@@ -1,3 +1,14 @@

+Fri Jan 23 12:12:30 CET 2004 (tk)

+---------------------------------

+  * libclamav: added support for OLE2 / VBA streams scanning (!!), based on

+	       code written by Trog <trog@uncon.org>. It may be enabled

+	       with CL_OLE2 passed in options to cli_scandesc().

+  * clamscan: support for OLE2 scanning is enabled by default and may be

+	      disabled with --no-ole2

+  * clamd: support for OLE2 scanning is disabled by default and may be enabled

+	   with ScanOLE2 in clamav.conf.

+  * clamd: included Darwin fix from Nigel

+

 Fri Jan 23 10:50:51 GMT 2004 (njh)

 ----------------------------------

   * libclamav: Fixed memory leak in handling some multipart messages

@@ -211,6 +211,7 @@ void help(void)

     mprintf("    --no-summary                         Disable summary at end of scanning\n");

     mprintf("    --mbox                -m             Treat stdin as a mailbox\n");

     mprintf("\n");

+    mprintf("    --no-ole2                            Disable OLE2 support\n");

     mprintf("    --no-archive                         Disable libclamav archive support\n");

     mprintf("    --max-space=#n                       Extract first #n kilobytes only\n");

     mprintf("    --max-files=#n                       Extract first #n files only\n");

@@ -349,6 +349,11 @@ int scanfile(const char *filename, struct cl_node *root, const struct passwd *us

     else

 	options |= CL_ARCHIVE;

+    if(optl(opt, "no-ole2"))

+	options &= ~CL_OLE2;

+    else

+	options |= CL_OLE2;

+

     if(optc(opt, 'm'))

 	options |= CL_MAIL;

@@ -69,7 +69,7 @@ int main(int argc, char **argv)

 	    {"max-recursion", 1, 0, 0},

 	    {"disable-archive", 0, 0, 0},

 	    {"no-archive", 0, 0, 0},

-

+	    {"no-ole2", 0, 0, 0},

 	    {"mbox", 0, 0, 'm'},

 	    {"stdout", 0, 0, 0},

 	    {"unzip", 2, 0, 0},

@@ -127,6 +127,13 @@ MaxDirectoryRecursion 15

 #Debug

 ##

+## Document scanning

+##

+

+# This option enables scanning of Microsoft Office document macros.

+#ScanOLE2

+

+##

 ## Mail support

 ##

@@ -70,6 +70,10 @@ libclamav_la_SOURCES = \

 	table.c \

 	table.h \

 	text.c \

-	text.h

+	text.h \

+	ole2_extract.c \

+	ole2_extract.h \

+	vba_extract.c \

+	vba_extract.h

 lib_LTLIBRARIES = libclamav.la

@@ -169,7 +169,11 @@ libclamav_la_SOURCES = \

 	table.c \

 	table.h \

 	text.c \

-	text.h

+	text.h \

+	ole2_extract.c \

+	ole2_extract.h \

+	vba_extract.c \

+	vba_extract.h

 lib_LTLIBRARIES = libclamav.la

@@ -182,7 +186,8 @@ libclamav_la_DEPENDENCIES =

 am_libclamav_la_OBJECTS = matcher.lo md5.lo others.lo readdb.lo cvd.lo \

 	dsig.lo str.lo scanners.lo unrarlib.lo zzip-dir.lo zzip-err.lo \

 	zzip-file.lo zzip-info.lo zzip-io.lo zzip-stat.lo zzip-zip.lo \

-	strc.lo blob.lo mbox.lo message.lo strrcpy.lo table.lo text.lo

+	strc.lo blob.lo mbox.lo message.lo strrcpy.lo table.lo text.lo \

+	ole2_extract.lo vba_extract.lo

 libclamav_la_OBJECTS = $(am_libclamav_la_OBJECTS)

 DEFS = @DEFS@

@@ -195,11 +200,13 @@ am__depfiles_maybe = depfiles

 @AMDEP_TRUE@DEP_FILES = ./$(DEPDIR)/blob.Plo ./$(DEPDIR)/cvd.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/dsig.Plo ./$(DEPDIR)/matcher.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/mbox.Plo ./$(DEPDIR)/md5.Plo \

