mirror of
				https://github.com/Cisco-Talos/clamav.git
				synced 2025-10-26 05:34:11 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			1226 lines
		
	
	
	
		
			30 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			1226 lines
		
	
	
	
		
			30 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /*
 | |
|  *  Copyright (C) 2004 Trog <trog@uncon.org>
 | |
|  *
 | |
|  *  This program is free software; you can redistribute it and/or modify
 | |
|  *  it under the terms of the GNU General Public License as published by
 | |
|  *  the Free Software Foundation; either version 2 of the License, or
 | |
|  *  (at your option) any later version.
 | |
|  *
 | |
|  *  This program is distributed in the hope that it will be useful,
 | |
|  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 | |
|  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 | |
|  *  GNU General Public License for more details.
 | |
|  *
 | |
|  *  You should have received a copy of the GNU General Public License
 | |
|  *  along with this program; if not, write to the Free Software
 | |
|  *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 | |
|  *  MA 02110-1301, USA.
 | |
|  */
 | |
| 
 | |
| #if HAVE_CONFIG_H
 | |
| #include "clamav-config.h"
 | |
| #endif
 | |
| 
 | |
| #include <stdio.h>
 | |
| #include <string.h>
 | |
| #include <stdlib.h>
 | |
| #ifdef HAVE_UNISTD_H
 | |
| #include <unistd.h>
 | |
| #endif
 | |
| #include <sys/types.h>
 | |
| #include <sys/stat.h>
 | |
| #include <fcntl.h>
 | |
| #include <dirent.h>
 | |
| #include <ctype.h>
 | |
| 
 | |
| #include "libclamav/clamav.h"
 | |
| #include "libclamav/vba_extract.h"
 | |
| #include "libclamav/cltypes.h"
 | |
| #include "libclamav/ole2_extract.h"
 | |
| #include "shared/output.h"
 | |
| 
 | |
| #include "vba.h"
 | |
| 
 | |
| typedef struct mac_token_tag
 | |
| {
 | |
|     unsigned char token;
 | |
|     const char *str;
 | |
| } mac_token_t;
 | |
| 
 | |
| typedef struct mac_token2_tag
 | |
| {
 | |
|     uint16_t token;
 | |
|     const char *str;
 | |
| 
 | |
| } mac_token2_t;
 | |
| 
 | |
| cli_ctx *convenience_ctx(int fd) {
 | |
|     cli_ctx *ctx;
 | |
|     struct cl_engine *engine;
 | |
| 
 | |
|     ctx = malloc(sizeof(*ctx));
 | |
|     if(!ctx){
 | |
| 	printf("ctx malloc failed\n");
 | |
|         return NULL;
 | |
|     }
 | |
| 
 | |
|     ctx->engine = engine = cl_engine_new();
 | |
|     if(!(ctx->engine)){	    
 | |
| 	printf("engine malloc failed\n");
 | |
|         free(ctx);
 | |
| 	return NULL;
 | |
|     }	
 | |
| 
 | |
|     ctx->fmap = cli_malloc(sizeof(struct F_MAP *));
 | |
|     if(!(ctx->fmap)){
 | |
| 	printf("fmap malloc failed\n");
 | |
|         free(engine);
 | |
|         free(ctx);
 | |
| 	return NULL;
 | |
|     }
 | |
| 
 | |
|     if(!(*ctx->fmap = fmap(fd, 0, 0))){
 | |
| 	printf("fmap failed\n");
 | |
| 	free(ctx->fmap);
 | |
| 	free(engine);
 | |
|         free(ctx);
 | |
| 	return NULL;
 | |
|     }
 | |
|     return ctx;
 | |
| }
 | |
| 
 | |
| void destroy_ctx(int desc, cli_ctx *ctx) {
 | |
|     funmap(*(ctx->fmap));
 | |
|     if (desc >= 0)
 | |
|         close(desc);
 | |
|     free(ctx->fmap);
 | |
|     cl_engine_free((struct cl_engine *)ctx->engine);
 | |
|     free(ctx);
 | |
| }
 | |
| 
 | |
| int sigtool_vba_scandir(const char *dirname, int hex_output, struct uniq *U);
 | |
| 
 | |
| static char *get_unicode_name (char *name, int size)
 | |
| {
 | |
|     int i, j;
 | |
|     char *newname;
 | |
| 
 | |
|     if (*name == 0 || size <= 0) {
 | |
| 	return NULL;
 | |
|     }
 | |
| 
 | |
|     newname = (char *) malloc (size * 2);
 | |
|     if (!newname) {
 | |
| 	return NULL;
 | |
|     }
 | |
|     j = 0;
 | |
|     for (i = 0; i < size; i = i + 2) {
 | |
| 	if (isprint (name[i])) {
 | |
| 	    newname[j++] = name[i];
 | |
| 	} else {
 | |
| 	    if (name[i] < 10 && name[i] >= 0) {
 | |
| 		newname[j++] = '_';
 | |
| 		newname[j++] = name[i] + '0';
 | |
| 	    }
 | |
| 	    newname[j++] = '_';
 | |
| 	}
 | |
|     }
 | |
|     newname[j] = '\0';
 | |
|     return newname;
 | |
| }
 | |
| 
 | |
| static void output_token (unsigned char token)
 | |
| {
 | |
|     int i;
 | |
|     mac_token_t mac_token[] = {
 | |
| 	{0x01, "-"},
 | |
| 	{0x02, "Not"},
 | |
| 	{0x03, "And"},
 | |
| 	{0x04, "Or"},
 | |
| 	{0x05, "("},
 | |
| 	{0x06, ")"},
 | |
| 	{0x07, "+"},
 | |
| 	{0x08, "-"},
 | |
| 	{0x09, "/"},
 | |
| 	{0x0a, "*"},
 | |
| 	{0x0b, "Mod"},
 | |
| 	{0x0c, "="},
 | |
| 	{0x0d, "<>"},
 | |
| 	{0x0e, "<"},
 | |
| 	{0x0f, ">"},
 | |
| 	{0x10, "<="},
 | |
| 	{0x11, ">="},
 | |
| 	{0x12, ","},
 | |
| 	{0x18, "Resume"},
 | |
| 	{0x19, ":"},
 | |
| 	{0x1a, "End"},
 | |
| 	{0x1b, "Sub"},
 | |
| 	{0x1c, "Function"},
 | |
