/* * Extract component parts of OLE2 files (e.g. MS Office Documents) * * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. * Copyright (C) 2007-2013 Sourcefire, Inc. * * Authors: Kevin Lin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. */ #ifndef __MSDOC_H #define __MSDOC_H #include "others.h" #include "uniq.h" /* Summary and Document Information Parsing to JSON */ #if HAVE_JSON #define PROPCNTLIMIT 25 #define PROPSTRLIMIT 256 /* affects property strs, NOT sanitized strs (may result in a buffer allocating PROPSTRLIMIT*6) */ #define UTF16_MS "UTF-16LE" #define sum16_endian_convert(v) le16_to_host((uint16_t)(v)) #define sum32_endian_convert(v) le32_to_host((uint32_t)(v)) #define sum64_endian_convert(v) le64_to_host((uint64_t)(v)) enum summary_pidsi { SPID_CODEPAGE = 0x00000001, SPID_TITLE = 0x00000002, SPID_SUBJECT = 0x00000003, SPID_AUTHOR = 0x00000004, SPID_KEYWORDS = 0x00000005, SPID_COMMENTS = 0x00000006, SPID_TEMPLATE = 0x00000007, SPID_LASTAUTHOR = 0x00000008, SPID_REVNUMBER = 0x00000009, SPID_EDITTIME = 0x0000000A, SPID_LASTPRINTED = 0x0000000B, SPID_CREATEDTIME = 0x0000000C, SPID_MODIFIEDTIME = 0x0000000D, SPID_PAGECOUNT = 0x0000000E, SPID_WORDCOUNT = 0x0000000F, SPID_CHARCOUNT = 0x00000010, SPID_THUMBNAIL = 0x00000011, SPID_APPNAME = 0x00000012, SPID_SECURITY = 0x00000013 }; enum docsum_pidsi { DSPID_CODEPAGE = 0x00000001, DSPID_CATEGORY = 0x00000002, DSPID_PRESFORMAT = 0x00000003, DSPID_BYTECOUNT = 0x00000004, DSPID_LINECOUNT = 0x00000005, DSPID_PARCOUNT = 0x00000006, DSPID_SLIDECOUNT = 0x00000007, DSPID_NOTECOUNT = 0x00000008, DSPID_HIDDENCOUNT = 0x00000009, DSPID_MMCLIPCOUNT = 0x0000000A, DSPID_SCALE = 0x0000000B, DSPID_HEADINGPAIR = 0x0000000C, /* VT_VARIANT | VT_VECTOR */ DSPID_DOCPARTS = 0x0000000D, /* VT_VECTOR | VT_LPSTR */ DSPID_MANAGER = 0x0000000E, DSPID_COMPANY = 0x0000000F, DSPID_LINKSDIRTY = 0x00000010, DSPID_CCHWITHSPACES = 0x00000011, DSPID_SHAREDDOC = 0x00000013, /* must be false */ DSPID_LINKBASE = 0x00000014, /* moved to user-defined */ DSPID_HLINKS = 0x00000015, /* moved to user-defined */ DSPID_HYPERLINKSCHANGED = 0x00000016, DSPID_VERSION = 0x00000017, DSPID_DIGSIG = 0x00000018, DSPID_CONTENTTYPE = 0x0000001A, DSPID_CONTENTSTATUS = 0x0000001B, DSPID_LANGUAGE = 0x0000001C, DSPID_DOCVERSION = 0x0000001D }; enum property_type { PT_EMPTY = 0x0000, PT_NULL = 0x0001, PT_INT16 = 0x0002, PT_INT32 = 0x0003, PT_FLOAT32 = 0x0004, PT_DOUBLE64 = 0x0005, PT_DATE = 0x0007, PT_BSTR = 0x0008, PT_BOOL = 0x000B, PT_INT8v1 = 0x0010, PT_UINT8 = 0x0011, PT_UINT16 = 0x0012, PT_UINT32 = 0x0013, PT_INT64 = 0x0014, PT_UINT64 = 0x0015, PT_INT32v1 = 0x0016, PT_UINT32v1 = 0x0017, PT_LPSTR = 0x001E, PT_LPWSTR = 0x001F, PT_FILETIME = 0x0040, /* More Types