KR20240050230A - Methods and apparatus for disarming a link in ms-xls - Google Patents

Abstract

This specification describes a method for a server to disarm link information of a non-executable file, based on the format of the non-executable file being an MS-XLS file, and a cell in the work stream of the MS-XLS file. ) Retrieves a first record associated with a hyperlink or a second record associated with an image hyperlink, and based on the first record or the second record being retrieved, retrieves a first binary value associated with the hyperlink, and 1 Based on the binary value being searched, searching for a second binary value related to the hyperlink in the record specifying the first binary value, and based on the second binary value being searched, searching for the second binary value in the record specifying the second binary value Search for link information, and detoxify the link information based on the searched link information. The first record may include an HLink, and the second record may include an MsoDrawing record.

Description

Method and apparatus for disarming a link in MS-XLS {METHODS AND APPARATUS FOR DISARMING A LINK IN MS-XLS}

This specification relates to a method and device for detoxifying links in MS-XLS documents.

Advanced Persistent Threat (APT) attacks involve attackers selecting a specific target and applying advanced attack techniques to continuously utilize various types of malicious code to steal targeted information. In particular, APT attacks are often not detected in the initial intrusion stage, and non-portable executable (Non-PE) files containing malicious code are often used rather than executable (portable executable, PE) files.

A non-executable file is the opposite of an executable file and refers to a file that does not run on its own. Examples of non-executable files include document files such as Word files, Excel files, Hangul files, and PDF files, image files, video files, JavaScript files, and HTML files. The reason why non-executable files containing malicious code are often used in APT attacks is because applications that run non-executable files have a certain degree of security vulnerability. In addition, if malicious code is included in a non-executable file, variant malicious code can be easily created by changing the file.

A document action is the act of executing an action in an application program involving a non-executable file. Existing APT solutions operate based on document behavior, so after document behavior occurs, changes in the sandbox (Virtural Machine, VM) are observed to determine whether it is malicious. This takes a long time to analyze because it waits for all document actions to occur before determining whether they are malicious.

Additionally, existing APT solutions such as CDR can remove malicious active content, but cannot eliminate vulnerabilities arising from essential elements of the document (e.g., body, font), creating a security gap.

Since non-executable files may contain harmful link information, the link information must be rendered harmless. In this case, the problem of the layout of the non-executable file changing or being distorted should not occur.

The purpose of this specification is to propose a method to detoxify Link while maintaining the overall structure of MS-XLS.

The technical problems to be achieved by this specification are not limited to the technical problems mentioned above, and other technical problems not mentioned will be clear to those skilled in the art from the detailed description of the specification below. It will be understandable.

One aspect of the present specification is a method for a server to disarm link information of a non-executable file, based on the format of the non-executable file being an MS-XLS file, the Work Stream of the MS-XLS file. searching for a first record related to a cell hyperlink or a second record related to an image hyperlink; retrieving a first binary value associated with a hyperlink based on whether the first record or the second record is retrieved; Based on the search for the first binary value, searching for a second binary value related to a hyperlink in the record specifying the first binary value; Based on the second binary value being searched, searching for link information in a record specifying the second binary value; and detoxifying the link information based on the link information being searched. Includes, wherein the first record may include an HLink, and the second record may include an MsoDrawing record.

Additionally, the first binary value may include the clsid value of the HFD record.

Additionally, the second binary value may include the CLSID_StdHl value of the HyperlinkMoniker record.

Additionally, the step of searching the link information includes searching a URLMoniker record within the HyperlinkMoniker record; may include.

Additionally, the step of detoxifying the link information includes detoxifying the url field value of the URLMoniker record; may include.

Additionally, the step of detoxifying the url field value includes leaving only the scheme in the url field value; may include.

Another aspect of the present specification is a server that disarms link information of non-executable files, comprising: a communication unit; Memory; and a processor that functionally controls the communication unit and the memory, wherein the processor selects a cell hyperlink in the work stream of the MS-XLS file based on the format of the non-executable file being an MS-XLS file. Retrieving a first record associated with a link or a second record associated with an image hyperlink, and based on the first record or the second record being retrieved, retrieving a first binary value associated with the hyperlink, the first binary Based on the value being searched, a second binary value related to the hyperlink is searched from the record specifying the first binary value, and based on the second binary value being searched, link information is retrieved from the record specifying the second binary value. Searches for, and based on the searched link information, the link information may be rendered harmless, the first record may include an HLink, and the second record may include an MsoDrawing record.