| 	{0x1d, "If"},
 | |
| 	{0x1e, "Then"},
 | |
| 	{0x1f, "ElseIf"},
 | |
| 	{0x20, "Else"},
 | |
| 	{0x21, "While"},
 | |
| 	{0x22, "Wend"},
 | |
| 	{0x23, "For"},
 | |
| 	{0x24, "To"},
 | |
| 	{0x25, "Step"},
 | |
| 	{0x26, "Next"},
 | |
| 	{0x28, ";"},
 | |
| 	{0x29, "Call"},
 | |
| 	{0x2a, "Goto"},
 | |
| 	{0x2c, "On"},
 | |
| 	{0x2d, "Error"},
 | |
| 	{0x2e, "Let"},
 | |
| 	{0x2f, "Dim"},
 | |
| 	{0x30, "Shared"},
 | |
| 	{0x31, "Select"},
 | |
| 	{0x32, "Is"},
 | |
| 	{0x33, "Case"},
 | |
| 	{0x34, "As"},
 | |
| 	{0x35, "Redim"},
 | |
| 	{0x36, "Print"},
 | |
| 	{0x37, "Input"},
 | |
| 	{0x38, "Line"},
 | |
| 	{0x39, "Write"},
 | |
| 	{0x3a, "Name"},
 | |
| 	{0x3b, "Output"},
 | |
| 	{0x3c, "Append"},
 | |
| 	{0x3d, "Open"},
 | |
| 	{0x3e, "GetCurValues"},
 | |
| 	{0x3f, "Dialog"},
 | |
| 	{0x40, "Super"},
 | |
| 	{0x41, "Declare"},
 | |
| 	{0x42, "Double"},
 | |
| 	{0x43, "Integer"},
 | |
| 	{0x44, "Long"},
 | |
| 	{0x45, "Single"},
 | |
| 	{0x46, "String"},
 | |
| 	{0x47, "Cdecl"},
 | |
| 	{0x48, "Alias"},
 | |
| 	{0x49, "Any"},
 | |
| 	{0x4a, "ToolsGetSpelling"},
 | |
| 	{0x4b, "ToolsGetSynonyms"},
 | |
| 	{0x4c, "Close"},
 | |
| 	{0x4d, "Begin"},
 | |
| 	{0x4e, "Lib"},
 | |
| 	{0x4f, "Read"},
 | |
| 	{0x50, "CheckDialog"},
 | |
| 	{0x51, " "},		/* not sure about this one - some white space */
 | |
| 	{0x52, "\t"},
 | |
| 	{0x54, "EndIf"},
 | |
| 	{0x64, "\n"},
 | |
| 	{0x71, "#"},
 | |
| 	{0x72, "\\"},
 | |
| 	{0x00, NULL},
 | |
|     };
 | |
| 
 | |
|     for (i = 0; mac_token[i].token != 0x00; i++) {
 | |
| 	if (token == mac_token[i].token) {
 | |
| 	    printf (" %s ", mac_token[i].str);
 | |
| 	    return;
 | |
| 	}
 | |
|     }
 | |
|     printf ("[#0x%x]", token);
 | |
|     return;
 | |
| }
 | |
| 
 | |
| static void output_token67 (uint16_t token)
 | |
| {
 | |
|     int i;
 | |
|     mac_token2_t mac_token[] = {
 | |
| 	{0x0004, "HelpActivateWindow"},
 | |
| 	{0x0009, "HelpAbout"},
 | |
| 	{0x000c, "ShrinkFont"},
 | |
| 	{0x0016, "NextWindow"},
 | |
| 	{0x0017, "PrevWindow"},
 | |
| 	{0x001c, "DeleteWord"},
 | |
| 	{0x001e, "EditClear"},
 | |
| 	{0x0045, "GoBack"},
 | |
| 	{0x0046, "SaveTemplate"},
 | |
| 	{0x0048, "Cancel"},
 | |
| 	{0x004e, "DocumentStatistics"},
 | |
| 	{0x004f, "FileNew"},
 | |
| 	{0x0050, "FileOpen"},
 | |
| 	{0x0053, "FileSave"},
 | |
| 	{0x0054, "FileSaveAs"},
 | |
| 	{0x0056, "FileSummaryInfo"},
 | |
| 	{0x0057, "FileTemplates"},
 | |
| 	{0x0058, "FilePrint"},
 | |
| 	{0x0061, "FilePrintSetup"},
 | |
| 	{0x0063, "FileFind"},
 | |
| 	{0x006c, "EditCut"},
 | |
| 	{0x006d, "EditCopy"},
 | |
| 	{0x006e, "EditPaste"},
 | |
| 	{0x0070, "EditFind"},
 | |
| 	{0x0074, "EditFindClearFormatting"},
 | |
| 	{0x0075, "EditReplace"},
 | |
| 	{0x0079, "EditReplaceClearFormatting"},
 | |
| 	{0x007a, "EditGoTo"},
 | |
| 	{0x007b, "EditAutoText"},
 | |
| 	{0x0093, "ViewPage"},
 | |
| 	{0x0098, "ToolsCustomize"},
 | |
| 	{0x009b, "NormalViewHeaderArea"},
 | |
| 	{0x009f, "InsertBreak"},
 | |
| 	{0x00a2, "InsertSymbol"},
 | |
| 	{0x00a4, "InsertFile"},
 | |
| 	{0x00a8, "EditBookmark"},
 | |
| 	{0x00ac, "InsertObject"},
 | |
| 	{0x00ae, "FormatFont"},
 | |
| 	{0x00af, "FormatParagraph"},
 | |
| 	{0x00b2, "FilePageSetup"},
 | |
| 	{0x00bf, "ToolsSpelling"},
 | |
| 	{0x00ca, "ToolsOptions"},
 | |
| 	{0x00cc, "ToolsOptionsView"},
 | |
| 	{0x00cb, "ToolsOptionsGeneral"},
 | |
| 	{0x00d1, "ToolsOptionsSave"},
 | |
| 	{0x00d3, "ToolsOptionsSpelling"},
 | |
| 	{0x00d5, "ToolsOptionsUserInfo"},
 | |
| 	{0x00d7, "ToolsMacro"},
 | |
| 	{0x00de, "Organizer"},
 | |
| 	{0x00e1, "ToolsOptionsFileLocations"},
 | |
| 	{0x00e4, "ToolsWordCount"},
 | |
| 	{0x00e9, "DocRestore"},
 | |
| 	{0x00ed, "EditSelectAll"},
 | |
| 	{0x00f3, "ClosePane"},
 | |
| 	{0x0129, "UserDialog"},
 | |
| 	{0x012c, "CopyFile"},
 | |
| 	{0x012d, "FileNewDefault"},
 | |
| 	{0x012e, "FilePrintDefault"},
 | |
| 	{0x0143, "ViewToolbars"},
 | |
| 	{0x015d, "TextFormField"},
 | |
| 	{0x0161, "FormFieldOptions"},
 | |
| 	{0x0172, "InsertFootnote"},
 | |
| 	{0x0179, "DrawRectangle"},
 | |
| 	{0x017a, "ToolsAutoCorrect"},
 | |
| 	{0x01a4, "Connect"},
 | |
| 	{0x01a5, "WW2_EditFind"},
 | |
| 	{0x01a6, "WW2_EditReplace"},
 | |
| 	{0x01b0, "ToolsCustomizeKeyboard"},
 | |
| 	{0x01b1, "ToolsCustomizeMenus"},
 | |
| 	{0x01d2, "DrawBringToFront"},
 | |
| 	{0x01d3, "DrawSendToBack"},
 | |
| 	{0x01e3, "InsertFormField"},
 | |
| 	{0x01f7, "ToolsProtectDocument"},
 | |
| 	{0x0202, "ShrinkFontOnePoint"},
 | |
| 	{0x0209, "ToolsUnprotectDocument"},
 | |
| 	{0x022f, "DrawFlipHorizontal"},
 | |
| 	{0x0235, "FormatDrawingObject"},
 | |
| 	{0x0241, "ViewZoom"},
 | |
| 	{0x0246, "ToogleFull"},
 | |
| 	{0x024a, "NewToolbar"},
 | |
| 	{0x0265, "FileSendMail"},
 | |