-@AMDEP_TRUE@	./$(DEPDIR)/message.Plo ./$(DEPDIR)/others.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/message.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/ole2_extract.Plo ./$(DEPDIR)/others.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/readdb.Plo ./$(DEPDIR)/scanners.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/str.Plo ./$(DEPDIR)/strc.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/strrcpy.Plo ./$(DEPDIR)/table.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/text.Plo ./$(DEPDIR)/unrarlib.Plo \

+@AMDEP_TRUE@	./$(DEPDIR)/vba_extract.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/zzip-dir.Plo ./$(DEPDIR)/zzip-err.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/zzip-file.Plo ./$(DEPDIR)/zzip-info.Plo \

 @AMDEP_TRUE@	./$(DEPDIR)/zzip-io.Plo ./$(DEPDIR)/zzip-stat.Plo \

@@ -273,6 +280,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mbox.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/message.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ole2_extract.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/others.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/readdb.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scanners.Plo@am__quote@

@@ -282,6 +290,7 @@ distclean-compile:

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/table.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/text.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unrarlib.Plo@am__quote@

+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/vba_extract.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zzip-dir.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zzip-err.Plo@am__quote@

 @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/zzip-file.Plo@am__quote@

@@ -46,6 +46,7 @@ extern "C"

 #define	CL_EMALFZIP	102 /* malformed zip */

 #define CL_EGZIP	103 /* gzip handler error */

 #define CL_EBZIP	104 /* bzip2 handler error */

+#define CL_EOLE2	105 /* OLE2 handler error */

 #define CL_EACCES	200 /* access denied */

 #define CL_ENULLARG	300 /* null argument error */

@@ -62,10 +63,11 @@ extern "C"

 #define CL_EDSIG	-11 /* digital signature verification error */

 /* options */

-#define CL_RAW		  00

-#define CL_ARCHIVE	  01

-#define CL_MAIL		0100

-#define CL_DISABLERAR  01000

+#define CL_RAW		0

+#define CL_ARCHIVE	1

+#define CL_MAIL		2

+#define CL_DISABLERAR	4

+#define CL_OLE2		8

 struct cli_patt {

     short int *pattern;

new file mode 100644

@@ -0,0 +1,495 @@

+/*

+ *  Extract component parts of OLE2 files (e.g. MS Office Documents)

+ *

+ *  Copyright (C) 2004 trog@uncon.org

+ *

+ *  This code is based on the OpenOffice and libgsf sources.

+ *                  

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <fcntl.h>

+#include <stdio.h>

+#include <string.h>

+#include <unistd.h>

+#include <stdint.h>

+#include <ctype.h>

+#include <stdlib.h>

+#include <clamav.h>

+

+#define FALSE (0)

+#define TRUE (1)

+

+#define MIN(a, b)  (((a) < (b)) ? (a) : (b))

+

+int big_block_size, small_block_size;

+int sbat_start=-1;

+

+typedef struct ole2_header_tag

+{

+	unsigned char magic[8];			/* should be: 0xd0cf11e0a1b11ae1 */

+	unsigned char clsid[16];

+	uint16_t minor_version;

+	uint16_t dll_version;

+	int16_t byte_order;			/* -2=intel */

+

+	uint16_t log2_big_block_size;		/* usually 9 (2^9 = 512) */

+	uint32_t log2_small_block_size;		/* usually 6 (2^6 = 128) */

+

+	int32_t reserved[2];

+	int32_t bat_count;

+	int32_t prop_start;

+

+	uint32_t signature;

+	uint32_t sbat_cutoff;			/* cutoff for files held in small blocks (4096) */

+

+	int32_t sbat_start;

+	int32_t sbat_block_count;

+	int32_t xbat_start;

+	int32_t xbat_count;

+	int32_t bat_array[109];

+} ole2_header_t __attribute__ ((packed));

+

+typedef struct property_tag

+{

+	unsigned char name[64];			/* in unicode */

+	int16_t name_size;

+	unsigned char type;			/* 1=dir 2=file 5=root */

+	unsigned char color;			/* black or red */

+	int32_t prev;

+	int32_t next;

+	int32_t child;

+

+	unsigned char clsid[16];

+	uint16_t user_flags;

+

+	uint32_t create_lowdate;

+	uint32_t create_highdate;

+	uint32_t mod_lowdate;

+	uint32_t mod_highdate;

