blah

Cisco-Talos · Jun 6, 2024 · 0e1fa94 · 0e1fa94
1 parent 57e0fec
commit 0e1fa94
Showing 1 changed file with 9 additions and 135 deletions.
diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
@@ -638,16 +638,6 @@ static int ole2_cmp_name(const char * const name, uint32_t name_size, const char
     return strcasecmp(decoded, keyword);
 }
 
-#if 0
-static void print_name(const property_t * prop) {
-    uint32_t i;
-    for (i = 0; i < prop->name_size/2; i++){
-        fprintf(stderr, "%c", prop->name[i * 2]);
-    }
-    fprintf(stderr, "\n");
-}
-#endif
-
 /*
  * File Information Block Base.
  * Naming is consistent with 
@@ -727,28 +717,27 @@ const char * const AES128_ENCRYPTION = "EncryptedWithAES128";
 const char * const AES192_ENCRYPTION = "EncryptedWithAES192";
 const char * const AES256_ENCRYPTION = "EncryptedWithAES256";
 
-
+const uint16_t XLS_XOR_OBFUSCATION = 0;
+const uint16_t XLS_RC4_ENCRYPTION = 1;
+const uint32_t MINISTREAM_CUTOFF_SIZE = 0x1000;
 
 static uint32_t get_stream_data_offset(ole2_header_t * hdr, const property_t * word_block, uint16_t sector) {
     uint32_t offset = (1 << hdr->log2_big_block_size);
     uint32_t sector_size = offset;
     uint32_t fib_offset = 0;
 
-#define MINISTREAM_CUTOFF_SIZE 0x1000
     if (word_block->size < MINISTREAM_CUTOFF_SIZE){
         fib_offset = offset + sector_size * hdr->sbat_root_start;
         fib_offset += (word_block->start_block * (1 << hdr->log2_small_block_size));
-fprintf(stderr, "%s::%d::MINISTREAM!!!!!!!!!!\n", __FUNCTION__, __LINE__);
     } else {
         fib_offset = offset + sector_size * sector;
-fprintf(stderr, "%s::%d::NOT MINISTREAM!!!!!!!!!!\n", __FUNCTION__, __LINE__);
     }
 
     return fib_offset;
 }
 
 
-static void test_for_encryption(cli_ctx * ctx, const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
+static void test_for_encryption(const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
 
     const uint8_t * ptr = NULL;
     fib_base_t fib = {0};
@@ -778,24 +767,11 @@ static void test_for_encryption(cli_ctx * ctx, const property_t * word_block, ol
      * a document is obfuscated with xor
      * (is_obfuscated function)
      */
-#if 0
-    bRet = is_encrypted(&fib);
-    if (bRet){
-        /*Only inserts metadata if there is encryption.*/
-        insert_metadata(ctx, "Ole2Encrypted", true);
-        print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-    }
-
-    return bRet;
-#else
     pEncryptionStatus->encrypted = is_encrypted(&fib);
 
     if (is_obfuscated(&fib)) {
         pEncryptionStatus->encryption_type = XOR_OBFUSCATION;
     }
-
-#endif
-
 }
 
 static bool read_uint16(const uint8_t * const ptr, uint32_t ptr_size, uint32_t * idx, uint16_t * dst){
@@ -839,7 +815,7 @@ static bool find_file_pass(const uint8_t * const ptr, uint32_t ptr_size, uint32_
  * Search for the FilePass structure.
  * https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/cf9ae8d5-4e8c-40a2-95f1-3b31f16b5529
  */
-static void test_for_xls_encryption(cli_ctx * ctx, const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
+static void test_for_xls_encryption(const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
     uint16_t tmp16;
     uint32_t idx;
 
@@ -878,28 +854,13 @@ static void test_for_xls_encryption(cli_ctx * ctx, const property_t * word_block
         return;
     }
 
-#define XLS_XOR_OBFUSCATION 0
-#define XLS_RC4_ENCRYPTION 1
-
-#if 0
-    bRet = ((XLS_RC4_ENCRYPTION == tmp16) || (XLS_XOR_OBFUSCATION == tmp16));
-    if (bRet){
-        /*Only inserts metadata if there is encryption.*/
-        insert_metadata(ctx, "Ole2Encrypted", true);
-        print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-    }
-
-    return bRet;
-#else
-
     if (XLS_RC4_ENCRYPTION == tmp16) {
         pEncryptionStatus->encryption_type = RC4_ENCRYPTION;
         pEncryptionStatus->encrypted = true;
     } else if (XLS_XOR_OBFUSCATION == tmp16) {
         pEncryptionStatus->encryption_type = XOR_OBFUSCATION;
         pEncryptionStatus->encrypted = true;
     }
-#endif
 }
 