| 	{0x0267, "ToolsCustomizeMenuBar"},
 | |
| 	{0x0270, "FileRoutingSlip"},
 | |
| 	{0x0273, "ChooseButtonImage"},
 | |
| 	{0x027b, "HelpTipOfTheDay"},
 | |
| 	{0x0280, "Int"},
 | |
| 	{0x0290, "MicrosoftMail"},
 | |
| 	{0x0299, "ScreenRefresh"},
 | |
| 	{0x02b0, "HelpContents"},
 | |
| 	{0x0780, "Str$"},
 | |
| 	{0x0e80, "Rnd"},
 | |
| 	{0x2580, "FileName$"},
 | |
| 	{0x2b80, "MsgBox"},
 | |
| 	{0x2c80, "Beep"},
 | |
| 	{0x5400, "FileSaveAs"},
 | |
| 	{0x5600, "FileSummaryInfo"},
 | |
| 	{0x8000, "Abs"},
 | |
| 	{0x8001, "Sgn"},
 | |
| 	{0x8002, "Int"},
 | |
| 	{0x8003, "Len"},
 | |
| 	{0x8004, "Asc"},
 | |
| 	{0x8005, "Chr$"},
 | |
| 	{0x8006, "Val"},
 | |
| 	{0x8007, "Str$"},
 | |
| 	{0x8008, "Left$"},
 | |
| 	{0x8009, "Right$"},
 | |
| 	{0x800a, "Mid$"},
 | |
| 	{0x800b, "String$"},
 | |
| 	{0x800c, "Date$"},
 | |
| 	{0x800d, "Time$"},
 | |
| 	{0x800e, "Rnd"},
 | |
| 	{0x800f, "InStr"},
 | |
| 	{0x8012, "Insert"},
 | |
| 	{0x8013, "InsertPara"},
 | |
| 	{0x8015, "Selection$"},
 | |
| 	{0x801b, "ExistingBookMark"},
 | |
| 	{0x8023, "IsDocumentDirty"},
 | |
| 	{0x8024, "SetDocumentDirty"},
 | |
| 	{0x8025, "FileName$"},
 | |
| 	{0x8026, "CountFiles"},
 | |
| 	{0x8027, "GetAutoText$"},
 | |
| 	{0x8028, "CountAutoTextEntries"},
 | |
| 	{0x802a, "SetAutoText"},
 | |
| 	{0x802b, "MsgBox"},
 | |
| 	{0x802c, "Beep"},
 | |
| 	{0x802d, "Shell"},
 | |
| 	{0x802f, "ResetPara"},
 | |
| 	{0x8032, "DocMove"},
 | |
| 	{0x8033, "DocSize"},
 | |
| 	{0x8034, "VLine"},
 | |
| 	{0x803a, "CountWindows"},
 | |
| 	{0x803b, "WindowName$"},
 | |
| 	{0x803e, "Window"},
 | |
| 	{0x8041, "AppMinimize"},
 | |
| 	{0x8042, "AppMaximize"},
 | |
| 	{0x8043, "AppRestore"},
 | |
| 	{0x8044, "DocMaximize"},
 | |
| 	{0x8045, "GetProfileString$"},
 | |
| 	{0x8046, "SetProfileString"},
 | |
| 	{0x8047, "CharColor"},
 | |
| 	{0x8048, "Bold"},
 | |
| 	{0x8049, "Italic"},
 | |
| 	{0x804e, "UnderLine"},
 | |
| 	{0x8053, "CenterPara"},
 | |
| 	{0x8054, "LeftPara"},
 | |
| 	{0x8055, "RightPara"},
 | |
| 	{0x8056, "JustifyPara"},
 | |
| 	{0x805c, "DDEInitiate"},
 | |
| 	{0x805d, "DDETerminate"},
 | |
| 	{0x8053, "DDETerminateAll"},
 | |
| 	{0x805f, "DDEExecute"},
 | |
| 	{0x8060, "DDEPoke"},
 | |
| 	{0x8061, "DDERequest$"},
 | |
| 	{0x8062, "Activate"},
 | |
| 	{0x8063, "AppActivate"},
 | |
| 	{0x8064, "SendKeys"},
 | |
| 	{0x806f, "ViewStatusBar"},
 | |
| 	{0x8071, "ViewRibbon"},
 | |
| 	{0x8073, "ViewPage"},
 | |
| 	{0x8075, "ViewNormal"},
 | |
| 	{0x8079, "Overtype"},
 | |
| 	{0x807a, "Font$"},
 | |
| 	{0x807b, "CountOfFonts"},
 | |
| 	{0x807c, "Font"},
 | |
| 	{0x807d, "FontSize"},
 | |
| 	{0x8081, "WW6_EditClear"},
 | |
| 	{0x8082, "FileList"},
 | |
| 	{0x8083, "File1"},
 | |
| 	{0x8098, "ExtendSelection"},
 | |
| 	{0x809e, "DisableInput"},
 | |
| 	{0x809f, "DocClose"},
 | |
| 	{0x80a0, "FileClose"},
 | |
| 	{0x80a1, "File$"},
 | |
| 	{0x80a2, "FileExit"},
 | |
| 	{0x80a3, "FileSaveAll"},
 | |
| 	{0x80a7, "Input$"},
 | |
| 	{0x80a8, "Seek"},
 | |
| 	{0x80a9, "Eof"},
 | |
| 	{0x80aa, "Lof"},
 | |
| 	{0x80ab, "Kill"},
 | |
| 	{0x80ac, "ChDir"},
 | |
| 	{0x80ad, "MkDir"},
 | |
| 	{0x80ae, "RmDir"},
 | |
| 	{0x80af, "UCase$"},
 | |
| 	{0x80b0, "LCase$"},
 | |
| 	{0x80b1, "InoutBox$"},
 | |
| 	{0x80b3, "OnTime"},
 | |
| 	{0x80b5, "AppInfo$"},
 | |
| 	{0x80b6, "SelInfo"},
 | |
| 	{0x80b7, "CountMacros"},
 | |
| 	{0x80b8, "MacroName"},
 | |
| 	{0x80b9, "CountFoundFiles"},
 | |
| 	{0x80ba, "FoundFileName$"},
 | |
| 	{0x80be, "MacroDesc$"},
 | |
| 	{0x80bf, "CountKeys"},
 | |
| 	{0x80c1, "KeyMacro$"},
 | |
| 	{0x80c2, "MacroCopy"},
 | |
| 	{0x80c3, "IsExecuteOnly"},
 | |
| 	{0x80c7, "OKButton"},
 | |
| 	{0x80c8, "CancelButton"},
 | |
| 	{0x80c9, "Text"},
 | |
| 	{0x80ca, "GroupBox"},
 | |
| 	{0x80cb, "OptionButton"},
 | |
| 	{0x80cc, "PushButton"},
 | |
| 	{0x80d5, "ExitWindows"},
 | |
| 	{0x80d6, "DisableAutoMacros"},
 | |
| 	{0x80d7, "EditFindFound"},
 | |
| 	{0x80d8, "CheckBox"},
 | |
| 	{0x80d9, "TextBox"},
 | |
| 	{0x80da, "ListBox"},
 | |
| 	{0x80db, "OptionGroup"},
 | |
| 	{0x80dc, "ComboBox"},
 | |
| 	{0x80de, "WindowList"},
 | |
| 	{0x80e8, "CountDirectories"},
 | |
| 	{0x80e9, "GetDirectory$"},
 | |
| 	{0x80ea, "LTrim$"},
 | |
| 	{0x80eb, "RTrim$"},
 | |
| 	{0x80ee, "Environ$"},
 | |
| 	{0x80ef, "WaitCursor"},
 | |
| 	{0x80f0, "DateSerial"},
 | |
| 	{0x80f1, "DateValue"},
 | |
| 	{0x80f2, "Day"},
 | |
| 	{0x80f4, "Hour"},
 | |
| 	{0x80f5, "Minute"},
 | |
| 	{0x80f6, "Month"},
 | |
| 	{0x80f7, "Now"},
 | |
| 	{0x80f8, "WeekdayNow"},
 | |
| 	{0x80f9, "Year"},
 | |
| 	{0x80fa, "DocWindowHeight"},
 | |
| 	{0x80fb, "DocWindowWidth"},
 | |
| 	{0x80fc, "DOSToWIN$"},
 | |
| 	{0x80fd, "WinToDOS$"},
 | |
| 	{0x80ff, "Second"},
 | |
| 	{0x8100, "TimeValue"},
 | |
| 	{0x8101, "Today"},