+	int32_t start_block;

+	int32_t size;

+	unsigned char reserved[4];

+} property_t __attribute__ ((packed));

+

+char magic_id[] = { 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1};

+

+

+/* Function: readn

+	Try hard to read the requested number of bytes

+*/

+int readn(int fd, void *buff, unsigned int count)

+{

+	int retval;

+	unsigned int todo;

+	void *current;

+

+	todo = count;

+	current = buff;

+

+	do {

+		retval = read(fd, current, todo);

+		if (retval == 0) {

+			return (count - todo);

+		}

+		if (retval < 0) {

+			return -1;

+		}

+		todo -= retval;

+		current += retval;

+	} while (todo > 0);

+

+	return count;

+}

+

+/* Function: writen

+	Try hard to write the specified number of bytes

+*/

+int writen(int fd, void *buff, unsigned int count)

+{

+	int retval;

+	unsigned int todo;

+	void *current;

+

+	todo = count;

+	current = buff;

+

+	do {

+		retval = write(fd, current, todo);

+		if (retval < 0) {

+			return -1;

+		}

+		todo -= retval;

+		current += retval;

+	} while (todo > 0);

+

+	return count;

+}

+

+void print_property_name(char *name, int size)

+{

+	int i, count=0;

+

+	if (*name == 0 || size == 0) {

+		cli_dbgmsg("[unused]                         ");

+		return;

+	}

+	/* size-2 to ignore trailing NULL */

+	for (i=0 ; i<size-2; i+=2) {

+		if (isprint(name[i])) {

+			cli_dbgmsg("%c", name[i]);

+			count++;

+		} else {

+			cli_dbgmsg("_%d_", name[i]);

+			count += 3;

+		}

+	}

+	for (i=0 ; i < (34-count) ; i++) {

+		cli_dbgmsg(" ");

+	}

+}

+

+char *get_property_name(char *name, int size)

+{

+	int i, j;

+	char *newname;

+

+	if (*name == 0 || size == 0) {

+		return NULL;

+	}

+

+	newname = (char *) cli_malloc(size);

+	if (!newname) {

+		return NULL;

+	}

+	j=0;

+	/* size-2 to ignore trailing NULL */

+	for (i=0 ; i < size-2; i+=2) {

+		if (isprint(name[i])) {

+			newname[j++] = name[i];

+		} else {

+			if (name[i] < 10 && name[i] >= 0) {

+				newname[j++] = '_';

+				newname[j++] = name[i] + '0';

+			}

+			newname[j++] = '_';

+		}

+	}

+	newname[j] = '\0';

+	return newname;

+}

+

+void print_ole2_property(property_t *property)

+{

+	//print_property_name(property->name, property->name_size);

+	switch (property->type) {

+	case 2:

+		cli_dbgmsg(" [file]");

+		break;

+	case 1:

+		cli_dbgmsg(" [dir ]");

+		break;

+	case 5:

+		cli_dbgmsg(" [root]");

+		break;

+	default:

+		cli_dbgmsg(" [%d]", property->type);

+	}

+	switch (property->color) {

+	case 0:

+		cli_dbgmsg(" r");

+		break;

+	case 1:

+		cli_dbgmsg(" b");

+		break;

+	default:

+		cli_dbgmsg(" u");

+	}

+	cli_dbgmsg(" %d %x\n", property->size, property->user_flags);

+}

+

+void print_ole2_header(ole2_header_t *hdr)

+{

+	int i;

+	

+	if (!hdr) {

+		return;

+	}

+	

+	cli_dbgmsg("\nMagic:\t\t\t0x");

+	for (i=0 ; i<8; i++) {

+		cli_dbgmsg("%x", hdr->magic[i]);

+	}

+	cli_dbgmsg("\n");

+

+	cli_dbgmsg("CLSID:\t\t\t{");

+	for (i=0 ; i<16; i++) {

+		cli_dbgmsg("%x ", hdr->clsid[i]);

+	}

+	cli_dbgmsg("}\n");

+

+	cli_dbgmsg("Minor version:\t\t0x%x\n", hdr->minor_version);

+	cli_dbgmsg("DLL version:\t\t0x%x\n", hdr->dll_version);

+	cli_dbgmsg("Byte Order:\t\t%d\n", hdr->byte_order);