not currently handled */ }; typedef struct summary_stub { uint16_t byte_order; uint16_t version; uint32_t system; /* implementation-specific */ uint8_t CLSID[16]; uint32_t num_propsets; /* 1 or 2 */ } summary_stub_t; typedef struct propset_summary_entry { uint8_t FMTID[16]; uint32_t offset; } propset_entry_t; /* error codes */ #define OLE2_SUMMARY_ERROR_TOOSMALL 0x00000001 #define OLE2_SUMMARY_ERROR_OOB 0x00000002 #define OLE2_SUMMARY_ERROR_DATABUF 0x00000004 #define OLE2_SUMMARY_ERROR_INVALID_ENTRY 0x00000008 #define OLE2_SUMMARY_LIMIT_PROPS 0x00000010 #define OLE2_SUMMARY_FLAG_TIMEOUT 0x00000020 #define OLE2_SUMMARY_FLAG_CODEPAGE 0x00000040 #define OLE2_SUMMARY_FLAG_UNKNOWN_PROPID 0x00000080 #define OLE2_SUMMARY_FLAG_UNHANDLED_PROPTYPE 0x00000100 #define OLE2_SUMMARY_FLAG_TRUNC_STR 0x00000200 #define OLE2_CODEPAGE_ERROR_NOTFOUND 0x00000400 #define OLE2_CODEPAGE_ERROR_UNINITED 0x00000800 #define OLE2_CODEPAGE_ERROR_INVALID 0x00001000 #define OLE2_CODEPAGE_ERROR_INCOMPLETE 0x00002000 #define OLE2_CODEPAGE_ERROR_OUTBUFTOOSMALL 0x00002000 /* metadata structures */ typedef struct summary_ctx { cli_ctx *ctx; int mode; fmap_t *sfmap; json_object *summary; size_t maplen; uint32_t flags; /* propset metadata */ uint32_t pssize; /* track from propset start, not tail start */ uint16_t codepage; int writecp; /* property metadata */ const char *propname; /* timeout meta */ int toval; } summary_ctx_t; /* string conversion */ struct codepage_entry { uint16_t codepage; const char *encoding; }; #define NUMCODEPAGES sizeof(codepage_entries)/sizeof(struct codepage_entry) /* MAINTAIN - the array in codepage value sorted order */ static const struct codepage_entry codepage_entries[] = { { 37, "IBM037" }, /* IBM EBCDIC US-Canada */ { 437, "IBM437" }, /* OEM United States */ { 500, "IBM500" }, /* IBM EBCDIC International */ { 708, "ASMO-708" }, /* Arabic (ASMO 708) */ { 709, NULL }, /* Arabic (ASMO-449+, BCON V4) */ { 710, NULL }, /* Arabic - Transparent Arabic */ { 720, NULL }, /* Arabic (Transparent ASMO); Arabic (DOS) */ { 737, NULL }, /* OEM Greek (formerly 437G); Greek (DOS) */ { 775, "IBM775" }, /* OEM Baltic; Baltic (DOS) */ { 850, "IBM850" }, /* OEM Multilingual Latin 1; Western European (DOS) */ { 852, "IBM852" }, /* OEM Latin 2; Central European (DOS) */ { 855, "IBM855" }, /* OEM Cyrillic (primarily Russian) */ { 857, "IBM857" }, /* OEM Turkish; Turkish (DOS) */ { 858, NULL }, /* OEM Multilingual Latin 1 + Euro symbol */ { 860, "IBM860" }, /* OEM Portuguese; Portuguese (DOS) */ { 861, "IBM861" }, /* OEM Icelandic; Icelandic (DOS) */ { 862, NULL }, /* OEM Hebrew; Hebrew (DOS) */ { 863, "IBM863" }, /* OEM French Canadian; French Canadian (DOS) */ { 864, "IBM864" }, /* OEM Arabic; Arabic (864) */ { 865, "IBM865" }, /* OEM Nordic; Nordic (DOS) */ { 866, "CP866" }, /* OEM Russian; Cyrillic (DOS) */ { 869, "IBM869" }, /* OEM Modern Greek; Greek, Modern (DOS) */ { 870, "IBM870" }, /* IBM EBCDIC Multilingual/ROECE (Latin 2); IBM EBCDIC Multilingual Latin 2 */ { 874, "WINDOWS-874" }, /* ANSI/OEM Thai (ISO 8859-11); Thai (Windows) */ { 875, "CP875" }, /* IBM EBCDIC Greek Modern */ { 932, "SHIFT_JIS" }, /* ANSI/OEM Japanese; Japanese (Shift-JIS) */ { 936, "GB2312" }, /* ANSI/OEM Simplified Chinese (PRC, Singapore); Chinese Simplified (GB2312) */ { 949, NULL }, /* ANSI/OEM Korean (Unified Hangul Code) */ { 950, "BIG5" }, /* ANSI/OEM Traditional Chinese (Taiwan; Hong Kong SAR, PRC); Chinese Traditional (Big5) */ { 1026, "IBM1026" }, /* IBM EBCDIC Turkish (Latin 5) */ { 1047, NULL }, /* IBM EBCDIC Latin 1/Open System */ { 1140, NULL }, /* IBM EBCDIC US-Canada (037 + Euro symbol); IBM EBCDIC (US-Canada-Euro) */ { 1141, NULL }, /* IBM EBCDIC Germany (20273 + Euro symbol); IBM EBCDIC (Germany-Euro) */ { 1142, NULL }, /* IBM EBCDIC Denmark-Norway (20277 + Euro symbol); IBM EBCDIC (Denmark-Norway-Euro) */ { 1143, NULL }, /* IBM EBCDIC Finland-Sweden (20278 + Euro symbol); IBM EBCDIC (Finland-Sweden-Euro) */ { 1144, NULL }, /* IBM EBCDIC Italy (20280 + Euro symbol); IBM EBCDIC (Italy-Euro) */ { 1145, NULL }, /* IBM EBCDIC Latin America-Spain (20284 + Euro symbol); IBM EBCDIC (Spain-Euro) */ { 1146, NULL }, /* IBM EBCDIC United Kingdom (20285 + Euro symbol); IBM EBCDIC (UK-Euro) */ { 1147, NULL }, /* IBM EBCDIC France (20297 + Euro symbol); IBM EBCDIC (France-Euro) */ { 1148, NULL }, /* IBM EBCDIC International (500 + Euro symbol); IBM EBCDIC (International-Euro) */ { 1149, NULL }, /* IBM EBCDIC Icelandic (20871 + Euro symbol); IBM EBCDIC (Icelandic-Euro) */ { 1200, "UTF-16LE" }, /* Unicode UTF-16, little endian byte order (BMP of ISO 10646); available only to managed applications */ { 1201, "UTF-16BE" }, /* Unicode UTF-16, big endian byte order; available only to managed applications */ { 1250, "WINDOWS-1250" }, /* ANSI Central European; Central European (Windows) */ { 1251, "WINDOWS-1251" }, /* ANSI Cyrillic; Cyrillic (Windows) */ { 1252, "WINDOWS-1252" }, /* ANSI Latin 1; Western European (Windows) */ { 1253, "WINDOWS-1253" }, /* ANSI Greek; Greek (Windows) */ { 1254, "WINDOWS-1254" }, /* ANSI Turkish; Turkish (Windows) */ { 1255, "WINDOWS-1255" }, /* ANSI Hebrew; Hebrew (Windows) */ { 1256, "WINDOWS-1256" }, /* ANSI Arabic; Arabic (Windows) */ { 1257, "WINDOWS-1257" }, /* ANSI Baltic; Baltic (Windows) */ { 1258, "WINDOWS-1258" }, /* ANSI/OEM Vietnamese; Vietnamese (Windows) */ { 1361, "JOHAB" }, /* Korean (Johab) */ { 10000, "MACINTOSH" }, /* MAC Roman; Western