 | |
| 	{0x8103, "SetAttr"},
 | |
| 	{0x8105, "DocMinimize"},
 | |
| 	{0x8107, "AppActivate"},
 | |
| 	{0x8108, "AppCount"},
 | |
| 	{0x8109, "AppGetNames"},
 | |
| 	{0x810a, "AppHide"},
 | |
| 	{0x810b, "AppIsRunning"},
 | |
| 	{0x810c, "GetSystemInfo$"},
 | |
| 	{0x810d, "GetPrivateProfileString$"},
 | |
| 	{0x810e, "SetPrivateProfileString"},
 | |
| 	{0x810f, "GetAttr"},
 | |
| 	{0x8111, "ScreenUpdating"},
 | |
| 	{0x8116, "SelectCurWord"},
 | |
| 	{0x8118, "IsTemplateDirty"},
 | |
| 	{0x8119, "SetTemplateDirty"},
 | |
| 	{0x811b, "DlgEnable"},
 | |
| 	{0x811d, "DlgVisible"},
 | |
| 	{0x811f, "DlgText$"},
 | |
| 	{0x8121, "AppShow"},
 | |
| 	{0x8122, "DlgListBoxArray"},
 | |
| 	{0x8125, "Picture"},
 | |
| 	{0x8126, "DlgSetPicture"},
 | |
| 	{0x8131, "WW2_Files$"},
 | |
| 	{0x8138, "DlgFocus"},
 | |
| 	{0x813b, "BorderLineStyle"},
 | |
| 	{0x813d, "MenuItemText$"},
 | |
| 	{0x813e, "MenuItemMacro$"},
 | |
| 	{0x813f, "CountMenus"},
 | |
| 	{0x8140, "MenuText$"},
 | |
| 	{0x8141, "CountMenuItems"},
 | |
| 	{0x8145, "DocWindowPosTop"},
 | |
| 	{0x8146, "DocWindowPosLeft"},
 | |
| 	{0x8147, "Stop"},
 | |
| 	{0x8148, "DropListBox"},
 | |
| 	{0x8149, "RenameMenu"},
 | |
| 	{0x814a, "FileCloseAll"},
 | |
| 	{0x814b, "SortArray"},
 | |
| 	{0x814c, "SetDocumentVar"},
 | |
| 	{0x814d, "GetDocumentVar$"},
 | |
| 	{0x8152, "IsMacro"},
 | |
| 	{0x8153, "FileNameFromWindow$"},
 | |
| 	{0x815b, "MoveToolbar"},
 | |
| 	{0x816e, "MacID$"},
 | |
| 	{0x8170, "GetSelEndPos"},
 | |
| 	{0x8171, "SetSelRange"},
 | |
| 	{0x8172, "GetText$"},
 | |
| 	{0x8174, "DeleteButton"},
 | |
| 	{0x8175, "AddButton"},
 | |
| 	{0x8177, "DeleteAddIn"},
 | |
| 	{0x8178, "AddAddIn"},
 | |
| 	{0x8179, "GetAddInName$"},
 | |
| 	{0x817c, "ResetButtonImage"},
 | |
| 	{0x8180, "GetAddInId"},
 | |
| 	{0x8181, "CountAddIns"},
 | |
| 	{0x8182, "ClearAddIns"},
 | |
| 	{0x8183, "AddInState"},
 | |
| 	{0x818c, "DefaultDir$"},
 | |
| 	{0x818d, "FileNameInfo$"},
 | |
| 	{0x818e, "MacroFileName$"},
 | |
| 	{0x818f, "ViewHeader"},
 | |
| 	{0x8190, "ViewFooter"},
 | |
| 	{0x8192, "CopyButtonImage"},
 | |
| 	{0x8195, "CountToolbars"},
 | |
| 	{0x8196, "ToolbarName$"},
 | |
| 	{0x8198, "ChDefaultDir"},
 | |
| 	{0x8199, "EditUndo"},
 | |
| 	{0x81a0, "GetAutoCorrect$"},
 | |
| 	{0x81a2, "FileQuit"},
 | |
| 	{0x81a4, "FileConfirmConversions"},
 | |
| 	{0x81d3, "SelectionFileName$"},
 | |
| 	{0x81d9, "CountToolbarButtons"},
 | |
| 	{0x81da, "ToolbarButtonMacro$"},
 | |
| 	{0x81db, "WW2_Insert"},
 | |
| 	{0x81dc, "AtEndOfDocument"},
 | |
| 	{0x81fc, "GetDocumentProperty$"},
 | |
| 	{0x81fd, "GetDocumentProperty"},
 | |
| 	{0x8201, "DocumentPropertyName$"},
 | |
| 	{0x820e, "SpellChecked"},
 | |
| 	{0xb780, "CountMacros"},
 | |
| 	{0xb880, "MacroName$"},
 | |
| 	{0xc000, "CharLeft"},
 | |
| 	{0xc001, "CharRight"},
 | |
| 	{0xc002, "WordLeft"},
 | |
| 	{0xc003, "WordRight"},
 | |
| 	{0xc004, "EndOfLine"},
 | |
| 	{0xc007, "ParaDown"},
 | |
| 	{0xc008, "LineUp"},
 | |
| 	{0xc009, "LineDown"},
 | |
| 	{0xc00a, "PageUp"},
 | |
| 	{0xc00c, "StartOfLine"},
 | |
| 	{0xc00d, "EndOfLine"},
 | |
| 	{0xc010, "StartOfDocument"},
 | |
| 	{0xc011, "EndOfDocument"},
 | |
| 	{0xc012, "EditClear"},
 | |
| 	{0xc024, "BorderTop"},
 | |
| 	{0xc025, "BorderLeft"},
 | |
| 	{0xc026, "BorderBottom"},
 | |
| 	{0xc027, "BorderRight"},
 | |
| 	{0xc280, "MacroCopy"},
 | |
| 	{0x0000, NULL},
 | |
|     };
 | |
|     for (i = 0; mac_token[i].token != 0x0000; i++) {
 | |
| 	if (token == mac_token[i].token) {
 | |
| 	    printf ("%s", mac_token[i].str);
 | |
| 	    return;
 | |
| 	}
 | |
|     }
 | |
|     printf ("[#67(0x%x)]", token);
 | |
|     return;
 | |
| }
 | |
| 
 | |
| static void output_token73 (uint16_t token)
 | |
| {
 | |
|     int i;
 | |
|     mac_token2_t mac_token[] = {
 | |
| 	{0x0001, ".Name"},
 | |
| 	{0x0002, ".KeyCode"},
 | |
| 	{0x0003, ".Context"},
 | |
| 	{0x0004, ".ResetAll"},
 | |
| 	{0x0007, ".Menu"},
 | |
| 	{0x0008, ".MenuText"},
 | |
| 	{0x0009, ".APPUSERNAME"},
 | |
| 	{0x000b, ".Delete"},
 | |
| 	{0x000c, ".Sort"},
 | |
| 	{0x0012, ".SavedBy"},
 | |
| 	{0x0014, ".DateCreatedFrom"},
 | |
| 	{0x0015, ".DateCreatedTo"},
 | |
| 	{0x0016, ".DateSavedFrom"},
 | |
| 	{0x0017, ".DateSavedTo"},
 | |
| 	{0x0020, ".ButtonFieldClicks"},
 | |
| 	{0x0021, ".Font"},
 | |
| 	{0x0022, ".Points"},
 | |
| 	{0x0023, ".Color"},
 | |
| 	{0x0024, ".Bold"},
 | |
| 	{0x0025, ".Italic"},
 | |
| 	{0x0027, ".Hidden"},
 | |
| 	{0x0028, ".Underline"},
 | |
| 	{0x0029, ".Outline"},
 | |
| 	{0x002b, ".Position"},
 | |
| 	{0x002d, ".Spacing"},
 | |
| 	{0x002f, ".Printer"},
 | |
| 	{0x0034, ".AutoSave"},
 | |
| 	{0x0035, ".Units"},
 | |
| 	{0x0036, ".Pagination"},
 | |
| 	{0x0037, ".SummaryPrompt"},
 | |