+	cli_dbgmsg("Big Block Size:\t\t%i\n", hdr->log2_big_block_size);

+	cli_dbgmsg("Small Block Size:\t%i\n", hdr->log2_small_block_size);

+	cli_dbgmsg("BAT count:\t\t%d\n", hdr->bat_count);

+	cli_dbgmsg("Prop start:\t\t%d\n", hdr->prop_start);

+	cli_dbgmsg("SBAT cutoff:\t\t%d\n", hdr->sbat_cutoff);

+	cli_dbgmsg("SBat start:\t\t%d\n", hdr->sbat_start);

+	cli_dbgmsg("SBat block count:\t%d\n", hdr->sbat_block_count);

+	cli_dbgmsg("XBat start:\t\t%d\n", hdr->xbat_start);

+	cli_dbgmsg("XBat block count:\t%d\n\n", hdr->xbat_count);

+	return;

+}

+

+int ole2_read_block(int fd, ole2_header_t *hdr, void *buff, int blockno)

+{

+	int offset;

+

+	// other methods: (blockno+1) * 512 or (blockno * block_size) + 512;

+	offset = (blockno << hdr->log2_big_block_size) + 512;	/* 512 is header size */

+	if (lseek(fd, offset, SEEK_SET) != offset) {

+		return FALSE;

+	}

+	if (readn(fd, buff, big_block_size) != big_block_size) {

+		return FALSE;

+	}

+	return TRUE;

+}

+

+int ole2_get_next_bat_block(int fd, ole2_header_t *hdr, int current_block)

+{

+	int bat_array_index;

+	uint32_t bat[128];

+

+	bat_array_index = current_block / 128;

+	if (bat_array_index > hdr->bat_count) {

+		cli_dbgmsg("bat_array index error\n");

+		return -10;

+	}

+	ole2_read_block(fd, hdr, &bat, hdr->bat_array[bat_array_index]);

+	return bat[current_block-(bat_array_index * 128)];

+}

+

+int ole2_get_next_sbat_block(int fd, ole2_header_t *hdr, int current_block)

+{

+	int iter, current_bat_block;

+	uint32_t sbat[128];

+

+	current_bat_block = hdr->sbat_start;

+	iter = current_block / 128;

+	while (iter > 0) {

+		current_bat_block = ole2_get_next_bat_block(fd, hdr, current_bat_block);

+		iter--;

+	}

+	ole2_read_block(fd, hdr, &sbat, current_bat_block);

+	return sbat[current_block % 128];

+}

+

+int ole2_get_next_xbat_block(int fd, ole2_header_t *hdr, int current_block)

+{

+	int xbat_index, xbat_block_index, bat_index, bat_blockno;

+	uint32_t xbat[128], bat[128];

+

+	xbat_index = current_block / 128;

+

+	/* NB:	The last entry in each XBAT points to the next XBAT block.

+		This reduces the number of entries in each block by 1.

+	*/

+	xbat_block_index = (xbat_index - 109) / 127;

+	bat_blockno = (xbat_index - 109) % 127;

+

+	bat_index = current_block % 128;

+

+	ole2_read_block(fd, hdr, &xbat, hdr->xbat_start);

+

+	/* Follow the chain of XBAT blocks */

+	while (xbat_block_index > 0) {

+		ole2_read_block(fd, hdr, &xbat, xbat[127]);

+		xbat_block_index--;

+	}

+

+	ole2_read_block(fd, hdr, &bat, xbat[bat_blockno]);

+

+	return bat[bat_index];

+}

+

+int ole2_get_next_block_number(int fd, ole2_header_t *hdr, int current_block)

+{

+	if ((current_block / 128) > 108) {

+		return ole2_get_next_xbat_block(fd, hdr, current_block);

+	} else {

+		return ole2_get_next_bat_block(fd, hdr, current_block);

+	}

+}

+

+/* Retrieve the block containing the data for the given sbat index */

+int ole2_get_sbat_data_block(int fd, ole2_header_t *hdr, void *buff, int sbat_index)

+{

+	int block_count;

+	int current_block;

+

+	if (sbat_start < 0) {

+		cli_errmsg("No root start block\n");

+		return FALSE;

+	}

+

+	block_count = sbat_index / 8;			// 8 small blocks per big block

+	current_block = sbat_start;

+	while (block_count > 0) {

+		current_block = ole2_get_next_bat_block(fd, hdr, current_block);

+		block_count--;

+	}

+	/* current_block now contains the block number of the sbat array

+	   containing the entry for the required small block */

+

+	return(ole2_read_block(fd, hdr, buff, current_block));

+

+}

+

+/* Read the property tree.

