open-dsi
/
clamav
mirror of https://github.com/Cisco-Talos/clamav
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add signature for MacOffice 2004. Guess endianness of unknown versions of MS Office.

Browse Source 
git-svn: trunk@1184
remotes/push_mirror/metadata
Trog 21 years ago
parent 9d0b7ebd61
commit 11a1fcf5e4
2 changed files with 24 additions and 9 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 6
      clamav-devel/ChangeLog
  2. 27
      clamav-devel/libclamav/vba_extract.c

6
clamav-devel/ChangeLog
Unescape View File

@ -1,3 +1,9 @@
Tue Dec 14 11:36:43 GMT 2004 (trog)
-----------------------------------
* libclamav/vba_extract.c:
- Add signature for MacOffice 2004
- Guess endianness of unknown versions of MS Office.
Tue Dec 14 11:15:22 GMT 2004 (trog)
-----------------------------------
* sigtool/options.c sigtool/sigtool.c: New options: --vba and --vba-hex

27
clamav-devel/libclamav/vba_extract.c
Unescape View File

@ -91,7 +91,7 @@ typedef struct byte_array_tag {
unsigned char *data;
} byte_array_t;
#define NUM_VBA_VERSIONS 13
#define NUM_VBA_VERSIONS 14
vba_version_t vba_version[] = {
{ { 0x5e, 0x00, 0x00, 0x01 }, "Office 97", 5, FALSE},
{ { 0x5f, 0x00, 0x00, 0x01 }, "Office 97 SR1", 5, FALSE },
@ -106,6 +106,7 @@ vba_version_t vba_version[] = {
{ { 0x60, 0x00, 0x00, 0x0e }, "MacOffice 98", 5, TRUE },
{ { 0x62, 0x00, 0x00, 0x0e }, "MacOffice 2001", 5, TRUE },
{ { 0x63, 0x00, 0x00, 0x0e }, "MacOffice X", 6, TRUE },
{ { 0x64, 0x00, 0x00, 0x0e }, "MacOffice 2004", 6, TRUE },
};
#define VBA56_DIRENT_RECORD_COUNT (2 + /* magic */ \
@ -315,17 +316,25 @@ vba_project_t *vba56_dir_read(const char *dir)
}
if (i == NUM_VBA_VERSIONS) {
cli_dbgmsg("Unknown VBA version signature %x %x %x %x\n",
cli_warnmsg("Unknown VBA version signature %x %x %x %x\n",
version[0], version[1], version[2], version[3]);
close(fd);
return NULL;
if (version[3] == 0x01) {
cli_warnmsg("Guessing little-endian\n");
is_mac = FALSE;
} else if (version[3] == 0x0e) {
cli_warnmsg("Guessing big-endian\n");
is_mac = TRUE;
} else {
cli_warnmsg("Unable to guess VBA type\n");
close(fd);
return NULL;
}
} else {
cli_dbgmsg("VBA Project: %s, VBA Version=%d\n", vba_version[i].name,
vba_version[i].vba_version);
is_mac = vba_version[i].is_mac;
}
cli_dbgmsg("VBA Project: %s, VBA Version=%d\n", vba_version[i].name,
vba_version[i].vba_version);
is_mac = vba_version[i].is_mac;
/*****************************************/
/* two bytes, should be equal to 0x00ff */

Write Preview
Loading…
Cancel
Save