| 	{0x0039, ".Initials"},
 | |
| 	{0x003a, ".Tabs"},
 | |
| 	{0x003b, ".Spaces"},
 | |
| 	{0x003c, ".Paras"},
 | |
| 	{0x003d, ".Hyphens"},
 | |
| 	{0x003e, ".ShowAll"},
 | |
| 	{0x0041, ".TextBoundaries"},
 | |
| 	{0x0043, ".VScroll"},
 | |
| 	{0x0046, ".PageWidth"},
 | |
| 	{0x0047, ".PageHeight"},
 | |
| 	{0x0049, ".TopMargin"},
 | |
| 	{0x004a, ".BottomMargin"},
 | |
| 	{0x004b, ".LeftMargin"},
 | |
| 	{0x004c, ".RightMargin"},
 | |
| 	{0x0052, ".Template"},
 | |
| 	{0x0059, ".RecentFileCount"},
 | |
| 	{0x005d, ".SmallCaps"},
 | |
| 	{0x0060, ".Password"},
 | |
| 	{0x0061, ".RecentFiles"},
 | |
| 	{0x0062, ".Title"},
 | |
| 	{0x0063, ".Subject"},
 | |
| 	{0x0064, ".Author"},
 | |
| 	{0x0065, ".Keywords"},
 | |
| 	{0x0066, ".Comments"},
 | |
| 	{0x0067, ".FileName"},
 | |
| 	{0x0068, ".Directory"},
 | |
| 	{0x0069, ".CreateDate"},
 | |
| 	{0x006a, ".LastSavedDate"},
 | |
| 	{0x006b, ".LastSavedBy"},
 | |
| 	{0x006c, ".RevisionNumber"},
 | |
| 	{0x006f, ".NumPages"},
 | |
| 	{0x0070, ".NumWords"},
 | |
| 	{0x0071, ".NumChars"},
 | |
| 	{0x0074, ".Rename"},
 | |
| 	{0x0075, ".NewName"},
 | |
| 	{0x0078, ".SmartQuotes"},
 | |
| 	{0x007f, ".Source"},
 | |
| 	{0x0080, ".Reference"},
 | |
| 	{0x0085, ".Insert"},
 | |
| 	{0x0086, ".Destination"},
 | |
| 	{0x0087, ".Type"},
 | |
| 	{0x0089, ".HeaderDistance"},
 | |
| 	{0x008a, ".FooterDistance"},
 | |
| 	{0x008b, ".FirstPage"},
 | |
| 	{0x008c, ".OddAndEvenPages"},
 | |
| 	{0x0091, ".Entry"},
 | |
| 	{0x0092, ".Range"},
 | |
| 	{0x0095, ".Link"},
 | |
| 	{0x0098, ".Add"},
 | |
| 	{0x009b, ".NewTemplate"},
 | |
| 	{0x009f, ".ReadOnly"},
 | |
| 	{0x00a1, ".LeftIndent"},
 | |
| 	{0x00a2, ".RightIndent"},
 | |
| 	{0x00a3, ".FirstIndent"},
 | |
| 	{0x00a5, ".After"},
 | |
| 	{0x00b9, ".NumCopies"},
 | |
| 	{0x00ba, ".From"},
 | |
| 	{0x00bb, ".To"},
 | |
| 	{0x00cb, ".Format"},
 | |
| 	{0x00cd, ".Replace"},
 | |
| 	{0x00ce, ".WholeWord"},
 | |
| 	{0x00cf, ".MatchCase"},
 | |
| 	{0x00d7, ".CreateBackup"},
 | |
| 	{0x00d8, ".LockAnnot"},
 | |
| 	{0x00d9, ".Direction"},
 | |
| 	{0x00ff, ".SuggestFromMainDictOnly"},
 | |
| 	{0x012b, ".UpdateLinks"},
 | |
| 	{0x012e, ".Update"},
 | |
| 	{0x0131, ".Text"},
 | |
| 	{0x0136, ".Description"},
 | |
| 	{0x0139, ".Setting"},
 | |
| 	{0x013b, ".AllCaps"},
 | |
| 	{0x0148, ".Category"},
 | |
| 	{0x0149, ".ConfirmConversions"},
 | |
| 	{0x014c, ".StatusBar"},
 | |
| 	{0x014d, ".PicturePlaceHolders"},
 | |
| 	{0x014e, ".FieldCodes"},
 | |
| 	{0x0150, ".Show"},
 | |
| 	{0x0156, ".FastSaves"},
 | |
| 	{0x0157, ".SaveInterval"},
 | |
| 	{0x0161, ".LineColor"},
 | |
| 	{0x017d, ".Wrap"},
 | |
| 	{0x0183, ".AutoFit"},
 | |
| 	{0x0184, ".CharNum"},
 | |
| 	{0x018b, ".View"},
 | |
| 	{0x0190, ".Options"},
 | |
| 	{0x0194, ".Find"},
 | |
| 	{0x0196, ".Path"},
 | |
| 	{0x01a8, ".Background"},
 | |
| 	{0x01a9, ".SearchPath"},
 | |
| 	{0x01ab, ".CustomDict1"},
 | |
| 	{0x01ac, ".CustomDict2"},
 | |
| 	{0x01ad, ".CustomDict3"},
 | |
| 	{0x01ae, ".CustomDict4"},
 | |
| 	{0x01b1, ".Collate"},
 | |
| 	{0x01b2, ".Shadow"},
 | |
| 	{0x01b4, ".Button"},
 | |
| 	{0x01b9, ".Remove"},
 | |
| 	{0x01ba, ".Protect"},
 | |
| 	{0x01d7, ".Store"},
 | |
| 	{0x01da, ".Class"},
 | |
| 	{0x01de, ".Hide"},
 | |
| 	{0x01df, ".Toolbar"},
 | |
| 	{0x01e0, ".ReplaceAll"},
 | |
| 	{0x01eb, ".Address"},
 | |
| 	{0x01f4, ".SelectedFile"},
 | |
| 	{0x01f5, ".Run"},
 | |
| 	{0x01f6, ".Edit"},
 | |
| 	{0x0218, ".LastSaved"},
 | |
| 	{0x0219, ".Revision"},
 | |
| 	{0x021c, ".Pages"},
 | |
| 	{0x021d, ".Words"},
 | |
| 	{0x0232, ".WPHelp"},
 | |
| 	{0x0233, ".WPDocNavKeys"},
 | |
| 	{0x0234, ".SetDesc"},
 | |
| 	{0x023d, ".CountFootNodes"},
 | |
| 	{0x0255, ".AddToMru"},
 | |
| 	{0x0262, ".NoteTypes"},
 | |
| 	{0x0272, ".With"},
 | |
| 	{0x0275, ".CustoDict5"},
 | |
| 	{0x0276, ".CustoDict6"},
 | |
| 	{0x0277, ".CustoDict7"},
 | |
| 	{0x0278, ".CustoDict8"},
 | |
| 	{0x0279, ".CustoDict9"},
 | |
| 	{0x027a, ".CustoDict10"},
 | |
| 	{0x027e, ".ErrorBeeps"},
 | |
| 	{0x0285, ".Goto"},
 | |
| 	{0x0287, ".Copy"},
 | |
| 	{0x028e, ".Caption"},
 | |
| 	{0x0299, ".AddBelow"},
 | |
| 	{0x02a4, ".Effects3d"},
 | |
| 	{0x02ac, ".MenuType"},
 | |
| 	{0x02ad, ".DraftFont"},
 | |
| 	{0x02af, ".WrapToWindow"},
 | |
| 	{0x02b0, ".Drawings"},
 | |
| 	{0x02c0, ".NumLines"},
 | |
| 	{0x02c6, ".SuperScript"},
 | |
| 	{0x02c7, ".Subscript"},
 | |
| 	{0x02c8, ".WritePassword"},
 | |
| 	{0x02c9, ".RecommendReadOnly"},
 | |
| 	{0x02ca, ".DocumentPassword"},
 | |
| 	{0x02d5, ".HelpText"},
 | |
| 	{0x02d6, ".InsertAs"},
 | |
| 	{0x02dc, ".Formatting"},
 | |
| 	{0x02de, ".InitialCaps"},
 | |
| 	{0x02df, ".SentenceCaps"},
 | |
| 	{0x02e0, ".Days"},
 | |
| 	{0x02e1, ".ReplaceText"},
 | |
| 	{0x02e4, ".Product"},
 | |
