malwaredb-types 0.3.4

Data types and parsers for MalwareDB.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

// SPDX-License-Identifier: Apache-2.0

use crate::doc::DocumentFile;
use crate::utils::u64_from_offset;
use crate::{Ordering, SpecimenFile};

use std::fmt::{Display, Formatter};

use anyhow::{ensure, Context, Result};
use chrono::{DateTime, Utc};
use tracing::instrument;
use uuid::{uuid, Uuid};

const DOCFILE_MAGIC: [u8; 8] = [0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1];

/// Clsid is the UUID which matches a `Docfile` subtype, and the first three segments
/// could be in big or little endian, so we have to check both
/// <http://fileformats.archiveteam.org/wiki/Microsoft_Compound_File>
#[derive(Clone, Debug, Eq)]
pub struct Clsid {
    /// Little Endian representation, most common
    pub le_uuid: Uuid,

    /// Big Endian representation, unlikely to be encountered
    pub be_uuid: Uuid,
}

impl PartialEq for Clsid {
    fn eq(&self, other: &Self) -> bool {
        self.be_uuid == other.be_uuid || self.le_uuid == other.le_uuid
    }
}

impl Clsid {
    /// Microsoft Excel 5 through '95
    pub const EXCEL5: Self = Clsid {
        le_uuid: uuid!("10080200-0000-0000-c000-000000000046"),
        be_uuid: uuid!("00020810-0000-0000-c000-000000000046"),
    };

    /// Microsoft Excel '97
    pub const EXCEL97: Self = Clsid {
        le_uuid: uuid!("20080200-0000-0000-c000-000000000046"),
        be_uuid: uuid!("00020820-0000-0000-c000-000000000046"),
    };

    /// Microsoft Word 6 through '95
    pub const WORD6: Self = Clsid {
        le_uuid: uuid!("00090200-0000-0000-c000-000000000046"),
        be_uuid: uuid!("00020900-0000-0000-c000-000000000046"),
    };

    /// Microsoft Word document
    pub const DOC: Self = Clsid {
        le_uuid: uuid!("06090200-0000-0000-c000-000000000046"),
        be_uuid: uuid!("00020906-0000-0000-c000-000000000046"),
    };

    /// Microsoft Power Point 4
    pub const POWERPOINT4: Self = Clsid {
        le_uuid: uuid!("51480400-0000-0000-c000-000000000046"),
        be_uuid: uuid!("00044851-0000-0000-c000-000000000046"),
    };

    /// Microsoft Power Point '95
    pub const POWERPOINT95: Self = Clsid {
        le_uuid: uuid!("ea7bae70-fb3b-11cd-a903-00aa00510ea3"),
        be_uuid: uuid!("70ae7bea-3bfb-cd11-a903-00aa00510ea3"),
    };

    /// Microsoft Power Point '97 through 2003
    pub const PPT: Self = Clsid {
        le_uuid: uuid!("108d8164-9b4f-cf11-86ea-00aa00b929e8"),
        be_uuid: uuid!("64818d10-4f9b-11cf-86ea-00aa00b929e8"),
    };

    /// Microsoft Installer
    pub const MSI: Self = Clsid {
        le_uuid: uuid!("000c1084-0000-0000-c000-000000000046"),
        be_uuid: uuid!("84100c00-0000-0000-c000-000000000046"),
    };

    /// Microsoft Windows Update Patch
    pub const MSP: Self = Clsid {
        le_uuid: uuid!("000c1086-0000-0000-c000-000000000046"),
        be_uuid: uuid!("86100c00-0000-0000-c000-000000000046"),
    };

    /// Equality between a [Clsid] and byte array
    #[must_use]
    pub fn equal(&self, bytes: &[u8; 16]) -> bool {
        self.be_uuid.as_bytes() == bytes || self.le_uuid.as_bytes() == bytes
    }
}

/// UUID file type, of which only a subset is of interest
/// This is how we can filter out container formats, like .msi (installer) files.
#[derive(Clone, Debug, Eq, PartialEq)]
pub enum ClsidType {
    /// Microsoft Excel
    Excel,

    /// Microsoft Power Point
    PowerPoint,

    /// Microsoft Word
    Word,

    /// Microsoft Installer
    MSI,

    /// Microsoft Windows Patch
    MSP,

    /// Unknown or unsupported non-MS Office document type
    Unknown([u8; 16]),
}

impl ClsidType {
    /// Clsid from a byte array
    #[instrument]
    pub fn from(bytes: &[u8; 16]) -> Self {
        if Clsid::EXCEL5.equal(bytes) || Clsid::EXCEL97.equal(bytes) {
            return Self::Excel;
        }

        if Clsid::WORD6.equal(bytes) || Clsid::DOC.equal(bytes) {
            return Self::Word;
        }

        if Clsid::PPT.equal(bytes)
            || Clsid::POWERPOINT4.equal(bytes)
            || Clsid::POWERPOINT95.equal(bytes)
        {
            return Self::PowerPoint;
        }

        if Clsid::MSI.equal(bytes) {
            return Self::MSI;
        }

        if Clsid::MSP.equal(bytes) {
            return Self::MSP;
        }

        Self::Unknown(*bytes)
    }
}

impl ClsidType {
    /// If the Clsid is a document type
    #[inline]
    #[must_use]
    pub fn is_document(&self) -> bool {
        matches!(
            self,
            ClsidType::Excel | ClsidType::PowerPoint | ClsidType::Word
        )
    }
}

impl Display for ClsidType {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        match self {
            ClsidType::Excel => write!(f, "Excel"),
            ClsidType::PowerPoint => write!(f, "PowerPoint"),
            ClsidType::Word => write!(f, "Word"),
            ClsidType::MSI => write!(f, "Installer"),
            ClsidType::MSP => write!(f, "Windows Patch"),
            ClsidType::Unknown(uuid) => write!(f, "Unknown/other {}", hex::encode(uuid)),
        }
    }
}