+   It is read as just an array rather than a tree */

+void ole2_read_property_tree(int fd, ole2_header_t *hdr, const char *dir,

+				void (*handler)(int fd, ole2_header_t *hdr, property_t *prop, const char *dir))

+{

+	property_t prop_block[4];

+	int index, current_block;

+	

+	current_block = hdr->prop_start;

+

+	while(current_block >= 0) {

+		ole2_read_block(fd, hdr, prop_block, current_block);

+		for (index=0 ; index < 4 ; index++) {

+			if (prop_block[index].name[0] != 0) {

+				if (prop_block[index].type == 5) {

+					sbat_start = prop_block[index].start_block;

+				}

+				print_ole2_property(&prop_block[index]);

+				handler(fd, hdr, &prop_block[index], dir);

+			}

+		}

+		current_block = ole2_get_next_block_number(fd, hdr, current_block);

+	}

+	return;

+}

+

+/* Callback handlers

+   These are called for each entry in the container (property tree) */

+

+/* Null Handler - doesn't do anything */

+void handler_null(int fd, ole2_header_t *hdr, property_t *prop, const char *dir)

+{

+	return;

+}

+

+/* Write file Handler - write the contents of the entry to a file */

+void handler_writefile(int fd, ole2_header_t *hdr, property_t *prop, const char *dir)

+{

+	unsigned char buff[big_block_size];

+	int current_block, ofd, len, offset;

+	char *name, *newname;

+

+	if (prop->type != 2) {

+		// Not a file

+		return;

+	}

+

+	if (! (name = get_property_name(prop->name, prop->name_size))) {

+		return;

+	}

+

+	newname = (char *) cli_malloc(strlen(name) + strlen(dir) + 2);

+	sprintf(newname, "%s/%s", dir, name);

+	free(name);

+

+	ofd = open(newname, O_WRONLY|O_CREAT|O_TRUNC, S_IRWXU);

+	if (ofd < 0) {

+		return;

+	}

+	free(newname);

+	current_block = prop->start_block;

+	len = prop->size;

+

+	while((current_block >= 0) && (len > 0)) {

+		if (prop->size < hdr->sbat_cutoff) {

+			// Small block file

+			if (!ole2_get_sbat_data_block(fd, hdr, &buff, current_block)) {

+				cli_dbgmsg("ole2_get_sbat_data_block failed\n");

+				close(ofd);

+				return;

+			}

+			// buff now contains the block with 8 small blocks in it

+			offset = 64 * (current_block % 8);

+			if (writen(ofd, &buff[offset], MIN(len,64)) != MIN(len,64)) {

+				close(ofd);

+				return;

+			}

+

+			len -= MIN(len,64);

+			current_block = ole2_get_next_sbat_block(fd, hdr, current_block);

+		} else {

+			// Big block file

+			if (!ole2_read_block(fd, hdr, &buff, current_block)) {

+				close(ofd);

+				return;

+			}

+			if (writen(ofd, &buff, MIN(len,big_block_size)) != MIN(len,big_block_size)) {

+				close(ofd);

+				return;

+			}

+

+			current_block = ole2_get_next_block_number(fd, hdr, current_block);

+			len -= MIN(len,big_block_size);

+		}

+	}

+	close(ofd);

+	return;

+}

+

+int cli_ole2_extract(int fd, const char *dirname)

+{

+	ole2_header_t hdr;

+

+	cli_dbgmsg("in cli_ole2_extract()\n");

+

+	readn(fd, &hdr, sizeof(struct ole2_header_tag));

+

+	if (strncmp(hdr.magic, magic_id, 8) != 0) {

+		cli_dbgmsg("OLE2 magic failed!\n");

+		return CL_EOLE2;

+	}

+

+	if (hdr.log2_big_block_size != 9) {

+		cli_dbgmsg("WARNING: untested big block size - please report\n\n");

+	}

+	if (hdr.log2_small_block_size != 6) {

+		cli_dbgmsg("WARNING: untested small block size - please report\n\n");