| 	{0x02f1, ".SoundsLike"},
 | |
| 	{0x02f2, ".KerningMin"},
 | |
| 	{0x02f3, ".PatternMatch"},
 | |
| 	{0x0308, ".EmbedFonts"},
 | |
| 	{0x030a, ".Width"},
 | |
| 	{0x030b, ".Height"},
 | |
| 	{0x0316, ".SendMailAttach"},
 | |
| 	{0x0318, ".Kerning"},
 | |
| 	{0x0319, ".Exit"},
 | |
| 	{0x031a, ".Enable"},
 | |
| 	{0x031b, ".OwnHelp"},
 | |
| 	{0x031c, ".OwnStat"},
 | |
| 	{0x031d, ".StatText"},
 | |
| 	{0x031e, ".FormsData"},
 | |
| 	{0x0320, ".BookMarks"},
 | |
| 	{0x0327, ".LinkStyles"},
 | |
| 	{0x032a, ".Message"},
 | |
| 	{0x032d, ".AllAtOnce"},
 | |
| 	{0x032f, ".TrackStatus"},
 | |
| 	{0x0330, ".FillColor"},
 | |
| 	{0x0332, ".FillPatternColor"},
 | |
| 	{0x033a, ".RoundCorners"},
 | |
| 	{0x0349, ".TextType"},
 | |
| 	{0x0353, ".TextWidth"},
 | |
| 	{0x0354, ".TextDefault"},
 | |
| 	{0x0355, ".TextFormat"},
 | |
| 	{0x0366, ".SearchName"},
 | |
| 	{0x0370, ".BlueScreen"},
 | |
| 	{0x0377, ".ListBy"},
 | |
| 	{0x0378, ".SubDir"},
 | |
| 	{0x0388, ".HorizontalPos"},
 | |
| 	{0x0389, ".HorizontalFrom"},
 | |
| 	{0x038a, ".VerticalPos"},
 | |
| 	{0x038b, ".VerticalFrom"},
 | |
| 	{0x038f, ".Tab"},
 | |
| 	{0x039a, ".Strikethrough"},
 | |
| 	{0x039b, ".Face"},
 | |
| 	{0x039d, ".NativePictureFormat"},
 | |
| 	{0x039e, ".FileSize"},
 | |
| 	{0x03a2, ".LineType"},
 | |
| 	{0x03a4, ".DisplayIcon"},
 | |
| 	{0x03a8, ".IconFilename"},
 | |
| 	{0x03a9, ".IconNumber"},
 | |
| 	{0x03ac, ".GlobalDotPrompt"},
 | |
| 	{0x03b2, ".NoReset"},
 | |
| 	{0x03db, ".SaveAsAOCELetter"},
 | |
| 	{0x041b, ".CapsLock"},
 | |
| 	{0x0422, ".FindAllWordForms"},
 | |
| 	{0x045e, ".VirusProtection"},
 | |
| 	{0x6200, ".Title"},
 | |
| 	{0x6300, ".Subject"},
 | |
| 	{0x6400, ".Author"},
 | |
| 	{0x6500, ".Keywords"},
 | |
| 	{0x6600, ".Comments"},
 | |
| 	{0xcb00, ".Format"},
 | |
| 	{0x0000, NULL},
 | |
|     };
 | |
| 
 | |
|     for (i = 0; mac_token[i].token != 0x0000; i++) {
 | |
| 	if (token == mac_token[i].token) {
 | |
| 	    printf ("%s", mac_token[i].str);
 | |
| 	    return;
 | |
| 	}
 | |
|     }
 | |
|     printf ("[#73(0x%x)]", token);
 | |
|     return;
 | |
| }
 | |
| 
 | |
| static void print_hex_buff (unsigned char *start, unsigned char *end, int hex_output)
 | |
| {
 | |
|     if (!hex_output) {
 | |
| 	return;
 | |
|     }
 | |
|     printf ("[clam hex:");
 | |
|     while (start < end) {
 | |
| 	printf (" %.2x", *start);
 | |
| 	start++;
 | |
|     }
 | |
|     printf ("]\n");
 | |
| }
 | |
| 
 | |
| #ifdef __GNUC__
 | |
| static void wm_decode_macro (unsigned char *buff, uint32_t len, int hex_output) __attribute__((unused));
 | |
| #endif
 | |
| static void wm_decode_macro (unsigned char *buff, uint32_t len, int hex_output)
 | |
| {
 | |
|     uint32_t i;
 | |
|     uint8_t s_length, j;
 | |
|     uint16_t w_length, int_val;
 | |
|     unsigned char *tmp_buff, *tmp_name, *line_start;
 | |
| 
 | |
|     i = 2;
 | |
|     line_start = buff;
 | |
|     while (i < len) {
 | |
| 	switch (buff[i]) {
 | |
| 	case 0x65:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    print_hex_buff (line_start, buff + i + 2 + s_length, hex_output);
 | |
| 	    printf ("\n%s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    line_start = buff + i;
 | |
| 	    break;
 | |
| 	case 0x69:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf (" %s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x6a:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf (" \"%s\"", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x6b:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf (" '%s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x6d:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf (" %s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x70:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf ("REM%s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x76:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf (" .%s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x77:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc (s_length + 1);
 | |
| 	    strncpy ((char *) tmp_buff, (char *) (buff + i + 2), s_length);
 | |
| 	    tmp_buff[s_length] = '\0';
 | |
| 	    printf ("%s", tmp_buff);
 | |
| 	    free (tmp_buff);
 | |
| 	    i += 2 + s_length;
 | |
| 	    break;
 | |
| 	case 0x79:		/* unicode "string" */
 | |
| 	    w_length = (uint16_t) (buff[i + 2] << 8) + buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc ((w_length * 2) + 1);
 | |
| 	    memcpy (tmp_buff, buff + i + 3, w_length * 2);
 | |
| 	    tmp_name = (unsigned char *) get_unicode_name ((char *) tmp_buff, w_length * 2);
 | |
| 	    free (tmp_buff);
 | |
| 	    printf ("\"%s\"", tmp_name);
 | |
| 	    free (tmp_name);
 | |
| 	    i += 3 + (w_length * 2);
 | |
| 	    break;