 
@@ -1006,25 +967,15 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t
         }
 
         if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "WORDDocument")){
-            test_for_encryption(ctx, &(prop_block[idx]), hdr, pEncryptionStatus);
+            test_for_encryption(&(prop_block[idx]), hdr, pEncryptionStatus);
         } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "WorkBook")){
-            test_for_xls_encryption(ctx, &(prop_block[idx]), hdr, pEncryptionStatus);
+            test_for_xls_encryption(&(prop_block[idx]), hdr, pEncryptionStatus);
         } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "PowerPoint Document")){
-            test_for_encryption(ctx, &(prop_block[idx]), hdr, pEncryptionStatus);
+            test_for_encryption(&(prop_block[idx]), hdr, pEncryptionStatus);
         } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "EncryptionInfo")){
-#if 0
-            insert_metadata(ctx, "Ole2Encrypted", 1);
-            print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-#else
             pEncryptionStatus->encrypted = true;
-#endif
         } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "EncryptedPackage")){
-#if 0
-            insert_metadata(ctx, "Ole2Encrypted", 1);
-            print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-#else
             pEncryptionStatus->encrypted = true;
-#endif
         }
 
         ole2_listmsg("printing ole2 property\n");
@@ -1182,34 +1133,6 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t
         ole2_listmsg("loop ended: %d %d\n", ole2_list_size(&node_list), ole2_list_is_empty(&node_list));
     }
 
-#if 0
-    {
-        property_t * root_node_ptr = &(prop_block[0]);
-        fprintf(stderr, "%s::%d::DUMPING\n", __FUNCTION__, __LINE__);
-        size_t i = 0;
-        fprintf(stderr, "%s::%d::%d::", __FUNCTION__, __LINE__, root_node_ptr->name_size);
-        for (i = 0; i < root_node_ptr->name_size/2; i++){
-            fprintf(stderr, "%c", root_node_ptr->name[i * 2]);
-        }
-        fprintf(stderr, "\n");
-        for (i = 0; i < sizeof(prop_block) / sizeof(prop_block[0]); i++){
-            fprintf(stderr, "%s::%d::%ls\n", __FUNCTION__, __LINE__, (wchar_t*) (prop_block[i].name));
-
-            if (0 == ole2_cmp_name(prop_block[i].name, prop_block[i].name_size, "WORDDocument")){
-                fprintf(stderr, "%s::%d::FOUND IT HERE!!!!!\n", __FUNCTION__, __LINE__);
-
-            }
-#if 0
-            if (0 == wcscasecmp(prop_block[i].name, L"WordDocument")){
-                fprintf(stderr, "%s::%d::%lu::FOUND IT\n", __FUNCTION__, __LINE__, i);
-            }
-#endif
-        }
-
-        fprintf(stderr, "%s::%d::END DUMPING\n", __FUNCTION__, __LINE__);
-    }
-#endif
-
     ole2_list_delete(&node_list);
     return CL_SUCCESS;
 }
@@ -2637,7 +2560,6 @@ static bool verify_key_aes(const encryption_key_t *const key, encryption_verifie
  *
  */
 static bool initialize_encryption_key(
-        cli_ctx * ctx,
     const uint8_t *encryptionInfoStreamPtr,
     size_t remainingBytes,
     encryption_key_t *encryptionKey, 
@@ -2836,46 +2758,6 @@ static bool initialize_encryption_key(
     if (pEncryptionStatus->encryption_type){
         pEncryptionStatus->encrypted = true;
     }
-#if 0
-    if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) {
-        if (NULL != jsonKey) {
-            if (ctx->wrkproperty == ctx->properties) {
-                cli_jsonint(ctx->wrkproperty, jsonKey, true);
-            }
-        }
-
-        cli_dbgmsg("Encrypted with VelvetSweatshop: %d\n", bRet);
-        if (ctx->wrkproperty == ctx->properties) {
-            cli_jsonint(ctx->wrkproperty, "EncryptedWithVelvetSweatshop", bRet);
-        }
-    }
-#else
-#if 0
-    insert_metadata(ctx, jsonKey, true);
-    insert_metadata(ctx, "EncryptedWithVelvetSweatshop", bRet);
-#else
-    fprintf(stderr, "%s::%d::Move to bottom\n", __FUNCTION__, __LINE__);
-#endif
-#endif
-
-#if 0
-    if (SCAN_HEURISTIC_ENCRYPTED_DOC && (NULL != jsonKey)) {
-        cl_error_t status = cli_append_potentially_unwanted(ctx, "Heuristics.Encrypted.OLE2");
-        if (CL_SUCCESS  != status) {
-            cli_errmsg("OLE2 : Unable to warn potentially unwanted signature '%s'\n", "Heuristics.Encrypted.OLE2");
-        }
-    }
-#else
-#if 0
-    if (jsonKey){
-        print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-    } else if (bRet){
-        print_heuristic(ctx, "Heuristics.Encrypted.OLE2.VelvetSweatshop");
-    }
-#else
-    fprintf(stderr, "%s::%d::Move to bottom\n", __FUNCTION__, __LINE__);
-#endif
-#endif
 
     return bRet;
 }
@@ -3001,18 +2883,10 @@ cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **fil
     encryption_offset = 4 * (1 << hdr.log2_big_block_size);
     if ((encryption_offset + sizeof(encryption_info_stream_standard_t)) <= hdr.m_length) {
 
-        bEncrypted = initialize_encryption_key(ctx,
+        bEncrypted = initialize_encryption_key(
             &(((const uint8_t *)phdr)[encryption_offset]),
             hdr.m_length - encryption_offset,
             &key, &encryption_status);
-
-#if 0
-        cli_dbgmsg("Encrypted with VelvetSweatshop: %d\n", bEncrypted);
-
-        if (ctx->wrkproperty == ctx->properties) {
-            cli_jsonint(ctx->wrkproperty, "EncryptedWithVelvetSweatshop", bEncrypted);
-        }
-#endif
     }
 
     /* 8 SBAT blocks per file block */