diff options
Diffstat (limited to 'doc/macro-storage.txt')
| -rw-r--r-- | doc/macro-storage.txt | 188 |
1 files changed, 0 insertions, 188 deletions
diff --git a/doc/macro-storage.txt b/doc/macro-storage.txt deleted file mode 100644 index 488c8b52c..000000000 --- a/doc/macro-storage.txt +++ /dev/null @@ -1,188 +0,0 @@ -* References: - * svx/source/msfilter/msvbasic.cxx - * Costin Raiu, Kaspersky Labs, 'Apple of Discord' - * Virus bulletin's bontchev.pdf, svajcer.pdf - -Using a hacked libgsf's test-cp-msole.c: - - * round-trip - works fine, 'security warning from OXP' - * deleting the __SRP_* streams: works fine ... - -'Simple' stream: - * Simple: 'SGetThree' -> 'SGetThack' - no pcode changes ... - + no visible changes - * Compressed text: - + 0d 0a is the VBA test line terminator - + Screwing up the compression can cause _serious_ - artefacts - ie. Excel loop/lock / crash etc. - * VBA 5 -> VBA 6 ... (?) - * pcode line table start marker: FE CA 01 00 - + following 2 bytes : seemingly not a clobberable version. - + blanking (0x00) pcode between 42 81 0C 00 and ff ff ff ff - - gives empty 1st macro in spreadsheet. - + clobbering with 0xff's results in XP crasher. - * clobbering the pcode results in the text changing ie. - For i = 0 To 10 -> For i = 0 To 31 - with no other change. - * clobbered pcode with 0's from & inc. feca0100 - * ie. pcode totally ignored. - * Can totally wipe all data from start to "01 ae b0 00'A''t''t'," - none of it used (seemingly) - * Can totally wipe all data _except_ pre-pended 3 items: - 0x01 0xae 0xb0 - as long as we update offsets in 'dir' stream; - see later. - * re-compressing seems to cause some nasty grief; - _looks_ like a length is stored somewhere here. - Our version is shrunk by N bytes, - we get N bytes of - de-compressed crud at the end of the macro. - -'_VBA_PROJECT' stream: - * clobber byte 3 of _VBA_PROJECT to 0xa8 - also works going backwards: 0x01 - + no need to clobber pcode table ... [ presumably not read !? ] - * Office XP only requires this data in this file: - + cc 61 <01> 00 00 01 + pad to 32 bytes with 0s. - * clobber macro name - reflected in re-load in - <module-name> [functions] list - ordering odd there though. - -Generic stream description: - + first byte '1' - + 2nd byte == length of compressed data - 1 - + 3rd byte == 0xb + 4 bits MSB of compressed data length - + maximum recorded compressed size is 0xc0c ie 0x010cbc - above which it (appears) that it reads to the EOS. - + 4th ... bytes = LZSS compressed macro text. - + VBA editor can't cope with unicode - just barfs - + VBA editor can cope with 8bit chars - and writes them - out as such too. - + can insert invalid / broken VBA with no problems. - -All streams contain compressed text: - + Sheet / Workbook / VBA etc. all re-constructed ... [!] - -'dir' stream: - * Looks like the project stream - but more authoritative ? - * Compression is (essentially) LZSS with no Huffman post-coding, - and some window size tweakage. - * Contains authoritative offsets for VBA text in streams - * re-compression a total pain; managed to get Excel to accept - a re-compressed 'dir' - by truncating a number of the longer - back-matches to < 1/2 the window size. - * altering the offsets - works. - * Stream format is: - + 2 byte tag, 4 byte length, <data> [ repeat ] - + the tag 0x9 is broken: it's length is 2 bytes too short. - * Each Stream has 4 strings: ascii/unicode pairs - + unicode canonical; 1st pair: unknown, 2nd: stream name. - + serious problems if all names not in sync (hmm) - - - * Cutting / reduction: - + Removing both external linkage records + prepended 2 name - pair works fine. - + fiddling with the object count - appears to have - little effect on OfficeXP - reads to EOF. - + removing objects: - + removing SHORT_OBJECT_COUNT -> Sheet1's name -> - crashes Excel (even