According to the embodiment of the present specification, Link can be detoxified while maintaining the overall structure of MS-XLS.

The effects that can be obtained in this specification are not limited to the effects mentioned above, and other effects not mentioned can be clearly understood by those skilled in the art from the description below. .

1 is a diagram showing a server or client related to this specification.
Figure 2 is an example of abnormal input that can be applied to this specification.
Figure 3 illustrates a URI configuration to which this specification can be applied.
Figure 4 illustrates a detoxification method to which the present disclosure can be applied.
Figure 5 illustrates a method for detoxifying an MS-DOC file to which this specification can be applied.
Figure 6 illustrates a HFD structure to which this specification can be applied.
Figure 7 illustrates a Hyperlink Object to which this specification can be applied.
Figure 8 is an example of HyperlinkMoniker to which this specification can be applied.
Figure 9 is an example of URLMoniker to which this specification can be applied.
Figure 10 is an example of a data stream to which this specification can be applied.
Figure 11 is an example of link information detoxification to which this specification can be applied.
Figure 12 illustrates a method for detoxification of MS-XLS files to which this specification can be applied.
Figure 13 illustrates an HLink record to which this specification can be applied.
Figure 14 illustrates an MsoDrawing record to which this specification can be applied.
Figure 15 illustrates an OfficeArtDgContainer record to which this specification can be applied.
Figure 16 illustrates an IHlink record to which this specification can be applied.
The accompanying drawings, which are included as part of the detailed description to aid understanding of the present specification, provide embodiments of the present specification and explain technical features of the present specification together with the detailed description.

Hereinafter, embodiments disclosed in the present specification will be described in detail with reference to the attached drawings. However, identical or similar components will be assigned the same reference numerals regardless of reference numerals, and duplicate descriptions thereof will be omitted. The suffixes “module” and “part” for components used in the following description are given or used interchangeably only for the ease of preparing the specification, and do not have distinct meanings or roles in themselves. Additionally, in describing the embodiments disclosed in this specification, if it is determined that detailed descriptions of related known technologies may obscure the gist of the embodiments disclosed in this specification, the detailed descriptions will be omitted. In addition, the attached drawings are only for easy understanding of the embodiments disclosed in this specification, and the technical idea disclosed in this specification is not limited by the attached drawings, and all changes included in the spirit and technical scope of this specification are not limited. , should be understood to include equivalents or substitutes.

Terms containing ordinal numbers, such as first, second, etc., may be used to describe various components, but the components are not limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

When a component is said to be “connected” or “connected” to another component, it is understood that it may be directly connected or connected to the other component, but that other components may exist in between. It should be. On the other hand, when it is mentioned that a component is “directly connected” or “directly connected” to another component, it should be understood that there are no other components in between.

Singular expressions include plural expressions unless the context clearly dictates otherwise.

In this specification, terms such as “comprise” or “have” are intended to designate the presence of features, numbers, steps, operations, components, parts, or combinations thereof described in the specification, but are not intended to indicate the presence of one or more other features. It should be understood that it does not exclude in advance the possibility of the existence or addition of elements, numbers, steps, operations, components, parts, or combinations thereof.

Additionally, the term “unit” used in the specification refers to a software or hardware component, and the “unit” performs certain roles. However, “wealth” is not limited to software or hardware. The “copy” may be configured to reside on an addressable storage medium and may be configured to run on one or more processors. Thus, as an example, “part” refers to software components, such as object-oriented software components, class components, and task components, processes, functions, properties, procedures, Includes subroutines, segments of program code, drivers, firmware, microcode, circuits, data, databases, data structures, tables, arrays, and variables. The functionality provided within the components and “parts” may be combined into smaller numbers of components and “parts” or may be further separated into additional components and “parts”.

Additionally, according to an embodiment of the present specification, “unit” may be implemented with a processor and memory. The term “processor” should be interpreted broadly to include general purpose processors, central processing units (CPUs), microprocessors, digital signal processors (DSPs), controllers, microcontrollers, state machines, etc. In some contexts, “processor” may refer to an application-specific integrated circuit (ASIC), programmable logic device (PLD), field programmable gate array (FPGA), etc. The term “processor” refers to a combination of processing devices, such as, for example, a combination of a DSP and a microprocessor, a combination of a plurality of microprocessors, a combination of one or more microprocessors in combination with a DSP core, or any other such combination of configurations. It may also refer to

The term “memory” should be interpreted broadly to include any electronic component capable of storing electronic information. The terms memory include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), programmable read-only memory (PROM), erasable-programmable read-only memory (EPROM), electrical may refer to various types of processor-readable media, such as erasable PROM (EEPROM), flash memory, magnetic or optical data storage, registers, etc. A memory is said to be in electronic communication with a processor if the processor can read information from and/or write information to the memory. The memory integrated into the processor is in electronic communication with the processor.

