Пример #1
0
Файл: bmp.cpp Проект: jeske/hz
int load_bmp (IMAGEDATA *im, const char *filename)
{
  FILE *fp;
  uint16 x;
  int ret;
  uint8 *data = NULL;
  uint8 *ptr = NULL;
  int size = 0;
  struct stat st;

  if (stat (filename, &st) == -1)
  {
    I_Perror ("Error statting file %s", filename);
    return (-1);
  }
  size = st.st_size;
  data = ptr = (uint8 *) malloc (size * sizeof(uint8));

  if ((fp = fopen (filename, "r")) == NULL)
  {
    free(ptr);
    I_Perror ("Error openning file %s", filename);
    return (-1);
  }
  if (fread(data, sizeof(uint8), size, fp) < size)
  {
    free(ptr);
    I_Perror ("Error reading file %s", filename);
    return (-1);
  }
  fclose (fp);
  x = read_little_16 (&data);

  switch (x)
  {
    case BMP_TYPE_V1:
      I_Message ("Type 1 BMP\n");
      break;
    case BMP_TYPE_V3:
//      I_Message ("Type 3 BMP\n");
      ret = load_bmp_v3 (im, data);
      break;
    default:
      I_Message ("UnknownBMP\n");
  }

  free (ptr);
  return ret;
}
                        // move cursor to the beginning of a device independent bitmap (DIB)
                        DEBUG_SO(printf("offBmi=0x%08x\n", offBmi);)  
                        cursor_normal += offBmi - 4; 
                                  
                        if(cursor_normal + 12 > end_of_payload)
                           return RULE_NOMATCH;
                                  
                        // match size of BITMAPCOREHEADER to determine if it's the proper structure
                        bcSize = read_little_32(cursor_normal);
                        cursor_normal += 4;
                        DEBUG_SO(printf("bcSize=0x%08x\n", bcSize);)
        
                        if (bcSize == 12) // checks BITMAPCOREHEADER
                        {
                            bcWidth = read_little_16(cursor_normal);
                            cursor_normal += 2;
        
                            bcHeight = read_little_16(cursor_normal);
                            cursor_normal += 2;
        
                            bcPlanes = read_little_16(cursor_normal);
                            cursor_normal += 2;
        
                            bcBitCount = read_little_16(cursor_normal);
                            cursor_normal += 2;
        
                            DEBUG_SO(printf("bcWidth=%xh bcHeight=%xh bcPlanes=%xh bcBitCount=%xh\n", bcWidth,bcHeight,bcPlanes,bcBitCount);)

                            // 16-bit * 16-bit can't be more than 32-bit
                            Value = (bcWidth * bcPlanes) & 0xFFFFFFFF;
Пример #3
0
Файл: bmp.cpp Проект: jeske/hz
int load_bmp_v3 (IMAGEDATA *im, uint8 *data)
{
  uint8  byte;
  uint16 word;
  uint32 dword, data_offset;
  uint32 compression, size;
  uint32 scan_len, data_len;
  int x, y;

  /* go through header */
  dword = read_little_32 (&data);
  dword = read_little_32 (&data);
  data_offset = read_little_32 (&data);

  /* load info struct */
  /* header size */
  dword = read_little_32 (&data);
  if (dword != 40)
  {
    I_Error ("load_bmp(): Unexpected header size, expected 40 got %d", word);
    return (-1);
  }
  dword = read_little_32 (&data);
  im->width = dword;
  dword = read_little_32 (&data);
  im->height = dword;
  /* image planes, always 1 */
  word = read_little_16 (&data);
  /* bits per pixel */
  word = read_little_16 (&data);
  im->colordepth = word;
  /* compression method */
  dword = read_little_32 (&data);
  compression = dword;
  dword = read_little_32 (&data);
  size = dword;
  if (!size)
  {
    I_Message ("-W- Uh oh, image size is 0, guessing\n");
    size = im->height * im->width * im->colordepth / 8;
  }
//  else
//    I_Message ("Size is %d\n", size);