+	}

+	if (hdr.sbat_cutoff != 4096) {

+		cli_dbgmsg("WARNING: untested sbat cutoff - please report\n\n");

+	}

+

+	big_block_size = 1 << hdr.log2_big_block_size;

+	small_block_size = 1 << hdr.log2_small_block_size;

+

+	print_ole2_header(&hdr);

+

+	ole2_read_property_tree(fd, &hdr, dirname, handler_writefile);

+

+	return 0;

+}

new file mode 100644

@@ -0,0 +1,28 @@

+/*

+ *  Extract component parts of OLE2 files (e.g. MS Office Documents)

+ *

+ *  Copyright (C) 2004 trog@uncon.org

+ *

+ *  This code is based on the OpenOffice and libgsf sources.

+ *                  

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#ifndef __OLE2_EXTRACT_H

+#define __OLE2_EXTRACT_H

+

+int cli_ole2_extract(int fd, const char *dirname);

+

+#endif

@@ -107,6 +107,8 @@ char *cl_strerror(int clerror)

 	    return "Malformed Zip detected.";

 	case CL_EGZIP:

 	    return "GZip module failure.";

+	case CL_EOLE2:

+	    return "OLE2 module failure.";

 	case CL_ETMPFILE:

 	    return "Unable to create temporary file.";

 	case CL_ETMPDIR:

@@ -37,6 +37,8 @@ int cli_scanrar_inuse = 0;

 #include "others.h"

 #include "matcher.h"

 #include "unrarlib.h"

+#include "ole2_extract.h"

+#include "vba_extract.h"

 #ifdef HAVE_ZLIB_H

 #include <zlib.h>

@@ -49,6 +51,7 @@ int cli_scanrar_inuse = 0;

 #define SCAN_ARCHIVE	(options & CL_ARCHIVE)

 #define SCAN_MAIL	(options & CL_MAIL)

+#define SCAN_OLE2	(options & CL_OLE2)

 #define DISABLE_RAR	(options & CL_DISABLERAR)

 #define MAGIC_BUFFER_SIZE 14

@@ -60,6 +63,7 @@ int cli_scanrar_inuse = 0;

 #define MAILDIR_MAGIC_STR "Return-Path: "

 #define DELIVERED_MAGIC_STR "Delivered-To: "

 #define BZIP_MAGIC_STR "BZh"

+#define OLE2_MAGIC_STR "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"

 int cli_magic_scandesc(int desc, char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev);

@@ -535,6 +539,78 @@ int cli_scanbzip(int desc, char **virname, long int *scanned, const struct cl_no

 }

 #endif

+int cli_scanole2(int desc, char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev)

+{

+	const char *tmpdir;

+	char *dir, *fullname;

+	unsigned char *data;

+	int ret = CL_CLEAN, fd, i;

+	vba_project_t *vba_project;

+

+    cli_dbgmsg("in cli_scanole2()\n");

+

+    tmpdir = getenv("TMPDIR");

+

+    if(tmpdir == NULL)

+#ifdef P_tmpdir

+	tmpdir = P_tmpdir;

+#else

+	tmpdir = "/tmp";

+#endif

+

+	/* generate the temporary directory */

+	dir = cl_gentemp(tmpdir);

+	if(mkdir(dir, 0700)) {

+	    cli_errmsg("ScanOLE2 -> Can't create temporary directory %s\n", dir);

+	    return CL_ETMPDIR;

+	}

+

+	if((ret = cli_ole2_extract(desc, dir))) {

+	    cli_errmsg("ScanOLE2 -> %s\n", cl_strerror(ret));

+	    cli_rmdirs(dir);

+	    free(dir);

+	    return ret;

+	}

+

+	if((vba_project = (vba_project_t *) vba56_dir_read(dir))) {

+

+	    for(i = 0; i < vba_project->count; i++) {

+		fullname = (char *) malloc(strlen(vba_project->dir) + strlen(vba_project->name[i]) + 2);

+		sprintf(fullname, "%s/%s", vba_project->dir, vba_project->name[i]);

+		fd = open(fullname, O_RDONLY);

+		if(fd == -1) {

+			cli_errmsg("Scan->OLE2 -> Can't open file %s\n", fullname);