As used herein, “non-executable file” refers to a file that does not execute on its own, as opposed to an executable file or executable file. For example, non-executable files may be document files such as PDF files, Hangul files, Word files, image files such as JPG files, video files, JavaScript files, HTML files, etc., but are not limited thereto.

Below, with reference to the attached drawings, embodiments will be described in detail so that those skilled in the art can easily implement them. In order to clearly explain the present disclosure in the drawings, parts unrelated to the description may be omitted.

1 is a diagram showing a server or client related to this specification.

In this specification, a server (or cloud server) or client may include a control unit 100 and a communication unit 130. The control unit 100 may include a processor 110 and a memory 120. The processor 110 may execute instructions stored in the memory 120. The processor 110 can control the communication unit 130.

The processor 110 may control the operation of the server or client based on instructions stored in the memory 120. A server or client may include one processor or may include multiple processors. When a server or client includes a plurality of processors, at least some of the plurality of processors may be located physically spaced apart from each other. Additionally, the server or client is not limited to this and may be implemented in various known ways.

The communication unit 130 may include one or more modules that enable wireless communication between a server or client and a wireless communication system, between a server or client and another server or client, or between a server or client and an external server. Additionally, the communication unit 110 may include one or more modules that connect servers or clients to one or more networks.

The control unit 100 may control at least some of the components of the server or client to run the application program stored in the memory 120. Furthermore, the control unit 100 can operate at least two of the components included in the server or client in combination with each other to run the application program.

In this specification, the server may include a reversing engine or/and a CDR engine that provides a CDR service.

Reversing engine

The reversing engine is an analysis/diagnosis engine that automates the reverse engineering process for malicious non-executable files.

For example, a reversing engine can perform the following steps:

One. File analysis: This is the step of analyzing the appearance of the non-executable file itself (e.g., properties, author, creation date, file type). Similar to a general anti-virus program, maliciousness can be diagnosed using only the information of the non-executable file itself. .

2. Static analysis: This is a step to extract and analyze the data in a non-executable file to determine whether it is normal or malicious. Non-executable files are not executed, but internal data can be extracted and compared and analyzed according to the file structure to diagnose maliciousness. This can be suitable for macros, URL extraction analysis, etc.

3. Dynamic analysis: This is a step to determine whether or not a non-executable file is malicious by reading and monitoring it through an application program that includes an editor and reader and analyzing its behavior. It is used to detect malicious behavior using normal functions such as macros, hyperlinks, and DDE. It's easy.

4. Debugging analysis: This is the step of reading and debugging non-executable files to analyze vulnerabilities, exploits, etc., to detect vulnerabilities in applications using the body of the document, tables, fonts, pictures, etc., including macros, hyperlinks, and DDE. Suitable.

The reversing engine may include a debugging engine that can be used for debugging analysis. The debugging engine can diagnose vulnerabilities that occur in the document input, processing, and output stages by debugging the viewing process of non-executable files. Here, a vulnerability refers to taking advantage of an error or bug that occurs when an application receives an unexpected value from the code (logic) developed by the application developer. An attacker can use the vulnerability to cause denial of service due to abnormal termination, etc. It can perform malicious actions such as remote code execution.

Content Disarm and Reconstruction (CDR)

The CDR service is a solution that creates a new file by disassembling non-executable files, removing malicious or unnecessary files, and keeping the content as identical as possible to the original.

In other words, Contents Disarm and Reconstruction (CDR) refers to a service that creates safe documents and provides them to customers by disarming and reconstructing the content in the document, and the files subject to detoxification are all non-executable files (e.g. For example, Word, Excel, PowerPoint, Hangul, PDF) can be targeted, and the content targeted for detoxification can be active content (eg, macros, hyperlinks, OLE objects, etc.).

Figure 2 is an example of abnormal input that can be applied to this specification.

Referring to Figure 2, when an application program receives an abnormal value (for example, when the input value exceeds the normal range of 2) through a non-executable file, the execution flow is changed to an unintentional one by the developer, resulting in a vulnerability. This can work. The debugging engine automatically debugs the document viewing process, sets breakpoints at specific points related to vulnerabilities, checks specific values related to input values, and determines whether the input value causes a vulnerability or not, thereby diagnosing whether it is malicious.

