blah

Cisco-Talos · Aug 2, 2024 · 2b30307 · 2b30307
1 parent f2434e4
commit 2b30307
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 128 deletions.
diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
@@ -415,7 +415,6 @@ print_ole2_property(property_t *property)
 static void
 print_ole2_header(ole2_header_t *hdr)
 {
-#if 0
     if (!hdr || !cli_debug_flag) {
         return;
     }
@@ -443,40 +442,6 @@ print_ole2_header(ole2_header_t *hdr)
     cli_dbgmsg("XBat start:\t\t%d\n", hdr->xbat_start);
     cli_dbgmsg("XBat block count:\t%d\n", hdr->xbat_count);
     cli_dbgmsg("\n");
-
-
-
-#endif
-    fprintf(stderr, "\n");
-    fprintf(stderr, "Magic:\t\t\t0x%x%x%x%x%x%x%x%x\n",
-               hdr->magic[0], hdr->magic[1], hdr->magic[2], hdr->magic[3],
-               hdr->magic[4], hdr->magic[5], hdr->magic[6], hdr->magic[7]);
-
-    fprintf(stderr, "CLSID:\t\t\t{%x%x%x%x-%x%x-%x%x-%x%x-%x%x%x%x%x%x}\n",
-               hdr->clsid[0], hdr->clsid[1], hdr->clsid[2], hdr->clsid[3],
-               hdr->clsid[4], hdr->clsid[5], hdr->clsid[6], hdr->clsid[7],
-               hdr->clsid[8], hdr->clsid[9], hdr->clsid[10], hdr->clsid[11],
-               hdr->clsid[12], hdr->clsid[13], hdr->clsid[14], hdr->clsid[15]);
-
-    fprintf(stderr, "Minor version:\t\t0x%x\n", hdr->minor_version);
-    fprintf(stderr, "DLL version:\t\t0x%x\n", hdr->dll_version);
-    fprintf(stderr, "Byte Order:\t\t%d\n", hdr->byte_order);
-    fprintf(stderr, "Big Block Size:\t%i\n", hdr->log2_big_block_size);
-    fprintf(stderr, "Small Block Size:\t%i\n", hdr->log2_small_block_size);
-    fprintf(stderr, "BAT count:\t\t%d\n", hdr->bat_count);
-    fprintf(stderr, "Prop start:\t\t%d\n", hdr->prop_start);
-    fprintf(stderr, "SBAT cutoff:\t\t%d\n", hdr->sbat_cutoff);
-    fprintf(stderr, "SBat start:\t\t%d\n", hdr->sbat_start);
-    fprintf(stderr, "SBat block count:\t%d\n", hdr->sbat_block_count);
-    fprintf(stderr, "XBat start:\t\t%d\n", hdr->xbat_start);
-    fprintf(stderr, "XBat block count:\t%d\n", hdr->xbat_count);
-    fprintf(stderr, "\n");
-
-
-
-
-
-
     return;
 }
 
@@ -2912,9 +2877,21 @@ cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **fil
     hdr.xbat_start            = ole2_endian_convert_32(hdr.xbat_start);
     hdr.xbat_count            = ole2_endian_convert_32(hdr.xbat_count);
 
-    fprintf(stderr, "%s::%d::bat_count (sector count) and prop_start are different\n", __FUNCTION__, __LINE__);
-    fprintf(stderr, "%s::%d::bat_count = %d\n", __FUNCTION__, __LINE__, hdr.bat_count);
-print_ole2_header(&hdr);
+
+
+#if 0
+    int32_t bat_count __attribute__((packed)); NUMBER of directory sectors
+    int32_t prop_start __attribute__((packed)); number of fat sectors
+
+    uint32_t signature __attribute__((packed)); first directory sector location
+#endif
+    fprintf(stderr, "%s::%d::Number of directory sectors = %d (0x%x)\n", __FUNCTION__, __LINE__, hdr.bat_count, hdr.bat_count);
+    fprintf(stderr, "%s::%d::Number of FAT sectors = %d (0x%x)\n", __FUNCTION__, __LINE__, hdr.prop_start, hdr.prop_start);
+    fprintf(stderr, "%s::%d::Transaction sector Number = %d (0x%x)\n", __FUNCTION__, __LINE__, hdr.signature, hdr.signature);
+
+
+
+
 
     hdr.sbat_root_start = -1;
 

diff --git a/libclamav/ole2_extract_images.h b/libclamav/ole2_extract_images.h
@@ -1,6 +1,7 @@
 #ifndef OLE2_EXTRACT_IMAGES_H_
 #define OLE2_EXTRACT_IMAGES_H_
 
+/* https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-doc/0c9df81f-98d0-454e-ad84-b612cd05b1a4   */
 typedef struct __attribute__((packed)) {
     uint32_t fcStshfOrig;
     uint32_t lcbStshfOrig;
@@ -689,6 +690,7 @@ static void processOfficeArtBlipPICT(cli_ctx* ctx, OfficeArtRecordHeader * rh, c
 
 /*https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-odraw/704b3ec5-3e3f-425f-b2f7-a090cc68e624*/
 static void processOfficeArtBlipJPEG(cli_ctx * ctx, OfficeArtRecordHeader * rh, const uint8_t * const ptr){
+    fprintf(stderr, "%s::%d::Entering\n", __FUNCTION__, __LINE__);
     size_t offset = 16; /* Size of rh*/
     uint16_t recInst = getRecInst(rh);
 
