef6256 |
goto abort;
} |
| a6f378c9 |
if (macro_extname->length > 0) {
macro_extname->extname = (char *) cli_malloc(macro_extname->length+1);
if (!macro_extname->extname) { |
| 45ef6256 |
goto abort; |
| a6f378c9 |
}
if (cli_readn(fd, macro_extname->extname, macro_extname->length) != |
| 45ef6256 |
macro_extname->length) { |
| 567a388c |
cli_dbgmsg("read macro_extnames failed\n"); |
| 872c6fe8 |
free(macro_extname->extname); |
| 45ef6256 |
goto abort; |
| a6f378c9 |
}
macro_extname->extname[macro_extname->length] = '\0';
} else {
macro_extname->extname = strdup("[no name]");
macro_extname->length = 10; |
| 45ef6256 |
}
}
if (cli_readn(fd, ¯o_extname->numref, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_extnames failed\n"); |
| 45ef6256 |
return NULL; |
| a6f378c9 |
}
macro_extname->numref = vba_endian_convert_16(macro_extname->numref, FALSE); |
| 45ef6256 |
cli_dbgmsg("ext name: %s\n", macro_extname->extname);
}
return macro_extnames;
abort:
if (macro_extnames->macro_extname != NULL) { |
| 872c6fe8 |
for (i=0 ; i < macro_extnames->count-1 ; i++) { |
| 45ef6256 |
free(macro_extnames->macro_extname[i].extname);
} |
| 872c6fe8 |
free(macro_extnames->macro_extname); |
| 45ef6256 |
}
free(macro_extnames);
return NULL;
}
static void wm_free_extnames(macro_extnames_t *macro_extnames)
{
int i;
if (macro_extnames) {
for (i=0 ; i < macro_extnames->count ; i++) {
free(macro_extnames->macro_extname[i].extname);
}
free(macro_extnames->macro_extname);
free(macro_extnames);
}
return;
}
static macro_intnames_t *wm_read_macro_intnames(int fd)
{
int i;
macro_intnames_t *macro_intnames;
macro_intname_t *macro_intname;
uint16_t junk;
macro_intnames = (macro_intnames_t *) cli_malloc(sizeof(macro_intnames_t));
if (!macro_intnames) {
return NULL;
}
if (cli_readn(fd, ¯o_intnames->count, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_intnames failed\n"); |
| 45ef6256 |
return NULL;
} |
| a6f378c9 |
macro_intnames->count = vba_endian_convert_16(macro_intnames->count, FALSE); |
| 45ef6256 |
cli_dbgmsg("int names count: %d\n", macro_intnames->count);
macro_intnames->macro_intname =
(macro_intname_t *) cli_malloc(sizeof(macro_intname_t) * macro_intnames->count);
if (!macro_intnames->macro_intname) {
free(macro_intnames);
return NULL;
}
for (i=0 ; i < macro_intnames->count ; i++) {
macro_intname = ¯o_intnames->macro_intname[i];
if (cli_readn(fd, ¯o_intname->id, 2) != 2) { |
| 567a388c |
cli_dbgmsg("read macro_intnames failed\n"); |
| 45ef6256 |
macro_intnames->count = i;
goto abort; |
| a6f378c9 |
}
macro_intname->id = vba_endian_convert_16(macro_intname->id, FALSE); |
| 45ef6256 |
if (cli_readn(fd, ¯o_intname->length, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_intnames failed\n"); |
| 45ef6256 |
macro_intnames->count = i;
goto abort;;
}
macro_intname->intname = (char *) cli_malloc(macro_intname->length+1);
if (!macro_intname->intname) {
macro_intnames->count = i;
goto abort;
}
if (cli_readn(fd, macro_intname->intname, macro_intname->length) != macro_intname->length) { |
| 567a388c |
cli_dbgmsg("read macro_intnames failed\n"); |
| 45ef6256 |
macro_intnames->count = i+1;
goto abort;
}
macro_intname->intname[macro_intname->length] = '\0';
if (cli_readn(fd, &junk, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_intnames failed\n"); |
| 45ef6256 |
macro_intnames->count = i+1;
goto abort;
} |
| 567a388c |
cli_dbgmsg("int name: %s\n", macro_intname->intname); |
| 45ef6256 |
}
return macro_intnames;
abort:
for (i=0 ; i < macro_intnames->count ; i++) {
free(macro_intnames->macro_intname[i].intname);
}
free(macro_intnames->macro_intname);
free(macro_intnames);
return NULL;
}
static void wm_free_intnames(macro_intnames_t *macro_intnames)
{
int i;
if (macro_intnames) {
for (i=0 ; i < macro_intnames->count ; i++) {
free(macro_intnames->macro_intname[i].intname);
}
free(macro_intnames->macro_intname);
free(macro_intnames);
}
return;
}
vba_project_t *wm_dir_read(const char *dir)
{
int fd, done=FALSE, i;
mso_fib_t fib;
off_t end_offset;