 | |
| 
 | |
| 	case 0x7c:		/* unicode 'string */
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    tmp_buff = (unsigned char *) malloc ((s_length * 2) + 1);
 | |
| 	    memcpy (tmp_buff, buff + i + 2, s_length * 2);
 | |
| 	    tmp_name = (unsigned char *) get_unicode_name ((char *) tmp_buff, s_length * 2);
 | |
| 	    free (tmp_buff);
 | |
| 	    printf ("'%s", tmp_name);
 | |
| 	    free (tmp_name);
 | |
| 	    i += 2 + (s_length * 2);
 | |
| 	    break;
 | |
| 
 | |
| 	case 0x66:
 | |
| 	    int_val = (uint8_t) (buff[i + 2] << 8) + buff[i + 1];
 | |
| 	    print_hex_buff (line_start, buff + i + 3, hex_output);
 | |
| 	    printf ("\n%d", int_val);
 | |
| 	    i += 3;
 | |
| 	    line_start = buff + i;
 | |
| 	    break;
 | |
| 	case 0x67:
 | |
| 	    w_length = (uint16_t) (buff[i + 2] << 8) + buff[i + 1];
 | |
| 	    output_token67 (w_length);
 | |
| 	    i += 3;
 | |
| 	    break;
 | |
| 	case 0x68:
 | |
| 	    /* 8-byte float */
 | |
| 	    printf ("(float)");
 | |
| 	    i += 9;
 | |
| 	    break;
 | |
| 	case 0x6c:
 | |
| 	    int_val = (uint16_t) (buff[i + 2] << 8) + buff[i + 1];
 | |
| 	    printf (" %d", int_val);
 | |
| 	    i += 3;
 | |
| 	    break;
 | |
| 	case 0x6e:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    for (j = 0; j < s_length; j++) {
 | |
| 		printf (" ");
 | |
| 	    }
 | |
| 	    i += 2;
 | |
| 	    break;
 | |
| 	case 0x6f:
 | |
| 	    s_length = (uint8_t) buff[i + 1];
 | |
| 	    for (j = 0; j < s_length; j++) {
 | |
| 		printf ("\t");
 | |
| 	    }
 | |
| 	    i += 2;
 | |
| 	    break;
 | |
| 	case 0x73:
 | |
| 	    w_length = (uint16_t) (buff[i + 2] << 8) + buff[i + 1];
 | |
| 	    output_token73 (w_length);
 | |
| 	    i += 3;
 | |
| 	    break;
 | |
| 	case 0x64:
 | |
| 	    print_hex_buff (line_start, buff + i + 1, hex_output);
 | |
| 	    printf ("\n");
 | |
| 	    i++;
 | |
| 	    line_start = buff + i;
 | |
| 	    break;
 | |
| 	default:
 | |
| 	    output_token (buff[i]);
 | |
| 	    i++;
 | |
| 	    break;
 | |
| 	}
 | |
|     }
 | |
|     print_hex_buff (line_start, buff + i, hex_output);
 | |
| }
 | |
| 
 | |
| static int sigtool_scandir (const char *dirname, int hex_output)
 | |
| {
 | |
|     DIR *dd;
 | |
|     struct dirent *dent;
 | |
|     STATBUF statbuf;
 | |
|     char *fname;
 | |
|     const char *tmpdir;
 | |
|     char *dir;
 | |
|     int ret = CL_CLEAN, desc;
 | |
|     cli_ctx *ctx;
 | |
| 
 | |
|     fname = NULL;
 | |
|     if ((dd = opendir (dirname)) != NULL) {
 | |
| 	while ((dent = readdir (dd))) {
 | |
| 	    if (dent->d_ino) {
 | |
| 		if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
 | |
| 		    /* build the full name */
 | |
| 		    fname = (char *) cli_calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
 | |
| 		    if(!fname){
 | |
| 		        closedir(dd);
 | |
| 		        return -1;	    
 | |
| 		    }	
 | |
| 		    sprintf (fname, "%s"PATHSEP"%s", dirname, dent->d_name);
 | |
| 
 | |
| 		    /* stat the file */
 | |
| 		    if (LSTAT (fname, &statbuf) != -1) {
 | |
| 			if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode)) {
 | |
| 			    if (sigtool_scandir (fname, hex_output)) {
 | |
| 				free (fname);
 | |
| 				closedir (dd);
 | |
| 				return CL_VIRUS;
 | |
| 			    }
 | |
| 			} else {
 | |
| 			    if (S_ISREG (statbuf.st_mode)) {
 | |
| 			        struct uniq *vba = NULL;
 | |
| 				tmpdir = cli_gettmpdir();
 | |
| 
 | |
| 				/* generate the temporary directory */
 | |
| 				dir = cli_gentemp (tmpdir);
 | |
| 				if(!dir) {
 | |
| 				    printf("cli_gentemp() failed\n");
 | |
| 				    free(fname);
 | |
| 				    closedir (dd);
 | |
| 				    return -1;
 | |
| 				}
 | |
| 
 | |
| 				if (mkdir (dir, 0700)) {
 | |
| 				    printf ("Can't create temporary directory %s\n", dir);
 | |
| 				    free(fname);
 | |
| 				    closedir (dd);
 | |
| 				    free(dir);
 | |
| 				    return CL_ETMPDIR;
 | |
| 				}
 | |
| 
 | |
| 				if ((desc = open (fname, O_RDONLY|O_BINARY)) == -1) {
 | |
| 				    printf ("Can't open file %s\n", fname);
 | |
| 				    free(fname);
 | |
| 				    closedir (dd);
 | |
| 				    free(dir);
 | |
| 				    return 1;
 | |
| 				}
 | |
| 
 | |
| 				if(!(ctx = convenience_ctx(desc))) {
 | |
| 				    free(fname);	
 | |
| 				    close(desc);
 | |
| 				    closedir(dd);
 | |
| 				    free(dir);
 | |
| 				    return 1;
 | |
| 				}
 | |
| 				if ((ret = cli_ole2_extract (dir, ctx, &vba))) {
 | |
| 				    printf ("ERROR %s\n", cl_strerror (ret));
 | |
| 				    destroy_ctx(desc, ctx);
 | |
| 				    cli_rmdirs (dir);
 | |
| 				    free (dir);
 | |
| 				    closedir (dd);
 | |
| 				    free(fname);
 | |
| 				    return ret;
 | |
| 				}
 | |
| 
 | |
| 				if(vba)
 | |
