feat: OLE CF and VBA modules implemented

cli/src/commands/dump.rs

@@ -20,6 +20,8 @@ enum SupportedModules {
     Elf,
     Pe,
     Dotnet,
+    Olecf,
+    Vba
 }
 
 #[derive(Debug, Clone, ValueEnum)]
@@ -111,6 +113,12 @@ pub fn exec_dump(args: &ArgMatches) -> anyhow::Result<()> {
         if !requested_modules.contains(&&SupportedModules::Pe) {
             module_output.pe = MessageField::none()
         }
+        if !requested_modules.contains(&&SupportedModules::Olecf) {
+            module_output.olecf = MessageField::none()
+        }
+        if !requested_modules.contains(&&SupportedModules::Vba) {
+            module_output.vba = MessageField::none()
+        }
     } else {
         // Module was not specified, only show those that produced meaningful
         // results, the rest are cleared out.
@@ -131,6 +139,12 @@ pub fn exec_dump(args: &ArgMatches) -> anyhow::Result<()> {
         if !module_output.pe.is_pe() {
             module_output.pe = MessageField::none()
         }
+        if !module_output.olecf.is_olecf() {
+            module_output.olecf = MessageField::none()
+        }
+        if !module_output.vba.has_macros() {
+            module_output.vba = MessageField::none()
+        }
     }
 
     match output_format {

lib/Cargo.toml

@@ -146,6 +146,9 @@ magic-module = [
 # The `math` module.
 math-module = []
 
+# The `olecf` module
+olecf-module = []
+
 # The `pe` module parses PE files.
 pe-module = [
     "dep:const-oid",
@@ -182,6 +185,9 @@ text-module = [
 # conditions of a rule to check against other epoch time.
 time-module = []
 
+# The `vba` module
+vba-module = []
+
 # Features that are enabled by default.
 default = [
     "constant-folding",
@@ -194,10 +200,12 @@ default = [
     "macho-module",
     "math-module",
     "hash-module",
+    "olecf-module",
     "pe-module",
     "string-module",
     "time-module",
     "lnk-module",
+    "vba-module",
     "test_proto2-module",
     "test_proto3-module",
 ]
@@ -260,6 +268,7 @@ x509-parser = { workspace = true, optional = true }
 yansi = { workspace = true }
 yara-x-macros = { workspace = true }
 yara-x-parser = { workspace = true, features = ["serde"] }
+zip = { workspace = true }
 
 lingua = { version = "1.6.2", optional = true, default-features = false, features = ["english", "german", "french", "spanish"] }
 

lib/src/modules/add_modules.rs

@@ -18,6 +18,8 @@ add_module!(modules, "macho", macho, "macho.Macho", Some("macho"), Some(macho::_
 add_module!(modules, "magic", magic, "magic.Magic", Some("magic"), Some(magic::__main__ as MainFn));
 #[cfg(feature = "math-module")]
 add_module!(modules, "math", math, "math.Math", Some("math"), Some(math::__main__ as MainFn));
+#[cfg(feature = "olecf-module")]
+add_module!(modules, "olecf", olecf, "olecf.Olecf", Some("olecf"), Some(olecf::__main__ as MainFn));
 #[cfg(feature = "pe-module")]
 add_module!(modules, "pe", pe, "pe.PE", Some("pe"), Some(pe::__main__ as MainFn));
 #[cfg(feature = "string-module")]
@@ -30,4 +32,6 @@ add_module!(modules, "test_proto3", test_proto3, "test_proto3.TestProto3", Some(
 add_module!(modules, "text", text, "text.Text", Some("text"), Some(text::__main__ as MainFn));
 #[cfg(feature = "time-module")]
 add_module!(modules, "time", time, "time.Time", Some("time"), Some(time::__main__ as MainFn));
+#[cfg(feature = "vba-module")]
+add_module!(modules, "vba", vba, "vba.Vba", Some("vba"), Some(vba::__main__ as MainFn));
 }

lib/src/modules/mod.rs

@@ -174,6 +174,24 @@ pub mod mods {
     /// Data structure returned by the `macho` module.
     pub use super::protos::macho::Macho;
 
+    /// Data structures defined by the `olecf` module.
+    ///
+    /// The main structure produced by the module is [`olecf:Olecf`]. The rest
+    /// of them are used by one or more fields in the main structure.
+    ///
+    pub use super::protos::olecf;
+    /// Data structure returned by the `olecf` module.
+    pub use super::protos::olecf::Olecf;
+
+    /// Data structures defined by the `vba` module.
+    ///
+    /// The main structure produced by the module is [`vba::Vba`]. The rest
+    /// of them are used by one or more fields in the main structure.
+    ///
+    pub use super::protos::vba;
+    /// Data structure returned by the `macho` module.
+    pub use super::protos::vba::Vba;
+
     /// Data structures defined by the `pe` module.
     ///
     /// The main structure produced by the module is [`pe::PE`]. The rest
@@ -268,6 +286,8 @@ pub mod mods {
         info.dotnet = protobuf::MessageField(invoke::<Dotnet>(data));
         info.macho = protobuf::MessageField(invoke::<Macho>(data));
         info.lnk = protobuf::MessageField(invoke::<Lnk>(data));
+        info.olecf = protobuf::MessageField(invoke::<Olecf>(data));
+        info.vba = protobuf::MessageField(invoke::<Vba>(data));
         info
     }
 

lib/src/modules/modules.rs

@@ -17,6 +17,8 @@ mod macho;
 mod magic;
 #[cfg(feature = "math-module")]
 mod math;
+#[cfg(feature = "olecf-module")]
+mod olecf;
 #[cfg(feature = "pe-module")]
 mod pe;
 #[cfg(feature = "string-module")]
@@ -28,4 +30,6 @@ mod test_proto3;
 #[cfg(feature = "text-module")]
 mod text;
 #[cfg(feature = "time-module")]
-mod time;
+mod time;
+#[cfg(feature = "vba-module")]
+mod vba;

lib/src/modules/olecf/mod.rs

@@ -0,0 +1,50 @@
+/*! YARA module that parses OLE Compound File Binary Format files.
+
+The OLE CF format (also known as Compound File Binary Format or CFBF) is a 
+container format used by many Microsoft file formats including DOC, XLS, PPT,
+and MSI. This module specializes in parsing OLE CF files and extracting 
+metadata about their structure and contents.
+*/
+
+use crate::modules::prelude::*;
+use crate::modules::protos::olecf::*;
+pub mod parser;
+
+#[module_main]
+fn main(data: &[u8], _meta: Option<&[u8]>) -> Olecf {
+
+    match parser::OLECFParser::new(data) {
+        Ok(parser) => {
+            let mut olecf = Olecf::new();
+
+            // Check and set is_olecf
+            let is_valid = parser.is_valid_header();
+            olecf.is_olecf = Some(is_valid);
+
+            // Get stream names and sizes
+            match parser.get_stream_names() {
+                Ok(names) => {                    
+                    // Get sizes for each stream
+                    olecf.stream_sizes = names.iter()
+                        .filter_map(|name| {
+                            parser.get_stream_size(name)
+                                .ok()
+                                .map(|size| size as i64)
+                        })
+                        .collect();
+
+                    // Assign names last after we're done using them
+                    olecf.stream_names = names;
+                },
+                Err(_) => (),
+            }
+
+            olecf
+        },
+        Err(_) => {
+            let mut olecf = Olecf::new();
+            olecf.is_olecf = Some(false);
+            olecf
+        }
+    }
+}