  /* horz resolution */
  dword = read_little_32 (&data);
  /* vert resolution */
  dword = read_little_32 (&data);
  /* colors */
  dword = read_little_32 (&data);
  im->numcolors = dword;
  /* significant colors */
  dword = read_little_32 (&data);

  /* Palette on 1, 4 or 8 bit displays */
  if (im->colordepth != 24)
  {
    if (im->numcolors == 0)
    {
      /* Hmm, if numcolors is 0, guess using the start of data */
      im->numcolors = (data_offset - 54) / 4;
    }

    im->palette = (RGBQUAD *) malloc (im->numcolors * sizeof (RGBQUAD));
    for (x = 0; x < im->numcolors; x++)
    {
      dword = read_little_32 (&data);
      im->palette[x].red = (dword >> 16) & 0x0ff;
      im->palette[x].green = (dword >> 8) & 0x0ff;
      im->palette[x].blue = (dword >> 0) & 0x0ff;
    }
  }
  else
/* detection functions */
int rule16531eval(void *p) {
    const uint8_t *cursor_normal = 0, *beg_of_payload, *end_of_payload;
    SFSnortPacket *sp = (SFSnortPacket *) p;

    if(sp == NULL)
        return RULE_NOMATCH;

    if(sp->payload == NULL)
        return RULE_NOMATCH;
    
    // flow:established, to_client;
    if (checkFlow(p, rule16531options[0]->option_u.flowFlags) > 0 ) {

        if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &beg_of_payload, &end_of_payload) <= 0)
            return RULE_NOMATCH;

        cursor_normal = beg_of_payload;

        //The while loop is for reassembled packets that have multiple SMB messages
        // content:"|FF|SMB2", payload raw, offset 4, depth 5, fast_pattern;
        while (contentMatch(p, rule16531options[1]->option_u.content, &cursor_normal) > 0) {

            uint32_t nb_len;
            uint16_t wc;
            uint16_t dataoffset;
            uint16_t datacount;
            uint16_t bcc;

            //Should be a NetBIOS header
            if ((cursor_normal - beg_of_payload) < 9)
                return RULE_NOMATCH;

            nb_len = *(cursor_normal-6);
            nb_len |= *(cursor_normal-7) << 8;
            nb_len |= *(cursor_normal-8) << 16;

            //Make sure enough data is there to check all necessary fields
            if (cursor_normal+44 > end_of_payload)
                return RULE_NOMATCH;

            //Extract Word Count
            wc = *(cursor_normal+27) << 1; // Someone's being clever multiplying by 2

            // XXX Have seen this with a word count of 0 - means no datacount or dataoffset
            // cursor_normal+44 should normally catch this but if there is another request
            // because of a reassembled packet, we'll get here.
            // This is just to avoid false positives
            if (wc == 0)
            {
                cursor_normal += 30;
                continue;
            }

            //Extract Data Count and Data Offset
            datacount = read_little_16(cursor_normal+40);
            dataoffset = read_little_16(cursor_normal+42);

            if (dataoffset == 0)
				return RULE_NOMATCH;

            //Check to see if there is enough space for the word count field
            //plus word count * 2 bytes, the two-byte bcc field.
            if ((cursor_normal + 30 + wc) > end_of_payload)
                return RULE_NOMATCH;

            //data offset should be always less than the NetBIOS length
            //If not, dataoffset is jacked, so alert
            if (nb_len < dataoffset)
                return RULE_MATCH;

            //Data is the last field in the payload section of the SMB trans response
            //It should be equal to NetBIOS length - dataoffset
            if ((nb_len - dataoffset) > datacount)
                return RULE_MATCH;

            cursor_normal += 28 + wc;

            //Extract bcc
            bcc = read_little_16_inc(cursor_normal);

            //Jump to the end of the data
            cursor_normal += bcc;
        }
    }
    return RULE_NOMATCH;
}