European (Mac) */ { 10001, NULL }, /* Japanese (Mac) */ { 10002, NULL }, /* MAC Traditional Chinese (Big5); Chinese Traditional (Mac) */ { 10003, NULL }, /* Korean (Mac) */ { 10004, NULL }, /* Arabic (Mac) */ { 10005, NULL }, /* Hebrew (Mac) */ { 10006, NULL }, /* Greek (Mac) */ { 10007, NULL }, /* Cyrillic (Mac) */ { 10008, NULL }, /* MAC Simplified Chinese (GB 2312); Chinese Simplified (Mac) */ { 10010, NULL }, /* Romanian (Mac) */ { 10017, NULL }, /* Ukrainian (Mac) */ { 10021, NULL }, /* Thai (Mac) */ { 10029, NULL }, /* MAC Latin 2; Central European (Mac) */ { 10079, NULL }, /* Icelandic (Mac) */ { 10081, NULL }, /* Turkish (Mac) */ { 10082, NULL }, /* Croatian (Mac) */ { 12000, "UTF-32LE" }, /* Unicode UTF-32, little endian byte order; available only to managed applications */ { 12001, "UTF-32BE" }, /* Unicode UTF-32, big endian byte order; available only to managed applications */ { 20000, NULL }, /* CNS Taiwan; Chinese Traditional (CNS) */ { 20001, NULL }, /* TCA Taiwan */ { 20002, NULL }, /* Eten Taiwan; Chinese Traditional (Eten) */ { 20003, NULL }, /* IBM5550 Taiwan */ { 20004, NULL }, /* TeleText Taiwan */ { 20005, NULL }, /* Wang Taiwan */ { 20105, NULL }, /* IA5 (IRV International Alphabet No. 5, 7-bit); Western European (IA5) */ { 20106, NULL }, /* IA5 German (7-bit) */ { 20107, NULL }, /* IA5 Swedish (7-bit) */ { 20108, NULL }, /* IA5 Norwegian (7-bit) */ { 20127, "US-ASCII" }, /* US-ASCII (7-bit) */ { 20261, NULL }, /* T.61 */ { 20269, NULL }, /* ISO 6937 Non-Spacing Accent */ { 20273, "IBM273" }, /* IBM EBCDIC Germany */ { 20277, "IBM277" }, /* IBM EBCDIC Denmark-Norway */ { 20278, "IBM278" }, /* IBM EBCDIC Finland-Sweden */ { 20280, "IBM280" }, /* IBM EBCDIC Italy */ { 20284, "IBM284" }, /* IBM EBCDIC Latin America-Spain */ { 20285, "IBM285" }, /* IBM EBCDIC United Kingdom */ { 20290, "IBM290" }, /* IBM EBCDIC Japanese Katakana Extended */ { 20297, "IBM297" }, /* IBM EBCDIC France */ { 20420, "IBM420" }, /* IBM EBCDIC Arabic */ { 20423, "IBM423" }, /* IBM EBCDIC Greek */ { 20424, "IBM424" }, /* IBM EBCDIC Hebrew */ { 20833, NULL }, /* IBM EBCDIC Korean Extended */ { 20838, NULL }, /* IBM EBCDIC Thai */ { 20866, "KOI8-R" }, /* Russian (KOI8-R); Cyrillic (KOI8-R) */ { 20871, "IBM871" }, /* IBM EBCDIC Icelandic */ { 20880, "IBM880" }, /* IBM EBCDIC Cyrillic Russian */ { 20905, "IBM905" }, /* IBM EBCDIC Turkish */ { 20924, NULL }, /* IBM EBCDIC Latin 1/Open System (1047 + Euro symbol) */ { 20932, "EUC-JP" }, /* Japanese (JIS 0208-1990 and 0212-1990) */ { 20936, NULL }, /* Simplified Chinese (GB2312); Chinese Simplified (GB2312-80) */ { 20949, NULL }, /* Korean Wansung */ { 21025, "CP1025" }, /* IBM EBCDIC Cyrillic Serbian-Bulgarian */ { 21027, NULL }, /* (deprecated) */ { 21866, "KOI8-U" }, /* Ukrainian (KOI8-U); Cyrillic (KOI8-U) */ { 28591, "ISO-8859-1" }, /* ISO 8859-1 Latin 1; Western European (ISO) */ { 28592, "ISO-8859-2" }, /* ISO 8859-2 Central European; Central European (ISO) */ { 28593, "ISO-8859-3" }, /* ISO 8859-3 Latin 3 */ { 28594, "ISO-8859-4" }, /* ISO 8859-4 Baltic */ { 28595, "ISO-8859-5" }, /* ISO 8859-5 Cyrillic */ { 28596, "ISO-8859-6" }, /* ISO 8859-6 Arabic */ { 28597, "ISO-8859-7" }, /* ISO 8859-7 Greek */ { 28598, "ISO-8859-8" }, /* ISO 8859-8 Hebrew; Hebrew (ISO-Visual) */ { 28599, "ISO-8859-9" }, /* ISO 8859-9 Turkish */ { 28603, "ISO-8859-13" }, /* ISO 8859-13 Estonian */ { 28605, "ISO-8859-15" }, /* ISO 8859-15 Latin 9 */ { 29001, NULL }, /* Europa 3 */ { 38598, NULL }, /* ISO 8859-8 Hebrew; Hebrew (ISO-Logical) */ { 50220, "ISO-2022-JP" }, /* ISO 2022 Japanese with no halfwidth Katakana; Japanese (JIS) (guess) */ { 50221, "ISO-2022-JP-2" }, /* ISO 2022 Japanese with halfwidth Katakana; Japanese (JIS-Allow 1 byte Kana) (guess) */ { 50222, "ISO-2022-JP-3" }, /* ISO 2022 Japanese JIS X 0201-1989; Japanese (JIS-Allow 1 byte Kana - SO/SI) (guess) */ { 50225, "ISO-2022-KR" }, /* ISO 2022 Korean */ { 50227, NULL }, /* ISO 2022 Simplified Chinese; Chinese Simplified (ISO 2022) */ { 50229, NULL }, /* ISO 2022 Traditional Chinese */ { 50930, NULL }, /* EBCDIC Japanese (Katakana) Extended */ { 50931, NULL }, /* EBCDIC US-Canada and Japanese */ { 50933, NULL }, /* EBCDIC Korean Extended and Korean */ { 50935, NULL }, /* EBCDIC Simplified Chinese Extended and Simplified Chinese */ { 50936, NULL }, /* EBCDIC Simplified Chinese */ { 50937, NULL }, /* EBCDIC US-Canada and Traditional Chinese */ { 50939, NULL }, /* EBCDIC Japanese (Latin) Extended and Japanese */ { 51932, "EUC-JP" }, /* EUC Japanese */ { 51936, "EUC-CN" }, /* EUC Simplified Chinese; Chinese Simplified (EUC) */ { 51949, "EUC-KR" }, /* EUC Korean */ { 51950, NULL }, /* EUC Traditional Chinese */ { 52936, NULL }, /* HZ-GB2312 Simplified Chinese; Chinese Simplified (HZ) */ { 54936, "GB18030" }, /* Windows XP and later: GB18030 Simplified Chinese (4 byte); Chinese Simplified (GB18030) */ { 57002, NULL }, /* ISCII Devanagari */ { 57003, NULL }, /* ISCII Bengali */ { 57004, NULL }, /* ISCII Tamil */ { 57005, NULL }, /* ISCII Telugu */ { 57006, NULL }, /* ISCII Assamese */ { 57007, NULL }, /* ISCII Oriya */ { 57008, NULL }, /* ISCII Kannada */ { 57009, NULL }, /* ISCII Malayalam */ { 57010, NULL }, /* ISCII Gujarati */ { 57011, NULL }, /* ISCII Punjabi */ { 65000, "UTF-7" }, /* Unicode (UTF-7) */ { 65001, "UTF-8" } /* Unicode (UTF-8) */ }; int cli_ole2_summary_json(cli_ctx *ctx, int fd, int mode); #endif /* HAVE_JSON */ #endif /* __MSDOC_H_ */