[MS-OLEDS] 2.3.3 OLEStream


Problem description


1.
Field: ReservedMonikerStreamSize / RelativeSourceMonikerStreamSize / AbsoluteSourceMonikerStreamSize
Description: "This MUST be set to the size, in bytes, of the XXXMonikerStream field."

In example 3.2 OLEStream Structure - Linked Object:
0x00000014 RelativeSourceMonikerStreamSize = 0x55(0x69 - 0x14)
0x00000018 RelativeSourceMonikerStream.Clsid
0x00000028 RelativeSourceMonikerStream.StreamData
0x00000069 AbsoluteSourceMonikerStreamSize

It's actually len(XXXMonikerStreamSize) + len(XXXMonikerStream), not len(XXXMonikerStream).

By the way, is this "XXXMonikerStreamSize" field really used?
I've seen some malicious document files relying on CompositeMoniker, declaring a wrong moniker stream size, but Word could still correctly handle them. Looks like Word just reads "XXXMonikerStreamSize" bytes of data and then parses them, and uses the actual size from the moniker structure eventually.

2.
Field: ReservedDisplayName
Description: This MUST be a LengthPrefixedUnicodeString (section 2.1.5) that can contain any arbitrary value and MUST be ignored on processing.

In structure LengthPrefixedUnicodeString, the "Length" is the number of Unicode characters in the "String" field, which means, the actual length in bytes is (2 * "Length").

But according to the files I have seen, lots of them specify the size (in "ReservedDisplayName") in the latter form (2 * "Length"), so which is the correct one?

Recommended answer

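Hello mint177

Thank you for your inquiry about the Open Specifications. We have created an incident to investigate this issue. One of the Open Specifications team members will contact you tomorrow to assist further.

Thanks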
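A consistency check for the moniker size fields raised in point 1 of the question, as an added example that is not part of the original thread or of the specification: it walks the size fields under both readings and reports which one lines up with the data, so a file whose declared sizes match neither can be flagged. Only the offsets 0x14, 0x18, 0x28, 0x69 and the value 0x55 come from the question; the 0xFFFFFFFF end marker, the function names and the sample buffer are assumptions constructed here.

```python
import struct

END_MARKER = 0xFFFFFFFF  # assumption: DWORD expected right after the last moniker stream

def walk(buf, size_off, count, size_counts_itself):
    """Follow `count` (size DWORD, stream) pairs; return the offset after them, or None."""
    for _ in range(count):
        if size_off + 4 > len(buf):
            return None
        (declared,) = struct.unpack_from("<I", buf, size_off)
        if size_counts_itself:
            # Reading from example 3.2: the value also covers its own 4 bytes.
            # Assumption: a value below 4 means "no stream follows".
            size_off += max(declared, 4)
        else:
            # Reading from the field description: the value covers the stream only.
            size_off += 4 + declared
    return size_off

def lands_on_marker(buf, off):
    if off is None or off + 4 > len(buf):
        return False
    return struct.unpack_from("<I", buf, off)[0] == END_MARKER

def classify(buf, first_size_off, count):
    """Report which reading of the size fields is consistent with the buffer."""
    stream_only = lands_on_marker(buf, walk(buf, first_size_off, count, False))
    with_field = lands_on_marker(buf, walk(buf, first_size_off, count, True))
    if stream_only and with_field:
        return "ambiguous"
    if with_field:
        return "includes-size-field"
    if stream_only:
        return "stream-only"
    return "inconsistent"  # declared sizes do not match the data: worth flagging

def build_sample(rel_declared=0x55):
    """Constructed buffer laid out at the offsets quoted in the question."""
    buf = bytearray(0x14)                       # bytes before 0x14, left as zeros
    buf += struct.pack("<I", rel_declared)      # 0x14 RelativeSourceMonikerStreamSize
    buf += bytes(16) + bytes(0x41)              # 0x18 Clsid, 0x28 StreamData (ends at 0x69)
    buf += struct.pack("<I", 0x14) + bytes(16)  # 0x69 AbsoluteSourceMonikerStreamSize + Clsid
    buf += struct.pack("<I", END_MARKER)        # 0x7D constructed end marker
    return bytes(buf)

if __name__ == "__main__":
    print(classify(build_sample(), 0x14, 2))      # size fields as in the question
    print(classify(build_sample(0x40), 0x14, 2))  # constructed wrong size
```
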

