diff --git a/libclamav/ole2_extract.c b/libclamav/ole2_extract.c
index 9b0ec259b8..e489d859b4 100644
--- a/libclamav/ole2_extract.c
+++ b/libclamav/ole2_extract.c
@@ -638,16 +638,6 @@ static int ole2_cmp_name(const char * const name, uint32_t name_size, const char
 return strcasecmp(decoded, keyword);
 }
-#if 0
-static void print_name(const property_t * prop) {
- uint32_t i;
- for (i = 0; i < prop->name_size/2; i++){
- fprintf(stderr, "%c", prop->name[i * 2]);
- }
- fprintf(stderr, "\n");
-}
-#endif
-
 /*
 * File Information Block Base.
 * Naming is consistent with
@@ -727,28 +717,27 @@ const char * const AES128_ENCRYPTION = "EncryptedWithAES128";
 const char * const AES192_ENCRYPTION = "EncryptedWithAES192";
 const char * const AES256_ENCRYPTION = "EncryptedWithAES256";
-
+const uint16_t XLS_XOR_OBFUSCATION = 0;
+const uint16_t XLS_RC4_ENCRYPTION = 1;
+const uint32_t MINISTREAM_CUTOFF_SIZE = 0x1000;
 static uint32_t get_stream_data_offset(ole2_header_t * hdr, const property_t * word_block, uint16_t sector) {
 uint32_t offset = (1 << hdr->log2_big_block_size);
 uint32_t sector_size = offset;
 uint32_t fib_offset = 0;
-#define MINISTREAM_CUTOFF_SIZE 0x1000
 if (word_block->size < MINISTREAM_CUTOFF_SIZE){
 fib_offset = offset + sector_size * hdr->sbat_root_start;
 fib_offset += (word_block->start_block * (1 << hdr->log2_small_block_size));
-fprintf(stderr, "%s::%d::MINISTREAM!!!!!!!!!!\n", __FUNCTION__, __LINE__);
 } else {
 fib_offset = offset + sector_size * sector;
-fprintf(stderr, "%s::%d::NOT MINISTREAM!!!!!!!!!!\n", __FUNCTION__, __LINE__);
 }
 return fib_offset;
 }
-static void test_for_encryption(cli_ctx * ctx, const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
+static void test_for_encryption(const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
 const uint8_t * ptr = NULL;
 fib_base_t fib = {0};
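Review bot: The three constants added at the top of the second hunk (`XLS_XOR_OBFUSCATION`, `XLS_RC4_ENCRYPTION`, `MINISTREAM_CUTOFF_SIZE`) replace file-local `#define`s with file-scope `const` objects that have external linkage, so they become exported symbols of the library and can collide with any other translation unit that defines the same names; the `AES*_ENCRYPTION` strings just above them follow the same pattern, so this may be deliberate, but `static const uint16_t XLS_XOR_OBFUSCATION = 0;` (and likewise for the other two) keeps them private at no cost. If any of them is ever needed as an integer constant expression (a `case` label, an array bound, or a `#if`), an `enum` is the C11-portable form, since a `const` object is not one. The removed `fprintf` calls in `get_stream_data_offset` are a straightforward clean-up; `test_for_encryption`'s body continues past the end of the hunk.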
@@ -778,24 +767,11 @@ static void test_for_encryption(cli_ctx * ctx, const property_t * word_block, ol
 * a document is obfuscated with xor
 * (is_obfuscated function) */
-#if 0
- bRet = is_encrypted(&fib);
- if (bRet){
- /*Only inserts metadata if there is encryption.*/
- insert_metadata(ctx, "Ole2Encrypted", true);
- print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
- }
-
- return bRet;
-#else
 pEncryptionStatus->encrypted = is_encrypted(&fib);
 if (is_obfuscated(&fib)) {
 pEncryptionStatus->encryption_type = XOR_OBFUSCATION;
 }
-
-#endif
-
 }
 static bool read_uint16(const uint8_t * const ptr, uint32_t ptr_size, uint32_t * idx, uint16_t * dst){
@@ -839,7 +815,7 @@ static bool find_file_pass(const uint8_t * const ptr, uint32_t ptr_size, uint32_
 * Search for the FilePass structure.
 * https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/cf9ae8d5-4e8c-40a2-95f1-3b31f16b5529
 */
-static void test_for_xls_encryption(cli_ctx * ctx, const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
+static void test_for_xls_encryption(const property_t * word_block, ole2_header_t * hdr, encryption_status_t * pEncryptionStatus) {
 uint16_t tmp16;
 uint32_t idx;
@@ -878,20 +854,6 @@ static void test_for_xls_encryption(cli_ctx * ctx, const property_t * word_block
 return;
 }
-#define XLS_XOR_OBFUSCATION 0
-#define XLS_RC4_ENCRYPTION 1
-
-#if 0
- bRet = ((XLS_RC4_ENCRYPTION == tmp16) || (XLS_XOR_OBFUSCATION == tmp16));
- if (bRet){
- /*Only inserts metadata if there is encryption.*/
- insert_metadata(ctx, "Ole2Encrypted", true);
- print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
- }
-
- return bRet;
-#else
-
 if (XLS_RC4_ENCRYPTION == tmp16) {
 pEncryptionStatus->encryption_type = RC4_ENCRYPTION;
 pEncryptionStatus->encrypted = true;
@@ -899,7 +861,6 @@ static void test_for_xls_encryption(cli_ctx * ctx, const property_t * word_block
 pEncryptionStatus->encryption_type = XOR_OBFUSCATION;
 pEncryptionStatus->encrypted = true;
 }
-#endif
 }
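Review bot: In the first hunk, `pEncryptionStatus->encrypted = is_encrypted(&fib);` in `test_for_encryption` is a plain assignment, so a `WordDocument` or `PowerPoint Document` entry whose FIB is not flagged clears an `encrypted` flag that an earlier `EncryptionInfo` or `EncryptedPackage` entry set in `ole2_walk_property_tree` (the hunk that follows this one); the status struct is shared across the whole tree walk and a crafted container can carry those stream names in any order, so this write should only ever raise the flag, e.g. `if (is_encrypted(&fib)) { pEncryptionStatus->encrypted = true; }`. The XOR branch below it sets only `encryption_type`, whereas the last hunk here shows `test_for_xls_encryption` setting both `encryption_type` and `encrypted` for the same condition; if XOR-obfuscated Word/PowerPoint documents are meant to count as encrypted, `pEncryptionStatus->encrypted = true;` belongs in that branch too, and if not, a one-line comment stating why the two paths differ would stop the next reader from "fixing" it. The bodies of `test_for_encryption` and `test_for_xls_encryption` both start before the hunks that change them.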
@@ -1006,25 +967,15 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t
 }
 if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "WORDDocument")){
- test_for_encryption(ctx, &(prop_block[idx]), hdr, pEncryptionStatus);
+ test_for_encryption(&(prop_block[idx]), hdr, pEncryptionStatus);
 } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "WorkBook")){
- test_for_xls_encryption(ctx, &(prop_block[idx]), hdr, pEncryptionStatus);
+ test_for_xls_encryption(&(prop_block[idx]), hdr, pEncryptionStatus);
 } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "PowerPoint Document")){
- test_for_encryption(ctx, &(prop_block[idx]), hdr, pEncryptionStatus);
+ test_for_encryption(&(prop_block[idx]), hdr, pEncryptionStatus);
 } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "EncryptionInfo")){
-#if 0
- insert_metadata(ctx, "Ole2Encrypted", 1);
- print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-#else
 pEncryptionStatus->encrypted = true;
-#endif
 } else if (0 == ole2_cmp_name(prop_block[idx].name, prop_block[idx].name_size, "EncryptedPackage")){
-#if 0
- insert_metadata(ctx, "Ole2Encrypted", 1);
- print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
-#else
 pEncryptionStatus->encrypted = true;
-#endif
 }
 ole2_listmsg("printing ole2 property\n");
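Review bot: The `PowerPoint Document` branch calls `test_for_encryption`, which, judging by the `fib_base_t` it fills in the earlier hunk, reads the stream as a Word File Information Block; nothing on this page establishes that the PowerPoint Document stream begins with a compatible header, and if it does not, the encryption and obfuscation bits are being read from unrelated bytes, so the result could be a false encrypted flag or a missed one. Presumably this was the behaviour before the `ctx` parameter was dropped and is not introduced by this commit, but it deserves either a dedicated check or an explicit note on the branch such as `/* NOTE(review): confirm the PowerPoint Document stream header matches fib_base_t before trusting this result */`. The enclosing `ole2_walk_property_tree` starts and ends outside the hunk.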
@@ -1182,34 +1133,6 @@ static int ole2_walk_property_tree(ole2_header_t *hdr, const char *dir, int32_t
 ole2_listmsg("loop ended: %d %d\n", ole2_list_size(&node_list), ole2_list_is_empty(&node_list));
 }
-#if 0
- {
- property_t * root_node_ptr = &(prop_block[0]);
- fprintf(stderr, "%s::%d::DUMPING\n", __FUNCTION__, __LINE__);
- size_t i = 0;
- fprintf(stderr, "%s::%d::%d::", __FUNCTION__, __LINE__, root_node_ptr->name_size);
- for (i = 0; i < root_node_ptr->name_size/2; i++){
- fprintf(stderr, "%c", root_node_ptr->name[i * 2]);
- }
- fprintf(stderr, "\n");
- for (i = 0; i < sizeof(prop_block) / sizeof(prop_block[0]); i++){
- fprintf(stderr, "%s::%d::%ls\n", __FUNCTION__, __LINE__, (wchar_t*) (prop_block[i].name));
-
- if (0 == ole2_cmp_name(prop_block[i].name, prop_block[i].name_size, "WORDDocument")){
- fprintf(stderr, "%s::%d::FOUND IT HERE!!!!!\n", __FUNCTION__, __LINE__);
-
- }
-#if 0
- if (0 == wcscasecmp(prop_block[i].name, L"WordDocument")){
- fprintf(stderr, "%s::%d::%lu::FOUND IT\n", __FUNCTION__, __LINE__, i);
- }
-#endif
- }
-
- fprintf(stderr, "%s::%d::END DUMPING\n", __FUNCTION__, __LINE__);
- }
-#endif
-
 ole2_list_delete(&node_list);
 return CL_SUCCESS;
 }
@@ -2637,7 +2560,6 @@ static bool verify_key_aes(const encryption_key_t *const key, encryption_verifie
 *
 */
 static bool initialize_encryption_key(
- cli_ctx * ctx,
 const uint8_t *encryptionInfoStreamPtr,
 size_t remainingBytes,
 encryption_key_t *encryptionKey,
@@ -2836,46 +2758,6 @@ static bool initialize_encryption_key(
 if (pEncryptionStatus->encryption_type){
 pEncryptionStatus->encrypted = true;
 }
-#if 0
- if (SCAN_COLLECT_METADATA && (ctx->wrkproperty != NULL)) {
- if (NULL != jsonKey) {
- if (ctx->wrkproperty == ctx->properties) {
- cli_jsonint(ctx->wrkproperty, jsonKey, true);
- }
- }
-
- cli_dbgmsg("Encrypted with VelvetSweatshop: %d\n", bRet);
- if (ctx->wrkproperty == ctx->properties) {
- cli_jsonint(ctx->wrkproperty, "EncryptedWithVelvetSweatshop", bRet);
- }
- }
-#else
-#if 0
- insert_metadata(ctx, jsonKey, true);
- insert_metadata(ctx, "EncryptedWithVelvetSweatshop", bRet);
-#else
- fprintf(stderr, "%s::%d::Move to bottom\n", __FUNCTION__, __LINE__);
-#endif
-#endif
-
-#if 0
- if (SCAN_HEURISTIC_ENCRYPTED_DOC && (NULL != jsonKey)) {
- cl_error_t status = cli_append_potentially_unwanted(ctx, "Heuristics.Encrypted.OLE2");
- if (CL_SUCCESS != status) {
- cli_errmsg("OLE2 : Unable to warn potentially unwanted signature '%s'\n", "Heuristics.Encrypted.OLE2");
- }
- }
-#else
-#if 0
- if (jsonKey){
- print_heuristic(ctx, "Heuristics.Encrypted.OLE2");
- } else if (bRet){
- print_heuristic(ctx, "Heuristics.Encrypted.OLE2.VelvetSweatshop");
- }
-#else
- fprintf(stderr, "%s::%d::Move to bottom\n", __FUNCTION__, __LINE__);
-#endif
-#endif
 return bRet;
 }
@@ -3001,18 +2883,10 @@ cl_error_t cli_ole2_extract(const char *dirname, cli_ctx *ctx, struct uniq **fil
 encryption_offset = 4 * (1 << hdr.log2_big_block_size);
 if ((encryption_offset + sizeof(encryption_info_stream_standard_t)) <= hdr.m_length) {
- bEncrypted = initialize_encryption_key(ctx,
+ bEncrypted = initialize_encryption_key(
 &(((const uint8_t *)phdr)[encryption_offset]),
 hdr.m_length - encryption_offset,
 &key,
 &encryption_status);
-
-#if 0
- cli_dbgmsg("Encrypted with VelvetSweatshop: %d\n", bEncrypted);
-
- if (ctx->wrkproperty == ctx->properties) {
- cli_jsonint(ctx->wrkproperty, "EncryptedWithVelvetSweatshop", bEncrypted);
- }
-#endif
 }
 /* 8 SBAT blocks per file block */