More specifically, the debugging engine can identify non-executable files and start debugging by running an application to view them. When a module is loaded in the process of viewing a non-executable file, the debugging engine checks whether the module is the target of analysis, and if so, can set a breakpoint at the specified address.

For example, a malicious non-executable file may terminate the application if certain conditions, such as the version of the application or the operating system environment, are not met, or may have branching points that diverge to a flow in which no malicious action occurs. The server is analyzed by an analyst in advance and breakpoints can be set at branch points that have this possibility.

In addition, the server can set conditions in relation to the branch point that can continue to run the application without terminating it or lead to a flow in which malicious actions can occur.

If the process stops at the breakpoint point during execution of the application process, the server can detect vulnerabilities according to detection logic and then store the results in an analysis report.

The automated reversing engine included in the server automatically performs and analyzes the above-mentioned steps, and can diagnose and block malicious non-executable files through diagnostic algorithms researched and developed by analysts.

Figure 3 illustrates a URI configuration to which this specification can be applied.

Referring to FIG. 3, URI (Uniform Resource Identifier), which is link information subject to detoxification in this specification, is illustrated.

Generally, URI syntax may include scheme, authority, path, query, and fragment.

Table 1 is an example of a hierarchical sequence of URI syntax to which this specification can be applied.

URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]

hier-part = "//" authority path-abempty
/path-absolute
/path-rootless
/path-empty

For example, the URI syntax may be composed of a hierarchical sequence as shown in Table 1 below. Referring to Figure 3 and Table 1, the rules related to “/” in URI may be as follows. (1) When authority is present, the path must either be empty or begin with a slash ("/") character.

(2) When authority is not present, the path cannot begin with two slash characters ("//").

Therefore, in URI, the number of “/” related to the path can be determined depending on the presence or absence of authority. For example, the server can determine authority through “/”.

If all URIs are removed through the detoxification process, the link indicator may disappear from the office document, so the detoxification result may have a different layout from the original. To prevent this problem from occurring, in this specification, only the slash (“/”) from the scheme can be left as a way to make the link information harmless.

Through this, documents subject to detoxification can maintain their layout, and users can intuitively recognize what type of existing link information was (e.g. http, file, mailto, etc.).

Table 2 is an example of detoxification results to which this specification can be applied.

original Detoxification result foo://example.com:8042/over/there?name=ferret#nose foo:// urn:example:animal:ferret:nose urn: https://seculetter.com https:// mailto:anesin@seculleter.com mailto:

Figure 4 illustrates a detoxification method to which the present disclosure can be applied. Referring to FIG. 4, the server can determine the document format of the non-executable file (S4010). For example, in order to determine the document format of a non-executable file, the server can open the non-executable file and check the signature type in the binary code to determine the format of the document.

For example, each non-executable file has its own unique format, and the basic content of the format is the file signature. File signatures can also be used to distinguish file formats by specifying the specific bytes located at the beginning of the file.

If the server determines that the format of the non-executable file is an MS-DOC file, it performs detoxification of the DOC file (S4020), and if it determines that the format of the non-executable file is an MS-XLS file, it detoxifies the MS-XLS file. It can be performed (S4030).

Figure 5 illustrates a method for detoxification of MS-DOC files to which this specification can be applied.

Referring to FIG. 5, when the server determines that the format of the non-executable file is an MS-DOC file, a method for detoxifying the MS-DOC file is illustrated.

If you decompress CFB files, including MS-DOC files, you can check the directory and file structure. At this time, the directory type is called storage and the file type is called stream.

MS-DOC inserts link information using HYPERLINK among the field functions. This field function may also be common to WordprocessingML, which is based on MS-OOXML.

The server can detoxify link information for objects (e.g., images, shapes, etc.) stored in the data stream.

For example, the server can find the NilPICFAndBinData - HFD item based on the MS-DOC specification (Spec) and detoxify the link information in URLMoniker inside the Hyperlink Object based on the MS-OSHARED specification (Spec).

Specifications that can be applied to this specification are as follows.

[MS-DOC]: Word (.doc) Binary File Format

( https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-doc/ccd7b486-7881-484c-a137-51170af7cc22 )

One. Introduction

The Word Binary File Format is a collection of records and structures that specify text, tables, fields, pictures, embedded XML markup, and other document content. Content can be printed on pages of different sizes or displayed on a variety of devices.

The Word binary file format begins with a master record called the File Information Block, which can reference all other data within the file. Through links in file information blocks, an application can find all text and other objects in a file and calculate the properties of those objects.

