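//--------------------------------------------------------------------------
// Copyright (C) 2019-2021 Cisco and/or its affiliates. All rights reserved.
//
// This program is free software; you can redistribute it and/or modify it
// under the terms of the GNU General Public License Version 2 as published
// by the Free Software Foundation.  You may not use, modify or distribute
// this program under any other version of the GNU General Public License.
//
// This program is distributed in the hope that it will be useful, but
// WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
// General Public License for more details.
//
// You should have received a copy of the GNU General Public License along
// with this program; if not, write to the Free Software Foundation, Inc.,
// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
//--------------------------------------------------------------------------
// file_decomp_zip.h author Brandon Stultz <brastult@cisco.com>

// Per-session state for the ZIP local-file-header parser / inflater used by
// the file decompression engine. The parser walks each local header field
// by field (see fd_ZIP_states), locates the VBA macro container entry, and
// inflates its compressed stream with zlib.

#ifndef FILE_DECOMP_ZIP_H
#define FILE_DECOMP_ZIP_H

// uint8_t/uint16_t/uint32_t are used directly below; include <cstdint>
// explicitly instead of relying on a transitive include from zlib.h.
#include <cstdint>

#include <zlib.h>

#include "file_decomp.h"

namespace snort
{
class BoyerMooreSearchCase;
}

// Length of macro_binname without the terminating NUL; must be kept in
// sync with the literal below.
#define MACRO_BINNAME_LEN 14

// Entry name of the OLE container holding VBA macros inside an Office
// Open XML archive.
static const char* const macro_binname = "vbaProject.bin";

// Local file header signature as a host-order integer ...
static const uint32_t ZIP_LOCAL_HEADER = 0x04034B50;
// ... and as the on-the-wire (little-endian) byte sequence used when
// searching the stream for the next local header.
static const uint8_t header_pattern[4] = { 0x50, 0x4B, 0x03, 0x04 };
// General-purpose bit 3 of the local header bitflag. Per the ZIP format,
// when set the size fields in the local header are not authoritative (a
// data descriptor following the compressed data carries them instead).
static const uint8_t DATA_DESC_BIT = 0x08;

// Parser states, in the order the local header fields appear on the wire.
// Commented-out states are fields the parser skips over without decoding.
enum fd_ZIP_states
{
    ZIP_STATE_LH,             // local header (4 bytes)

    // skipped:
    // ZIP_STATE_VER,         // version (2 bytes)

    ZIP_STATE_BITFLAG,        // bitflag (2 bytes)
    ZIP_STATE_METHOD,         // compression method (2 bytes)

    // skipped:
    // ZIP_STATE_MODTIME,     // modification time (2 bytes)
    // ZIP_STATE_MODDATE,     // modification date (2 bytes)
    // ZIP_STATE_CRC,         // CRC-32 (4 bytes)

    ZIP_STATE_COMPSIZE,       // compressed size (4 bytes)

    // skipped:
    // ZIP_STATE_UNCOMPSIZE,  // uncompressed size (4 bytes)

    ZIP_STATE_FILENAMELEN,    // filename length (2 bytes)
    ZIP_STATE_EXTRALEN,       // extra field length (2 bytes)

    ZIP_STATE_FILENAME,       // filename field (filenamelen bytes)

    // skipped:
    // ZIP_STATE_EXTRA,       // extra field (extralen bytes)
    // ZIP_STATE_STREAM,      // compressed stream (compsize bytes)

    ZIP_STATE_OLE_FILE,       // presumably: decide whether this entry is
                              // macro_binname — confirm in file_decomp_zip.cc
    ZIP_STATE_INFLATE_INIT,   // initialize zlib inflate
    ZIP_STATE_INFLATE,        // perform zlib inflate
    ZIP_STATE_SEARCH,         // search for local header
    ZIP_STATE_SKIP            // skip state
};

// ZIP parser / inflater state carried in the decompression session.
struct fd_ZIP_t
{
    // zlib stream
    z_stream Stream;

    // decompression progress
    uint32_t progress;

    // ZIP fields. Every value in this group is decoded from the input being
    // inspected and is therefore attacker-controlled: compressed_size,
    // filename_length and extra_length in particular must be bounded by the
    // state machine before they drive any allocation, copy or skip.
    // NOTE(review): confirm those checks in file_decomp_zip.cc.
    uint32_t local_header;
    uint16_t bitflag;
    bool data_descriptor;     // bitflag & DATA_DESC_BIT, presumably — confirm
    uint16_t method;
    uint32_t compressed_size;
    uint16_t filename_length;
    uint16_t extra_length;
    char* file_name;          // presumably heap-allocated by the parser and
                              // released in File_Decomp_End_ZIP — confirm
    // field index (position within the field currently being assembled,
    // presumably — confirm)
    uint32_t Index;

    // current parser state and the byte length of the field it consumes
    fd_ZIP_states State;
    uint32_t Length;

    // next parser state and its field length, entered once State completes
    fd_ZIP_states Next;
    uint32_t Next_Length;

    // local file header searcher (looks for header_pattern in the stream
    // during ZIP_STATE_SEARCH)
    snort::BoyerMooreSearchCase* header_searcher;
};

// allocate and set initial ZIP state
fd_status_t File_Decomp_Init_ZIP(fd_session_t*);

// end ZIP processing
fd_status_t File_Decomp_End_ZIP(fd_session_t*);

// run the ZIP state machine
fd_status_t File_Decomp_ZIP(fd_session_t*);

#endif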