unsigned char start_id, info_id;
macro_info_t *macro_info=NULL;
menu_info_t *menu_info=NULL;
macro_extnames_t *macro_extnames=NULL;
macro_intnames_t *macro_intnames=NULL;
vba_project_t *vba_project=NULL;
char *fullname;
|
| acf6a6ea |
fullname = (char *) cli_malloc(strlen(dir) + 14);
if (!fullname) {
return NULL;
} |
| 45ef6256 |
sprintf(fullname, "%s/WordDocument", dir);
fd = open(fullname, O_RDONLY);
free(fullname);
if (fd == -1) {
cli_dbgmsg("Open WordDocument failed\n");
return NULL;
}
if (!wm_read_fib(fd, &fib)) { |
| be734cdd |
close(fd); |
| 45ef6256 |
return NULL;
}
wm_print_fib(&fib);
if (lseek(fd, fib.macro_offset, SEEK_SET) != fib.macro_offset) {
cli_dbgmsg("lseek macro_offset failed\n"); |
| be734cdd |
close(fd); |
| 45ef6256 |
return NULL;
}
end_offset = fib.macro_offset + fib.macro_len;
if (cli_readn(fd, &start_id, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read start_id failed\n"); |
| be734cdd |
close(fd); |
| 45ef6256 |
return NULL;
}
cli_dbgmsg("start_id: %d\n", start_id);
while ((lseek(fd, 0, SEEK_CUR) < end_offset) && !done) {
if (cli_readn(fd, &info_id, 1) != 1) { |
| 567a388c |
cli_dbgmsg("read macro_info failed\n"); |
| be734cdd |
close(fd); |
| 45ef6256 |
return NULL;
}
switch (info_id) {
case 0x01:
macro_info = wm_read_macro_info(fd);
if (macro_info == NULL) {
done = TRUE;
}
break;
case 0x03:
if (!wm_read_oxo3(fd)) {
done = TRUE;
}
break;
case 0x05:
menu_info = wm_read_menu_info(fd);
if (menu_info == NULL) {
done = TRUE;
}
break;
case 0x10:
macro_extnames = wm_read_macro_extnames(fd);
if (macro_extnames == NULL) {
done = TRUE;
}
break;
case 0x11:
macro_intnames = wm_read_macro_intnames(fd);
if (macro_intnames == NULL) {
done = TRUE;
}
break;
case 0x12:
/* No sure about these, always seems to
come after the macros though, so finish
*/
done = 1;
break;
case 0x40:
/* end marker */
done = 1;
break;
default:
cli_dbgmsg("\nunknown type: 0x%x\n", info_id);
done = 1;
}
}
if (macro_info) {
vba_project = (vba_project_t *) cli_malloc(sizeof(struct vba_project_tag));
if (!vba_project) {
goto abort;
}
vba_project->name = (char **) cli_malloc(sizeof(char *) *macro_info->count);
if (!vba_project->name) {
free(vba_project);
vba_project = NULL;
goto abort;
}
vba_project->dir = strdup(dir);
vba_project->offset = (uint32_t *) cli_malloc(sizeof(uint32_t) *
macro_info->count);
if (!vba_project->offset) {
free(vba_project->name);
free(vba_project->dir);
free(vba_project);
vba_project = NULL;
goto abort;
}
vba_project->length = (uint32_t *) cli_malloc(sizeof(uint32_t) *
macro_info->count);
if (!vba_project->length) {
free(vba_project->offset);
free(vba_project->name);
free(vba_project->dir);
free(vba_project);
vba_project = NULL;
goto abort;
}
vba_project->key = (unsigned char *) cli_malloc(sizeof(unsigned char) *
macro_info->count);
if (!vba_project->key) {
free(vba_project->length);
free(vba_project->offset);
free(vba_project->name);
free(vba_project->dir);
free(vba_project);
vba_project = NULL;
goto abort;
}
vba_project->count = macro_info->count;
for (i=0 ; i < macro_info->count ; i++) {
vba_project->name[i] = strdup("WordDocument");
vba_project->offset[i] = macro_info->macro_entry[i].offset;
vba_project->length[i] = macro_info->macro_entry[i].len;
vba_project->key[i] = macro_info->macro_entry[i].key;
}
}
/* Fall through */
abort:
if (macro_info) {
wm_free_macro_info(macro_info);
}
if (menu_info) {
wm_free_menu_info(menu_info);
}
if (macro_extnames) {
wm_free_extnames(macro_extnames);
}
if (macro_intnames) {
wm_free_intnames(macro_intnames);
} |
| be734cdd |
close(fd); |
| 45ef6256 |
return vba_project;
}
unsigned char *wm_decrypt_macro(int fd, uint32_t offset, uint32_t len,
unsigned char key)
{
unsigned char *buff;
uint32_t i;
if (lseek(fd, offset, SEEK_SET) != offset) {
return NULL;
}
buff = (unsigned char *) cli_malloc(len);
if (!buff) {
return NULL;
}
if (cli_readn(fd, buff, len) != len) {
free(buff);
return NULL;
}
if (key != 0) {
for (i=0 ; i < len; i++) {
buff[i] = buff[i] ^ key;
}
}
return buff;
} |