/* detection functions */
int rule13666eval(void *p) {
const uint8_t *cursor_normal = 0, *cursor_offBmi;
SFSnortPacket *sp = (SFSnortPacket *) p;
const uint8_t *record_size_ptr, *beg_of_payload, *end_of_payload;
uint32_t recordType, offBmi, bcSize;
uint16_t bcWidth,bcHeight,bcPlanes,bcBitCount;
uint64_t Value; // For storing exploit calculations
if(sp == NULL)
return RULE_NOMATCH;
if(sp->payload == NULL)
return RULE_NOMATCH;
// flow:established, to_client;
if (checkFlow(p, rule13666options[0]->option_u.flowFlags) <= 0 )
return RULE_NOMATCH;
// flowbits:isset "file.emf";
if (processFlowbits(p, rule13666options[1]->option_u.flowBit) <= 0)
return RULE_NOMATCH;
// content:" EMF|00 00 01 00|";
if (contentMatch(p, rule13666options[2]->option_u.content, &cursor_normal) > 0) {
// content:"|01 00 00 00|", offset -48, depth 4, relative;
if (contentMatch(p, rule13666options[3]->option_u.content, &cursor_normal) > 0) {
// byte_jump:size 4, relative, endian little;
if (byteJump(p, rule13666options[4]->option_u.byte, &cursor_normal) > 0) {
if(getBuffer(sp, CONTENT_BUF_NORMALIZED, &beg_of_payload, &end_of_payload) <= 0)
return RULE_NOMATCH;
// Now we're at the start of records. Find the interesting ones.
while(cursor_normal < end_of_payload) {
// We point to record size so we're at the right state for the relative jump
// if it turns out the record doesn't have a BITMAPCOREHEADER.
record_size_ptr = cursor_normal - 4;
// content:"|5E 00 00 00|", offset -8, depth 4, relative; XXX /* EMR_CREATEDIBPATTERNBRUSHPT */
if (contentMatch(p, rule13666options[5]->option_u.content, &cursor_normal) > 0
// content:"|51 00 00 00|", offset -8, depth 4, relative; XXX /* EMR_STRETCHDIBITS */
|| (contentMatch(p, rule13666options[6]->option_u.content, &cursor_normal) > 0))
{
recordType = *(cursor_normal - 4);
switch(recordType)
{
case EMR_CREATEDIBPATTERNBRUSHPT:
DEBUG_SO(printf("matched EMR_CREATEDIBPATTERNBRUSHPT\n");)
if (cursor_normal + 28 > end_of_payload) // Make sure there's enough room
return RULE_NOMATCH;
// extract offset to BITMAPCOREHEADER. can't use byte_jump because it could put us
// past end of packet since the "jump" actually starts from an earlier offset
cursor_offBmi = cursor_normal + 12;
offBmi = read_little_32(cursor_offBmi);
break;
case EMR_STRETCHDIBITS:
DEBUG_SO(printf("matched EMR_STRETCHDIBITS\n");)
if (cursor_normal + 60 > end_of_payload)
return RULE_NOMATCH;
// read offBmiSrc field
cursor_offBmi = cursor_normal + 44;
offBmi = read_little_32(cursor_offBmi);
break;
default:
DEBUG_SO(printf("This case must not happen\n");)
return RULE_NOMATCH;
}
if (offBmi + cursor_normal - 4 < cursor_normal) // check integer overflow
return RULE_NOMATCH;
// move cursor to the beginning of a device independent bitmap (DIB)
DEBUG_SO(printf("offBmi=0x%08x\n", offBmi);)
cursor_normal += offBmi - 4;
if(cursor_normal + 12 > end_of_payload)
return RULE_NOMATCH;
// match size of BITMAPCOREHEADER to determine if it's the proper structure
bcSize = read_little_32(cursor_normal);
cursor_normal += 4;
DEBUG_SO(printf("bcSize=0x%08x\n", bcSize);)
if (bcSize == 12) // checks BITMAPCOREHEADER
int load_bmp_v3 (IMAGEDATA *im, uint8 *data)
{
uint8 byte;
uint16 word;
uint32 dword, data_offset;
uint32 compression, size;
uint32 scan_len, data_len;
int x, y;
/* go through header */
dword = read_little_32 (&data);
dword = read_little_32 (&data);
data_offset = read_little_32 (&data);
/* load info struct */
/* header size */
dword = read_little_32 (&data);
if (dword != 40)
{
I_Error ("load_bmp(): Unexpected header size, expected 40 got %d", word);
return (-1);
}
dword = read_little_32 (&data);
im->width = dword;
dword = read_little_32 (&data);
im->height = dword;
/* image planes, always 1 */
word = read_little_16 (&data);
/* bits per pixel */
word = read_little_16 (&data);
im->colordepth = word;
/* compression method */
dword = read_little_32 (&data);
compression = dword;
dword = read_little_32 (&data);
size = dword;
if (!size)
{
I_Message ("-W- Uh oh, image size is 0, guessing\n");
size = im->height * im->width * im->colordepth / 8;
}
// else
// I_Message ("Size is %d\n", size);
/* horz resolution */
dword = read_little_32 (&data);
/* vert resolution */
dword = read_little_32 (&data);
/* colors */
dword = read_little_32 (&data);
im->numcolors = dword;
/* significant colors */
dword = read_little_32 (&data);
/* Palette on 1, 4 or 8 bit displays */
if (im->colordepth != 24)
{
if (im->numcolors == 0)
{
/* Hmm, if numcolors is 0, guess using the start of data */
im->numcolors = (data_offset - 54) / 4;
}
im->palette = (RGBQUAD *) malloc (im->numcolors * sizeof (RGBQUAD));
for (x = 0; x < im->numcolors; x++)
{
dword = read_little_32 (&data);
im->palette[x].red = (dword >> 16) & 0x0ff;
im->palette[x].green = (dword >> 8) & 0x0ff;
im->palette[x].blue = (dword >> 0) & 0x0ff;
}
}
else