with decrementing the count) - + If the equivalent PROJECT reference removed - - works fine, can remove all Sheets. - + can remove workbook if not in PROJECT. - + not understood fields: - + Fields 0x13, 0x2c - can be 00'd with no apparent problems - + Binning all the VBA stream names (ie. not Sheet*,wbk) results - in very odd loading - populates project tree just fine, (from - OLE stream names?) - but code view / calculate hangs the - editor; hmm. - - * finally realised that the _VBA_PROJECT_CUR/PROJECT and PROJECTwm - streams are rather important. - - * PROJECTwm - looks like an i18n hash; 8bit -> 16bit; simple list, - all 0 terminated with a trailing 16bits of 0. - + what is VersionCompatible32="393222000" ? - - -* Office 97 quirks: - - + exports a '_VBA_PROJECT' storage - but can just trash it. - + this is for backwards compatibility with Office 95 - + Office 95 doesn't have a _VBA_PROJECT stream. - + everything very fragile until you delete the __SRP_X - streams. - + Clobbering the 'byte 3' _VBA_PROJECT version works nicely, - [ you can flawlessly export OfficeXP to Office97 macros ]. - + Binning the 'PROJECTwm' stream appears to have no effect though - Also mangling down the PROJECTwm set to only the macro names - works fine. - + Serious problems arise when we omit the 'Sheet 1' type - references in the PROJECT stream. - + we can omit them from the [Workspace] section, - + we must have lots of 'Document=' nodes. - + [HostExtenderInfo] not necessary. - + HelpContextID, HelpFile, Name not necessary. - + CMG, DPB, GC: not necessary - + VersionCompatible32="393222000" not necessary - + Sheet names must be there; Foo1,Foo2,Foo3 no good. - + they must exactly match the 'dir' entries [I guess] - + The 'dir' entries must be there too ... - + Workbook & Sheet streams ... - The 'Workbook' stream must contain _at least_: - + Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}" - The 'Sheet' stream must contain _at least_: - + Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}" - + Naming consistency - + 'Workbook' name (stream & PROJECT) _must_ match with - Excel 'CODENAME' (0x01ba) record, or SEGV result. - + Similarly, Sheet 'CODENAME' records must also match. - [ XclCodename record ] - + Office 97 also segv's if we don't have a valuid - + Attribute VB_Name = "<MacroSheet>" - record in the macro ... - - -** Appendix 1: Random _VBA_PROJECT observations: - - + Examining a typical stream; - -00000000 cc 61 5e 00 00 01 00 ff 09 08 00 00 09 04 00 00 |Ìa^....ÿ........| - ^^^^^^^^^^-1-^^^^^^^^^^ ^^^^-2-^^^^ ^^^^-3-^^^^ -00000010 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 |ä...............| - ^-4-^ ^-A-^ ^-B-^ ^-C-^ ^-D-^ ^-E-^ ^-F-^ ^-G-^ -00000020 02 00 16 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 |....*.\.G.{.0.0.| - ^-H-^ - -[1] - version / magic -[2/3] - language identifiers -[4] - char-set -Lengths: -[A] - -[B] - -[C] - -[D] - -[E] - -[F] - -[G] - number of plugins / strings. -[H] - - - ... a number of strings ... - VBA section: - -00000770 0b 00 02 00 02 00 02 00 02 00 01 00 01 00 01 00 |................| - ^-1-^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^-2-^^^^^^^^^^^^ -00000780 01 00 02 04 02 04 02 04 03 00 04 02 00 00 06 02 |................| - ^^^^^^^^^^^^^^^^^^^^^^^ ^-3-^ ^^^^^^^^^^^ ^-4-^ -00000790 01 00 08 02 00 00 0a 02 ff ff ff ff ff ff 00 00 |................| - ^^^^^^^^^^^^^^^^^ ^^^^^^^^^-5-^^^^^^^^^^^^ --000007a0 00 00 ff ff 00 00 5a f6 67 40 03 00 00 00 01 00 |......Z.g@......| - - - - This is all tedious overall project stuff so far ... - -[1] - count of VBA project elements ... -[2] - element types - each USHORT: - 0x1 == VBA module, - 0x2 == sheet/workbook, - 0x402 == class or form -[3] - count of int32s - tags of some form (?); effectively magic: -[5] - an offset table in 16bit chunks (?) - + fixed length of 100bytes |