2. Structures

2.9 Basic Types

2.9.115 HFD

Figure 6 illustrates a HFD structure to which this specification can be applied.

Referring to FIG. 6, the HFD structure can specify hyperlink field data, including how to handle a hyperlink when passing through it, and its location in the document or an external document or web page.

bits (1 byte): HFDBit specifies how to handle hyperlinks when passing through them.

clsid (16 bytes): A CLSID (class identifier) that specifies the COM (Component Object Model) component used to create hyperlinks.

hyperlink (variable): [MS-OSHARED] A hyperlink object specified in section 2.3.7.1. This object specifies a location in this document or an external document or web page.

2.9.158 NilPICFAndBinData

The NilPICFndBinData structure can store header information and binary data for hyperlinks, form fields, or additional fields. The NilPICFanndBinData structure must be stored in the data stream.

[MS-OSHARED]: Office Common Data Types and Objects Structures

(https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-oshared/d93502fa-5b8f-4f47-a3fe-5574046f4b8d)

One. Introduction

Office Common Data Types and Objects Structures can provide a collection of common data types, objects, and algorithms used in various Office application binary file formats.

2.Structures

2.3 Common Objects

2.3.7 Hyperlinks

Below are examples of objects related to hyperlinks.

2.3.7.1 Hyperlink Object

Figure 7 illustrates a Hyperlink Object to which this specification can be applied.

Referring to FIG. 7, the structure of the Hyperlink Object can specify hyperlinks and hyperlink-related information.

moniker (variable): Optional HyperlinkString to specify a hyperlink moniker. Exists only when hlstmfHasMoniker is 1 and hlstmfMonikerSavedAsStr is 1.

2.3.7.2 HyperlinkMoniker

* Figure 8 is an example of HyperlinkMoniker to which this specification can be applied.

Referring to Figure 8, a structure for specifying a hyperlink moniker is illustrated.

monikerClsid (16 bytes): CLSID (class identifier) that specifies COM (Component Object Model) components.

Table 3 is an example of monikerClsid.

Value Meaning {0x79EAC9E0, 0xBAF9, 0x11CE, 0x8C, 0x82, 0x00, 0xAA, 0x00, 0x4B, 0xA9, 0x0B} Data field contains a URLMoniker (section 2.3.7.6). {0x00000303, 0x0000, 0x0000, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} Data field contains a FileMoniker (section 2.3.7.8). {0x00000309, 0x0000, 0x0000, 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46} Data field contains a CompositeMoniker (section 2.3.7.3). {0x00000305, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } Data field contains an AntiMoniker (section 2.3.7.4). {0x00000304, 0x0000, 0x0000, { 0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46 } Data field contains an ItemMoniker (section 2.3.7.5).

2.3.7.6 URLMoniker Figure 9 is an example of URLMoniker to which this specification can be applied.

Referring to Figure 9, the structure of URLMoniker is illustrated.

url (variable): A null-terminated array of Unicode strings that specifies a URL. The number of characters in an array can be determined by the position of the terminating NULL character.

The above-mentioned specification list may have an inclusion relationship from top to bottom. For example, NilPICFAndBinData may contain HFD, and HFD may contain Hyperlink Object.

Figure 10 is an example of a data stream to which this specification can be applied.

Referring to FIG. 10, link information about an object may be stored in a data stream. This link information can be found by sequentially searching the records listed in the above specification.

If you use a CLSID that exists only in some records, you can approach it in a way that is advantageous in terms of performance and simplicity. In other words, while searching for records sequentially requires searching through the record header structure, using CLSID involves performing a binary search on the stream itself, which has advantages in terms of performance and simplicity.

Referring again to FIG. 5, the server searches the data stream for the first binary value related to the hyperlink (S5010). For example, the server can sequentially search whether the binary value of the data stream is {79eac9d0-baf9-11ce-8c82-00aa004ba90b}. More specifically, the first binary value may include clsid(1010) of the HFD record.

Based on the search for the first binary value, the server searches for the second binary value related to the hyperlink in the record specifying the first binary value (S5020). For example, the server can sequentially search whether the value of HyperlinkMoniker is {79eac9e0-baf9-11ce-8c82-00aa004ba90b} within the range of the HFD record. More specifically, the second binary value may include CLSID_StdHlink (1020) of the HyperlinkMoniker record.

Based on the search for the second binary value, the server searches for link information in the record specifying the second binary value (S5030). For example, the server can search for a URLMoniker record 1030 within a HyperlinkMoniker record.