| 				    sigtool_vba_scandir (dir, hex_output, vba);
 | |
| 				destroy_ctx(desc, ctx);
 | |
| 				cli_rmdirs (dir);
 | |
| 				free (dir);
 | |
| 			    }
 | |
| 			}
 | |
| 
 | |
| 		    }
 | |
| 		    free (fname);
 | |
| 		}
 | |
| 	    }
 | |
| 	}
 | |
|     } else {
 | |
| 	logg("!Can't open directory %s.\n", dirname);
 | |
| 	return CL_EOPEN;
 | |
|     }
 | |
| 
 | |
|     closedir (dd);
 | |
|     return 0;
 | |
| }
 | |
| 
 | |
| int sigtool_vba_scandir (const char *dirname, int hex_output, struct uniq *U)
 | |
| {
 | |
|     int ret = CL_CLEAN, i, fd, data_len;
 | |
|     vba_project_t *vba_project;
 | |
|     DIR *dd;
 | |
|     struct dirent *dent;
 | |
|     STATBUF statbuf;
 | |
|     char *fullname, vbaname[1024], *hash;
 | |
|     unsigned char *data;
 | |
|     uint32_t hashcnt;
 | |
|     unsigned int j;
 | |
| 
 | |
|     hashcnt = uniq_get(U, "_vba_project", 12, NULL);
 | |
|     while(hashcnt--) {
 | |
| 	if(!(vba_project = (vba_project_t *)cli_vba_readdir(dirname, U, hashcnt))) continue;
 | |
| 
 | |
| 	for(i = 0; i < vba_project->count; i++) {
 | |
| 	    for(j = 0; j < vba_project->colls[i]; j++) {
 | |
| 		snprintf(vbaname, 1024, "%s"PATHSEP"%s_%u", vba_project->dir, vba_project->name[i], j);
 | |
| 		vbaname[sizeof(vbaname)-1] = '\0';
 | |
| 		fd = open(vbaname, O_RDONLY|O_BINARY);
 | |
| 		if(fd == -1) continue;
 | |
| 		data = (unsigned char *)cli_vba_inflate(fd, vba_project->offset[i], &data_len);
 | |
| 		close(fd);
 | |
| 
 | |
| 		if(data) {
 | |
| 		    data = (unsigned char *) realloc (data, data_len + 1);
 | |
| 		    data[data_len]='\0';
 | |
| 		    printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
 | |
| 		    free(data);
 | |
| 		}
 | |
| 	    }
 | |
| 	}
 | |
| 
 | |
| 	free(vba_project->name);
 | |
| 	free(vba_project->colls);
 | |
| 	free(vba_project->dir);
 | |
| 	free(vba_project->offset);
 | |
| 	free(vba_project);
 | |
|     }
 | |
| 
 | |
| 
 | |
|     if((hashcnt = uniq_get(U, "powerpoint document", 19, &hash))) {
 | |
| 	while(hashcnt--) {
 | |
| 	    snprintf(vbaname, 1024, "%s"PATHSEP"%s_%u", dirname, hash, hashcnt);
 | |
| 	    vbaname[sizeof(vbaname)-1] = '\0';
 | |
| 	    fd = open(vbaname, O_RDONLY|O_BINARY);
 | |
| 	    if (fd == -1) continue;
 | |
| 	    if ((fullname = cli_ppt_vba_read(fd, NULL))) {
 | |
| 	      sigtool_scandir(fullname, hex_output);
 | |
| 	      cli_rmdirs(fullname);
 | |
| 	      free(fullname);
 | |
| 	    }
 | |
| 	    close(fd);
 | |
| 	}
 | |
|     }
 | |
| 
 | |
| 
 | |
|     if ((hashcnt = uniq_get(U, "worddocument", 12, &hash))) {
 | |
| 	while(hashcnt--) {
 | |
| 	    snprintf(vbaname, sizeof(vbaname), "%s"PATHSEP"%s_%u", dirname, hash, hashcnt);
 | |
| 	    vbaname[sizeof(vbaname)-1] = '\0';
 | |
| 	    fd = open(vbaname, O_RDONLY|O_BINARY);
 | |
| 	    if (fd == -1) continue;
 | |
| 	    
 | |
| 	    if (!(vba_project = (vba_project_t *)cli_wm_readdir(fd))) {
 | |
| 		close(fd);
 | |
| 		continue;
 | |
| 	    }
 | |
| 
 | |
| 	    for (i = 0; i < vba_project->count; i++) {
 | |
| 		data_len = vba_project->length[i];
 | |
| 		data = (unsigned char *)cli_wm_decrypt_macro(fd, vba_project->offset[i], data_len , vba_project->key[i]);
 | |
| 		if(data) {
 | |
| 		    data = (unsigned char *) realloc (data, data_len + 1);
 | |
| 		    data[data_len]='\0';
 | |
| 		    printf ("-------------- start of code ------------------\n%s\n-------------- end of code ------------------\n", data);
 | |
| 		    free(data);
 | |
| 		}
 | |
| 	    }
 | |
| 
 | |
| 	    close(fd);
 | |
| 	    free(vba_project->name);
 | |
| 	    free(vba_project->colls);
 | |
| 	    free(vba_project->dir);
 | |
| 	    free(vba_project->offset);
 | |
| 	    free(vba_project->key);
 | |
| 	    free(vba_project->length);
 | |
| 	    free(vba_project);
 | |
| 	}
 | |
|     }
 | |
| 
 | |
|     if ((dd = opendir (dirname)) != NULL) {
 | |
| 	while ((dent = readdir (dd))) {
 | |
| 	    if (dent->d_ino) {
 | |
| 		if (strcmp (dent->d_name, ".") && strcmp (dent->d_name, "..")) {
 | |
| 		    /* build the full name */
 | |
| 		    fullname = calloc (strlen (dirname) + strlen (dent->d_name) + 2, sizeof (char));
 | |
| 		    sprintf (fullname, "%s"PATHSEP"%s", dirname, dent->d_name);
 | |
| 
 | |
| 		    /* stat the file */
 | |
| 		    if (LSTAT (fullname, &statbuf) != -1) {
 | |
| 			if (S_ISDIR (statbuf.st_mode) && !S_ISLNK (statbuf.st_mode))
 | |
| 			    sigtool_vba_scandir (fullname, hex_output, U); 
 | |
| 		    }
 | |
| 		    free (fullname);
 | |
| 		}
 | |
| 	    }
 | |
| 	}
 | |
|     } else {
 | |
| 	logg("!ScanDir -> Can't open directory %s.\n", dirname);
 | |
| 	return CL_EOPEN;
 | |
|     }
 | |
| 
 | |
| 
 | |
|     closedir (dd);
 | |
|     return ret;
 | |
| }
 | 