/// A struct representing the older Microsoft Office format, Office95, aka Docfile.
///
/// This format is really a container format, and could be used to hold a non-Office files,
/// such as installers (.msi files), Windows update files, and others. Here we are only concerned
/// with MS Office types.
#[derive(Clone, Debug)]
pub struct Office95<'a> {
    /// Sub-type for the file
    pub clsid: ClsidType,

    /// Creation date of the document
    pub creation_time: Option<DateTime<Utc>>,

    /// Date the document was last modified
    pub modification_time: Option<DateTime<Utc>>,

    /// The array containing the raw bytes used to parse this document
    pub contents: &'a [u8],
}

impl<'a> Office95<'a> {
    /// Office95 `DOCFILE` type parsed from a sequence of bytes
    ///
    /// # Errors
    ///
    /// Returns an error if the document fails to parse as an Office95/Docfile, or if the CLSID isn't known.
    #[instrument(name = "Office95/Docfile parser", skip(contents))]
    pub fn from(contents: &'a [u8]) -> Result<Self> {
        ensure!(contents.starts_with(&DOCFILE_MAGIC), "Not a DOCFILE");

        let offset: [u8; 4] = contents[48..52]
            .try_into()
            .context("Failed to get slice for Office95 offset")?;
        let offset_int = u32::from_le_bytes(offset);
        let offset_int = (512 * (1 + offset_int) + 80) as usize;
        let clsid: [u8; 16] = contents[offset_int..offset_int + 16]
            .try_into()
            .context("Failed to get slide for Office95 clsid")?;

        let creation_time = if let Some(creation_time) =
            u64_from_offset(contents, offset_int + 20, Ordering::LittleEndian)
        {
            if creation_time > 0 {
                // The `nt_time` use of the From trait has `.expect()` which may be a problem, since
                // we're dealing with malware, so we have to expect funny business.
                // https://github.com/sorairolake/nt-time/issues/149
                Some(DateTime::<Utc>::from(nt_time::FileTime::new(creation_time)))
            } else {
                None
            }
        } else {
            None
        };

        let modification_time = if let Some(modification_time) =
            u64_from_offset(contents, offset_int + 28, Ordering::LittleEndian)
        {
            if modification_time > 0 {
                // The `nt_time` use of the From trait has `.expect()` which may be a problem, since
                // we're dealing with malware, so we have to expect funny business.
                // https://github.com/sorairolake/nt-time/issues/149
                Some(DateTime::<Utc>::from(nt_time::FileTime::new(
                    modification_time,
                )))
            } else {
                None
            }
        } else {
            None
        };

        let clsid = ClsidType::from(&clsid);
        ensure!(
            clsid.is_document(),
            "Office95: CLSID `{clsid}` is not a known or supported document type"
        );

        Ok(Self {
            clsid,
            creation_time,
            modification_time,
            contents,
        })
    }
}

// TODO: Better Office95 parsing
impl DocumentFile for Office95<'_> {
    fn pages(&self) -> u32 {
        0
    }

    fn author(&self) -> Option<String> {
        None
    }

    fn title(&self) -> Option<String> {
        None
    }

    fn has_javascript(&self) -> bool {
        false
    }

    fn has_form(&self) -> bool {
        false
    }

    fn creation_time(&self) -> Option<DateTime<Utc>> {
        self.creation_time
    }

    fn modification_time(&self) -> Option<DateTime<Utc>> {
        self.modification_time
    }
}

impl SpecimenFile for Office95<'_> {
    const MAGIC: &'static [&'static [u8]] = &[&DOCFILE_MAGIC];

    fn type_name(&self) -> &'static str {
        "Office95"
    }
}

impl Display for Office95<'_> {
    fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result {
        write!(f, "Type: {}", self.clsid)?;
        if let Some(created) = self.creation_time {
            write!(f, ", Created: {created}")?;
        }
        if let Some(modified) = self.modification_time {
            write!(f, ", Modified: {modified}")?;
        }
        write!(f, ", Size: {}", self.contents.len())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use rstest::rstest;

    #[rstest]
    #[case::word(include_bytes!("../../testdata/office95/word.doc"), ClsidType::Word)]
    #[case::excel(include_bytes!("../../testdata/office95/excel.xls"), ClsidType::Excel)]
    #[case::powerpoint(include_bytes!("../../testdata/office95/powerpoint.ppt"), ClsidType::PowerPoint)]
    fn doc(#[case] bytes: &[u8], #[case] expected_clsid: ClsidType) {
        let office = Office95::from(bytes).unwrap();
        println!("{office}");
        assert_eq!(office.clsid, expected_clsid);
    }
}