@@ -778,7 +780,6 @@ static size_t processOfficeArtBlip(cli_ctx * ctx, const uint8_t * const ptr){
 static size_t processOfficeArtFBSE(cli_ctx * ctx, ole2_header_t *hdr, OfficeArtRecordHeader * imageHeader, const uint8_t * const ptr, property_t * wordDocBlock) {
     OfficeArtFBSEKnown fbse;
 
-    //    imageCnt = blipStoreRecordHeader.recLen/(sizeof(OfficeArtFBSEKnown) + sizeof(OfficeArtRecordHeader));
     uint32_t offset = sizeof(OfficeArtRecordHeader);
     uint16_t recInst = getRecInst(imageHeader);
 
@@ -810,9 +811,6 @@ static size_t processOfficeArtFBSE(cli_ctx * ctx, ole2_header_t *hdr, OfficeArtR
          * The data is in a different stream
          */
     }
-    return offset;
-#if 0
-
 #if 0
     size_t i;
     fprintf(stderr, "%s::%d::", __FUNCTION__, __LINE__);
@@ -822,95 +820,11 @@ static size_t processOfficeArtFBSE(cli_ctx * ctx, ole2_header_t *hdr, OfficeArtR
     fprintf(stderr, "\n");
 #endif
 
-
-
-#if 1
-    fprintf(stderr, "%s::%d::before cpy\n", __FUNCTION__, __LINE__);
-    copy_OfficeArtRecordHeader(imageHeader, &(ptr[offset]));
-
-    uint8_t recVer = getRecVer(imageHeader);
-    fprintf(stderr, "%s::%d::recVer = %d\n", __FUNCTION__, __LINE__, recVer);
-
-    offset += sizeof(OfficeArtRecordHeader);
-
-    copy_OfficeArtFBSEKnown (&fbse, &(ptr[offset]));
-    offset += sizeof(OfficeArtFBSEKnown );
-    recInst = getRecInst(imageHeader);
-
-    fprintf(stderr, "%s::%d::recInst = %d\n", __FUNCTION__, __LINE__, recInst);
-    fprintf(stderr, "%s::%d::fbse.btWin32 = %d\n", __FUNCTION__, __LINE__, fbse.btWin32);
-    fprintf(stderr, "%s::%d::fbse.btMacOS = %d\n", __FUNCTION__, __LINE__, fbse.btMacOS);
-
-    //here;
-
-
-    if ((recInst != fbse.btWin32) && (recInst != fbse.btMacOS)) {
-        cli_dbgmsg("ERROR Invalid recInst 0x%x\n", recInst);
-        return;
-    }
-    fprintf(stderr, "%s::%d\n", __FUNCTION__, __LINE__);
-    if (imageHeader->recType != 0xf007) {
-        cli_dbgmsg("ERROR Invalid recType 0x%x\n", imageHeader->recType);
-        return;
-    }
-    fprintf(stderr, "%s::%d\n", __FUNCTION__, __LINE__);
-
-    offset += fbse.cbName;
-
-    if (imageHeader->recLen == (sizeof(OfficeArtFBSEKnown) + fbse.cbName + fbse.size)) {
-        fprintf(stderr, "%s::%d::Blip is embedded\n", __FUNCTION__, __LINE__);
-        /* The BLIP is embedded in this record*/ 
-        processOfficeArtBlip(ctx, &(ptr[offset]));
-    } else {
-        /* The BLIP is in the 'WordDocument' stream. */
-        size_t size = fbse.size;
-        const uint8_t * const ptr = load_pointer_to_stream_from_fmap(hdr, wordDocBlock, fbse.foDelay, size);
-        fprintf(stderr, "%s::%d::Blip is in WordDocument stream, delay = %u (0x%x)\n", __FUNCTION__, __LINE__, fbse.foDelay, fbse.foDelay);
-        processOfficeArtBlip(ctx, ptr);
-    }
-
-#endif
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-    fprintf(stderr, "%s::%d::Looks like this might be IT!!!!\n", __FUNCTION__, __LINE__);
-#endif
+    return offset;
 }
 
 static void ole2_extract_images(cli_ctx * ctx, ole2_header_t * ole2Hdr, FibRgFcLcb97 * header, const uint8_t * ptr, property_t * wordDocBlock) {
     size_t offset = header->fcDggInfo;
-    uint32_t i;
 
     /*
      * Start of OfficeArtContent
@@ -1071,7 +985,7 @@ void ole2_process_image_directory( cli_ctx * ctx, ole2_header_t * hdr, ole2_imag
         size_t offset = get_stream_data_offset(hdr, tableStream, tableStream->start_block);
         /*TODO: Fix hardcoded 4k*/
         ptr = fmap_need_off_once(hdr->map, offset, 4096);
-        fprintf(stderr, "%s::%d::Fix hardcoded 4k\n", __FUNCTION__, __LINE__);
+fprintf(stderr, "%s::%d::Fix hardcoded 4k\n", __FUNCTION__, __LINE__);
         if (NULL == ptr) {
             cli_dbgmsg("ERROR: Invalid offset for File Information Block %ld (0x%lx)\n", offset, offset);
             goto done;