+			free(fullname);

+			ret = CL_EOPEN;

+			break;

+		}

+		free(fullname);

+		data = (unsigned char *) vba_decompress(fd, vba_project->offset[i]);

+

+		if(cl_scanbuff(data, strlen(data), virname, root) == CL_VIRUS) {

+		    free(data);

+		    ret = CL_VIRUS;

+		    break;

+		}

+

+		free(data);

+	    }

+

+	} else {

+	    cli_errmsg("ScanOLE2 -> Can't decode VBA streams.\n");

+	    ret = CL_EOLE2;

+	}

+

+	for(i = 0; i < vba_project->count; i++)

+	    free(vba_project->name[i]);

+	free(vba_project->name);

+	free(vba_project->dir);

+	free(vba_project->offset);

+

+	cli_rmdirs(dir);

+	free(dir);

+	return ret;

+}

 int cli_scandir(char *dirname, char **virname, long int *scanned, const struct cl_node *root, const struct cl_limits *limits, int options, int *reclev)

 {

 	DIR *dd;

@@ -700,6 +776,10 @@ int cli_magic_scandesc(int desc, char **virname, long int *scanned, const struct

 	    ret = cli_scanbzip(desc, virname, scanned, root, limits, options, reclev);

 	}

 #endif

+	else if(SCAN_OLE2 && !strncmp(magic, OLE2_MAGIC_STR, 8)) {

+	    cli_dbgmsg("Recognized OLE2 file.\n");

+	    ret = cli_scanole2(desc, virname, scanned, root, limits, options, reclev);

+	}

 	else if(SCAN_MAIL && !strncmp(magic, MAIL_MAGIC_STR, strlen(MAIL_MAGIC_STR))) {

 	    cli_dbgmsg("Recognized mail file.\n");

 	    ret = cli_scanmail(desc, virname, scanned, root, limits, options, reclev);

new file mode 100644

@@ -0,0 +1,602 @@

+/*

+ *  Extract VBA source code for component MS Office Documents)

+ *

+ *  Copyright (C) 2004 trog@uncon.org

+ *

+ *  This code is based on the OpenOffice and libgsf sources.

+ *                  

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License as published by

+ *  the Free Software Foundation; either version 2 of the License, or

+ *  (at your option) any later version.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.

+ */

+

+#include <stdio.h>

+#include <string.h>

+#include <unistd.h>

+#include <sys/types.h>

+#include <sys/stat.h>

+#include <fcntl.h>

+#include <stdint.h>

+#include <stdlib.h>

+#include <ctype.h>

+

+#include "vba_extract.h"

+

+#define FALSE (0)

+#define TRUE (1)

+

+typedef struct vba_version_tag {

+	unsigned char signature[4];

+	const char *name;

+	int vba_version;

+	int is_mac;

+} vba_version_t;

+

+

+typedef struct byte_array_tag {

+	unsigned int length;

+	unsigned char *data;

+} byte_array_t;

+

+#define NUM_VBA_VERSIONS 9

+vba_version_t vba_version[] = {

+	{ { 0x5e, 0x00, 0x00, 0x01 }, "Office 97",              5, FALSE},

+	{ { 0x5f, 0x00, 0x00, 0x01 }, "Office 97 SR1",          5, FALSE },

+	{ { 0x65, 0x00, 0x00, 0x01 }, "Office 2000 alpha?",     6, FALSE },

+	{ { 0x6b, 0x00, 0x00, 0x01 }, "Office 2000 beta?",      6, FALSE },

+	{ { 0x6d, 0x00, 0x00, 0x01 }, "Office 2000",            6, FALSE },

+	{ { 0x70, 0x00, 0x00, 0x01 }, "Office XP beta 1/2",     6, FALSE },

+	{ { 0x73, 0x00, 0x00, 0x01 }, "Office XP",              6, FALSE },

+	{ { 0x60, 0x00, 0x00, 0x0e }, "MacOffice 98",           5, TRUE },

+	{ { 0x62, 0x00, 0x00, 0x0e }, "MacOffice 2001",         5, TRUE },

+};

+

+#define VBA56_DIRENT_RECORD_COUNT (2 + /* magic */              \

+                                   4 + /* version */            \

+                                   2 + /* 0x00 0xff */          \

+                                  22)  /* unknown */