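/*-
 ***********************************************************************
 *
 * $Id: xmagic.h,v 1.72 2014/07/18 06:40:44 mavrik Exp $
 *
 ***********************************************************************
 *
 * Copyright 2000-2014 The FTimes Project, All Rights Reserved.
 *
 ***********************************************************************
 */
#ifndef _XMAGIC_H_INCLUDED
#define _XMAGIC_H_INCLUDED
/*
 * NOTE(review): an identifier beginning with '_' followed by an uppercase
 * letter is reserved for the implementation (C11 7.1.3). The guard (and the
 * _XMAGIC_* struct/enum tags below) are kept unchanged so that any existing
 * reference to them keeps working.
 */

/*-
 ***********************************************************************
 *
 * Includes
 *
 * This header uses FILE, size_t and (on UNIX) struct stat, so it pulls in
 * their providers itself. The APP_* fixed-width typedefs, KLEL_*, pcre,
 * and SHA256_HASH_SIZE are not defined here and must come from project
 * headers included before this one.
 *
 ***********************************************************************
 */
#include <stddef.h>
#include <stdio.h>
#ifdef UNIX
#include <sys/stat.h>
#endif

/*-
 ***********************************************************************
 *
 * Defines
 *
 ***********************************************************************
 */
/* XMAGIC_PREFIX must be a string literal: it is joined to the path by
 * adjacent-literal concatenation. */
#ifdef UNIX
#define XMAGIC_DEFAULT_LOCATION XMAGIC_PREFIX"/etc/xmagic"
#define XMAGIC_CURRENT_LOCATION "./xmagic"
#endif

#ifdef WIN32
#define XMAGIC_DEFAULT_LOCATION XMAGIC_PREFIX"\\etc\\xmagic"
#define XMAGIC_CURRENT_LOCATION ".\\xmagic"
#endif

/* Descriptions reported when no magic matches / the input is empty. */
#define XMAGIC_DEFAULT "other/unknown"
#define XMAGIC_ISEMPTY "other/empty"

/* Combo buffer: one "100.00/" style field (7 chars + NUL) per slot. */
#define XMAGIC_COMBO_SLOT_COUNT 10
#define XMAGIC_COMBO_SIZE ((7 + 1) * (XMAGIC_COMBO_SLOT_COUNT)) /* (strlen("100.00/") + 1 for the NUL byte) * XMAGIC_COMBO_SLOT_COUNT */

#define XMAGIC_PERCENT_COMBO_CSPDAE_SLOTS 6

/* Number of distinct codes (histogram bins) for the 1- and 2-byte statistics. */
#define XMAGIC_PERCENT_1BYTE_CODES 256
#define XMAGIC_ROW_AVERAGE_1_CODES 256
#define XMAGIC_ROW_AVERAGE_2_CODES 65536
#define XMAGIC_ROW_ENTROPY_1_CODES 256
#define XMAGIC_ROW_ENTROPY_2_CODES 65536
#define XMAGIC_LOG2_OF_10 3.32192809488736234787 /* log2(10) = ln(10)/ln(2) */
#define XMAGIC_LSB 0
#define XMAGIC_MSB 1
#define XMAGIC_READ_BUFSIZE 0x4000
#define XMAGIC_MAX_HASH_LENGTH ((SHA256_HASH_SIZE)*2) /* hex digits; a NUL terminator is not included */
#define XMAGIC_MAX_LINE 8192
#define XMAGIC_MAX_LEVEL 128
#define XMAGIC_STRING_BUFSIZE 64
#define XMAGIC_SUBJECT_BUFSIZE 128
#ifdef USE_PCRE
#define XMAGIC_REGEXP_CAPTURE_BUFSIZE XMAGIC_SUBJECT_BUFSIZE
#define XMAGIC_REGEXP_BUFSIZE 1024
#endif
#define XMAGIC_DESCRIPTION_BUFSIZE 256

/* Bits OR'd into XMAGIC.ui32Flags. */
#define XMAGIC_INDIRECT_OFFSET 0x00000001
#define XMAGIC_RELATIVE_OFFSET 0x00000002
#define XMAGIC_NO_SPACE 0x00000004
#define XMAGIC_HAVE_WARP 0x00000008
#define XMAGIC_HAVE_SIZE 0x00000010
#define XMAGIC_RELATIVE_X_OFFSET 0x00000020

/* Return codes of the XMagicTest* functions. The negative value is
 * parenthesized so it cannot bind unexpectedly inside an expression. */
#define XMAGIC_TEST_ERROR (-1)
#define XMAGIC_TEST_FALSE 0
#define XMAGIC_TEST_MATCH 1

#ifdef USE_PCRE
#ifndef PCRE_MAX_CAPTURE_COUNT
#define PCRE_MAX_CAPTURE_COUNT 9 /* This is the maximum number of capturing '()' subpatterns allowed. */
#endif
/*
 * The following quote was taken from pcreapi(3) man page.
 *
 * The smallest size for ovector that will allow for n captured
 * substrings, in addition to the offsets of the substring matched
 * by the whole pattern, is (n+1)*3.
 *
 * The default is derived from PCRE_MAX_CAPTURE_COUNT so the two stay in
 * step when the capture limit is overridden; with the default limit of 9
 * this is (9+1)*3 = 30, the value previously hard-coded here.
 */
#ifndef PCRE_OVECTOR_ARRAY_SIZE
#define PCRE_OVECTOR_ARRAY_SIZE (((PCRE_MAX_CAPTURE_COUNT) + 1) * 3)
#endif
#endif

/* Flag accepted by XMagicGetLine() via uiFlags. */
#define XMAGIC_PRESERVE_COMMENTS 0x00000001

#define XMAGIC_TIME_SIZE 20
#define XMAGIC_YMDHMS_FORMAT_SIZE 20
#define XMAGIC_YMDHMS_FORMAT "%Y-%m-%d %H:%M:%S"

/*-
 ***********************************************************************
 *
 * Typedefs
 *
 ***********************************************************************
 */
#ifdef USE_KLEL
/* A counted byte buffer handed to the KLEL callbacks. */
typedef struct _XMAGIC_DATA_BLOCK
{
  unsigned char *pucData;
  int iLength;
} XMAGIC_DATA_BLOCK;
#endif

#ifdef USE_KLEL
/* Maps a KLEL variable name to its expression type. */
typedef struct _XMAGIC_KLEL_TYPE_SPEC
{
  const char *pcName;
  KLEL_EXPR_TYPE iType;
} XMAGIC_KLEL_TYPE_SPEC;
#endif

/* Comparison operators a magic test may apply to the extracted value.
 * The comment on each entry is the token that selects it. */
typedef enum _XMAGIC_TEST_OPERATORS
{
  XMAGIC_OP_AND = 0, /* '&' */
  XMAGIC_OP_EQ, /* '==' or '=' */
  XMAGIC_OP_GE, /* '>=' */
  XMAGIC_OP_GE_AND_LE, /* '[]' */
  XMAGIC_OP_GE_AND_LT, /* '[)' */
  XMAGIC_OP_GT, /* '>' */
  XMAGIC_OP_GT_AND_LE, /* '(]' */
  XMAGIC_OP_GT_AND_LT, /* '()' */
  XMAGIC_OP_LE, /* '<=' */
  XMAGIC_OP_LE_OR_GE, /* '][' */
  XMAGIC_OP_LE_OR_GT, /* '](' */
  XMAGIC_OP_LT, /* '<' */
  XMAGIC_OP_LT_OR_GE, /* ')[' */
  XMAGIC_OP_LT_OR_GT, /* ')(' */
  XMAGIC_OP_NE, /* '!=' or '!' */
  XMAGIC_OP_NOOP, /* 'x' */
#ifdef USE_PCRE
  XMAGIC_OP_REGEXP_EQ, /* '=~' */
  XMAGIC_OP_REGEXP_NE, /* '!~' */
#endif
  XMAGIC_OP_XOR, /* '^' */
} XMAGIC_TEST_OPERATORS;

/* Arithmetic "warp" transformations applied to a value before testing.
 * Numbering starts at 1 so that 0 can mean "no warp". */
typedef enum _XMAGIC_WARP_OPERATORS
{
  XMAGIC_WARP_OP_MOD = 1, /* '%' */
  XMAGIC_WARP_OP_AND, /* '&' */
  XMAGIC_WARP_OP_MUL, /* '*' */
  XMAGIC_WARP_OP_ADD, /* '+' */
  XMAGIC_WARP_OP_SUB, /* '-' */
  XMAGIC_WARP_OP_DIV, /* '/' */
  XMAGIC_WARP_OP_LSHIFT, /* '<' */
  XMAGIC_WARP_OP_RSHIFT, /* '>' */
  XMAGIC_WARP_OP_XOR, /* '^' */
  XMAGIC_WARP_OP_OR, /* '|' */
} XMAGIC_WARP_OPERATORS;

/* Value types a magic line may examine. Numbering starts at 1 so that 0
 * can mean "no type". Entries guarded by USE_KLEL/USE_PCRE shift the
 * numeric values of everything after them, so these values must not be
 * persisted or exchanged between differently configured builds. */
typedef enum _XMAGIC_TYPES
{
  XMAGIC_BEDATE = 1,
  XMAGIC_BELONG,
  XMAGIC_BESHORT,
  XMAGIC_BEUI64,
  XMAGIC_BYTE,
  XMAGIC_DATE,
#ifdef USE_KLEL
  XMAGIC_KLELEXP,
#endif
  XMAGIC_LEDATE,
  XMAGIC_LELONG,
  XMAGIC_LESHORT,
  XMAGIC_LEUI64,
  XMAGIC_LONG,
  XMAGIC_MD5,
  XMAGIC_NLEFT,
#ifdef USE_PCRE
  XMAGIC_REGEXP,
#endif
  XMAGIC_PERCENT_COMBO_CSPDAE,
  XMAGIC_PERCENT_CTYPE_80_FF,
  XMAGIC_PERCENT_CTYPE_ALNUM,
  XMAGIC_PERCENT_CTYPE_ALPHA,
  XMAGIC_PERCENT_CTYPE_ASCII,
  XMAGIC_PERCENT_CTYPE_CNTRL,
  XMAGIC_PERCENT_CTYPE_DIGIT,
  XMAGIC_PERCENT_CTYPE_LOWER,
  XMAGIC_PERCENT_CTYPE_PRINT,
  XMAGIC_PERCENT_CTYPE_PUNCT,
  XMAGIC_PERCENT_CTYPE_SPACE,
  XMAGIC_PERCENT_CTYPE_UPPER,
  XMAGIC_PSTRING,
  XMAGIC_ROW_AVERAGE_1,
  XMAGIC_ROW_AVERAGE_2,
  XMAGIC_ROW_ENTROPY_1,
  XMAGIC_ROW_ENTROPY_2,
  XMAGIC_SHA1,
  XMAGIC_SHA256,
  XMAGIC_SHORT,
  XMAGIC_STRING,
  XMAGIC_UI64,
  XMAGIC_UNIX_YMDHMS_BEDATE,
  XMAGIC_UNIX_YMDHMS_LEDATE,
  XMAGIC_WINX_YMDHMS_BEDATE,
  XMAGIC_WINX_YMDHMS_LEDATE,
} XMAGIC_TYPES;

/* Indirect offset specification (see the x[.[BSLbsl]][%&*+-/<>^|][y]
 * notation described on XMAGIC.sIndirection). */
typedef struct _XMAGIC_INDIRECTION
{
  int iType;
  int iOperator;
  APP_UI32 ui32Value;
} XMAGIC_INDIRECTION;

/* Test value in every representation a magic type may need: a floating
 * point, 32-bit and 64-bit number (each with lower/upper bounds for the
 * range operators) and a fixed-size byte string. ui8String is a bounded
 * buffer of XMAGIC_STRING_BUFSIZE bytes; writers must not exceed it. */
typedef struct _XMAGIC_VALUE
{
  double dLowerNumber;
  double dNumber;
  double dUpperNumber;
  APP_UI32 ui32LowerNumber;
  APP_UI32 ui32Number;
  APP_UI32 ui32UpperNumber;
  APP_UI64 ui64LowerNumber;
  APP_UI64 ui64Number;
  APP_UI64 ui64UpperNumber;
  APP_UI8 ui8String[XMAGIC_STRING_BUFSIZE];
} XMAGIC_VALUE;

/*-
 ***********************************************************************
 *
 * The meaning of XMAGIC...
 *
 * psParent Pointer to parent magic
 * psSibling Pointer to next magic
 * psChild Pointer to subordinate magic
 * pcCombo Pointer to the combo buffer
 * acDescription Description to use on a match
 * iType The type of value to examine (e.g., byte, short, long, date, etc.)
 * iTestOperator Contains the ID of the operator (see XMAGIC_TEST_OPERATORS) used to test the value
 * iWarpOperator Contains the ID of the operator (see XMAGIC_WARP_OPERATORS) used in the warp transformation
 * ui32FallbackCount The number of '<'s in the test level
 * ui32Flags Contains an OR'd set of flags that control/shape the various magic tests
 * ui32Level The number of '>'s in the test level
 * ui32WarpValue Contains the right-hand value used in the warp transformation
 * i32XOffset Offset in file being evaluated (relative offsets may be negative; absolute offsets may not be negative)
 * sIndirection A structure that contains the indirect offset information (x[.[BSLbsl]][%&*+-/<>^|][y])
 * sValue A structure that contains the value to be tested
 #ifdef USE_PCRE
 * acRegExp User-specified regular expression
 * aucCapturedData Captured regular expression data
 * iCaptureCount Number of capturing ()'s in the regular expression
 * iMatchLength Length of the captured regular expression match
 * iRegExpLength Length of acRegExp
 * ui32Size Size of the type in bytes (applies to entropy and regexp)
 * psPcre Compiled regular expression
 * psPcreExtra Results of studying the compiled regular expression
 #endif
 * dAverage Average computed over ui32Size bytes at i32XOffset
 * dEntropy Entropy computed over ui32Size bytes at i32XOffset
 * dPercent Percent computed over ui32Size bytes at i32XOffset
 * iStringLength Length of sValue.ui8String
 * pcHash Computed hash (MD5, SHA1, SHA256, etc.)
 *
 * The fixed-size arrays (acDescription, acRegExp, aucCapturedData) are
 * bounded by the XMAGIC_*_BUFSIZE constants above; anything copying
 * parsed magic-file or subject data into them must honour those bounds.
 *
 ***********************************************************************
 */
typedef struct _XMAGIC
{
  struct _XMAGIC *psParent;
  struct _XMAGIC *psSibling;
  struct _XMAGIC *psChild;
  char acDescription[XMAGIC_DESCRIPTION_BUFSIZE];
  char *pcCombo;
  int iType;
  int iTestOperator;
  int iWarpOperator;
  APP_UI32 ui32FallbackCount;
  APP_UI32 ui32Flags;
  APP_UI32 ui32Level;
  APP_UI32 ui32Size;
  APP_UI32 ui32WarpValue;
  APP_SI32 i32XOffset; /* This variable can be negative for relative offsets. */
  XMAGIC_INDIRECTION sIndirection;
  XMAGIC_VALUE sValue;
  int iStringLength;
#ifdef USE_PCRE
  char acRegExp[XMAGIC_REGEXP_BUFSIZE];
  unsigned char aucCapturedData[XMAGIC_REGEXP_CAPTURE_BUFSIZE];
  int iCaptureCount;
  int iMatchLength;
  int iRegExpLength;
  pcre *psPcre;
  pcre_extra *psPcreExtra;
#endif
  double dAverage;
  double dEntropy;
  double dPercent;
  char *pcHash;
#ifdef USE_KLEL
  KLEL_CONTEXT *psKlelContext;
#endif
} XMAGIC;

/*-
 ***********************************************************************
 *
 * Function Prototypes
 *
 * Conventions visible from the signatures: XMagicTest* functions return
 * one of XMAGIC_TEST_ERROR / XMAGIC_TEST_FALSE / XMAGIC_TEST_MATCH and
 * report failures through pcError. The pcError parameters carry no
 * length argument, and neither do the pcDescription parameters of
 * XMagicFormatDescription() and XMagicTestMagic() (unlike
 * XMagicTestBuffer()/XMagicTestFile(), which take iDescriptionLength).
 * NOTE(review): the buffer sizes those callees assume are fixed by the
 * implementation, not by this header -- confirm them before passing a
 * buffer smaller than XMAGIC_DESCRIPTION_BUFSIZE.
 *
 ***********************************************************************
 */
int is80_ff(int c);
#if defined(USE_KLEL) && !defined(HAVE_STRNLEN)
size_t strnlen(const char *pcString, size_t szMaxLength);
#endif

/* Buffer statistics over iLength bytes of pucBuffer. */
double XMagicComputePercentage(unsigned char *pucBuffer, int iLength, int iType);
char *XMagicComputePercentageCombos(unsigned char *pucBuffer, int iLength, int iType);
double XMagicComputeRowAverage1(unsigned char *pucBuffer, int iLength);
double XMagicComputeRowAverage2(unsigned char *pucBuffer, int iLength);
double XMagicComputeRowEntropy1(unsigned char *pucBuffer, int iLength);
double XMagicComputeRowEntropy2(unsigned char *pucBuffer, int iLength);

/* Escape-sequence helpers used while parsing magic strings. */
int XMagicConvert2charHex(char *pcSRC, char *pcDST);
int XMagicConvert3charOct(char *pcSRC, char *pcDST);
int XMagicConvertHexToInt(int iC);

void XMagicFormatDescription(void *pvValue, XMAGIC *psXMagic, char *pcDescription);
void XMagicFreeXMagic(XMAGIC *psXMagic);

/* Magic-file parsing. pcS/pcE delimit the token being parsed. */
int XMagicGetDescription(char *pcS, char *pcE, XMAGIC *psXMagic, char *pcError);
char *XMagicGetLine(FILE *pFile, int iMaxLine, unsigned int uiFlags, int *piLinesConsumed, char *pcError);
int XMagicGetOffset(char *pcS, char *pcE, XMAGIC *psXMagic, char *pcError);
int XMagicGetTestOperator(char *pcS, char *pcE, XMAGIC *psXMagic, char *pcError);
int XMagicGetTestValue(char *pcS, char *pcE, XMAGIC *psXMagic, char *pcError);
int XMagicGetType(char *pcS, char *pcE, XMAGIC *psXMagic, char *pcError);
APP_SI32 XMagicGetValueOffset(unsigned char *pucBuffer, int iNRead, XMAGIC *psXMagic);

/* Loads a magic file into an XMAGIC tree; presumably released with
 * XMagicFreeXMagic() -- confirm against the implementation. */
XMAGIC *XMagicLoadMagic(char *pcFilename, char *pcError);
#ifdef USE_KLEL
KLEL_VALUE *XMagicKlelBeLongAt(KLEL_VALUE **ppsArgs, void *pvContext);
KLEL_VALUE *XMagicKlelBeShortAt(KLEL_VALUE **ppsArgs, void *pvContext);
KLEL_VALUE *XMagicKlelByteAt(KLEL_VALUE **ppsArgs, void *pvContext);
KLEL_VALUE *XMagicKlelComputeRowEntropy1At(KLEL_VALUE **ppsArgs, void *pvContext);
KLEL_EXPR_TYPE XMagicKlelGetTypeOfVar(const char *pcName, void *pvContext);
KLEL_VALUE *XMagicKlelGetValueOfVar(const char *pcName, void *pvContext);
KLEL_VALUE *XMagicKlelLeLongAt(KLEL_VALUE **ppsArgs, void *pvContext);
KLEL_VALUE *XMagicKlelLeShortAt(KLEL_VALUE **ppsArgs, void *pvContext);
KLEL_VALUE *XMagicKlelStringAt(KLEL_VALUE **ppsArgs, void *pvContext);
#endif
XMAGIC *XMagicNewXMagic(char *pcError);
XMAGIC *XMagicParseLine(char *pcLine, char *pcError);
int XMagicStringToUi64(char *pcNumber, APP_UI64 *pui64Value);

/* Byte-order conversion; ui32MagicType selects the endianness to honour. */
APP_UI16 XMagicSwapUi16(APP_UI16 ui16Value, APP_UI32 ui32MagicType);
APP_UI32 XMagicSwapUi32(APP_UI32 ui32Value, APP_UI32 ui32MagicType);
APP_UI64 XMagicSwapUi64(APP_UI64 ui64Value, APP_UI32 ui32MagicType);

/* Test drivers. iLength is the number of valid bytes in pucBuffer and
 * iOffset the position under test; both must be checked against each
 * other before any read, since magic files are untrusted input. */
int XMagicTestAverage(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
int XMagicTestBuffer(XMAGIC *psXMagic, unsigned char *pucBuffer, int iBufferLength, char *pcDescription, int iDescriptionLength, char *pcError);
int XMagicTestEntropy(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
int XMagicTestFile(XMAGIC *psXMagic, char *pcFilename, char *pcDescription, int iDescriptionLength, char *pcError);
int XMagicTestHash(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
int XMagicTestMagic(XMAGIC *psXMagic, unsigned char *pucBuffer, int iNRead, char *pcDescription, int *iBytesUsed, int *iBytesLeft, char *pcError);
int XMagicTestNumber(XMAGIC *psXMagic, APP_UI32 ui32Value);
int XMagicTestNumber64(XMAGIC *psXMagic, APP_UI64 ui64Value);
int XMagicTestPercent(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
int XMagicTestPercentCombo(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
#ifdef USE_PCRE
int XMagicTestRegExp(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
#endif
#ifdef UNIX
int XMagicTestSpecial(char *pcFilename, struct stat *psStatEntry, char *pcDescription, int iDescriptionLength, char *pcError);
#endif
int XMagicTestString(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcError);
int XMagicTestValue(XMAGIC *psXMagic, unsigned char *pucBuffer, int iLength, APP_SI32 iOffset, char *pcDescription, char *pcError);

#endif /* !_XMAGIC_H_INCLUDED */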