Based on the link information being retrieved, the server renders the link information harmless (S5040). For example, a server may benign the value of the url field of a URLMoniker record. More specifically, the server can leave only the scheme in the url field value, or if “/” exists, only the scheme and “/”.

Figure 11 is an example of link information detoxification to which this specification can be applied.

Referring to FIG. 11, the server may not remove link information using the null character (\0) in FIG. 10, but may perform detoxification using a space (0x20). The reason for not using the null character is that the MS-CFB specification for some strings may be null-terminated strings.

Figure 12 illustrates a method for detoxification of MS-XLS files to which this specification can be applied.

Referring to FIG. 12, when the server determines that the format of the non-executable file is an MS-XLS file, a method for detoxifying the MS-XLS file is illustrated.

For example, in MS-XLS, link information can be included in cells, objects, and formulas.

The related specifications are as follows.

[MS-XLS]: Excel Binary File Format (.xls) Structure

( https://learn.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/cd03cb5f-ca02-4934-a391-bb674cb8aa06 )

One. Introduction

The Excel Binary File Format (.xls) structure can specify the Excel Binary File Format (.xls). The Excel binary file format (.xls) is a collection of records and structures that specify the workbook content: unstructured or semi-structured tables of numbers, text, or numbers and text, formulas, external data connections, charts, and images. may include. Workbook content can generally be organized into a layout-based grid and often includes numeric data, structured data, and formulas.

2. Structures

2.1 File Structure

2.1.7 Storage and Streams

Below you can specify the storage, stream, and substream of the Excel binary file format (.xls) file.

2.1.7.20 Workbook Stream (Workbook)

The workbook stream can specify the global properties and data of the workbook, and the sheets that make up the workbook.

2.1.7.20.5 Workbook Substream

The workbook substream specifies a worksheet.

Table 4 illustrates the structure of Workbook Substream.

WORKSHEETCONTENT = [Uncalced] Index GLOBALS PAGESETUP [HeaderFooter] [BACKGROUND] *BIGNAME [PROTECTION] COLUMNS [SCENARIOS] SORTANDFILTER Dimensions [CELLTABLE] OBJECTS *HFPicture *Note *PIVOTVIEW [DCON] 1*WINDOW *CUSTOMVIEW *2SORT [DxGCol] *MergeCells [LRng] *QUERYTABLE [PHONETICINFO] CONDFMTS *HLINK [DVAL] [CodeName] *WebPub *CellWatch [SheetExt] *FEAT *FEAT11 *RECORD12 EOF

WORKSHEET = BOF WORKSHEETCONTENT

SCENARIOS = ScenMan *(SCENARIO *Continue)

SORTANDFILTER = [Sort] [SORTDATA12] [FilterMode] [DropDownObjIds] [AUTOFILTER]

PIVOTVIEW = PIVOTCORE [PIVOTFRT]

PIVOTCORE = SxView *PIVOTVD *2PIVOTIVD [PIVOTPI] *SXDI *PIVOTLI PIVOTEX

PIVOTFRT = PIVOTFRT9 [PIVOTADDL]

PIVOTFRT9 = QsiSXTag [DBQUERYEXT] [PIVOTVIEWEX] SXViewEx9

PIVOTVD = Sxvd *SXVI SXVDEx

PIVOTIVD = SxIvd *Continue

PIVOTPI = SXPI *Continue

PIVOTLI = SXLI *Continue

PIVOTEX = SXEx *PIVOTSELECT *PIVOTFORMAT

PIVOTSELECT = SxSelect PIVOTRULE

PIVOTFORMAT = SxFormat PIVOTRULE [SxDXF]

PIVOTVIEWEX = SXViewEx *PIVOTTH *SXPIEx *PIVOTVDTEX

PIVOTTH = SXTH *ContinueFrt

PIVOTVDTEX = SXVDTEx *ContinueFrt

QUERYTABLE = Qsi DBQUERY QsiSXTag DBQUERYEXT [SXADDLQSI] [QSIR] [SORTDATA12]

SXADDLQSI = SXAddl_SXCQsi_SXDId SXADDLDBQUERY *UNKNOWNFRT SXAddl_SXCQsi_SXDEnd

QSIR = Qsir *Qsif

DBQUERY = DbOrParamQry [1*SXString [DbOrParamQry *(SXString DbOrParamQry)]] *SXString

DBQUERYEXT = DBQueryExt [ExtString] *4[OleDbConn *ExtString] [TxtQry *ExtString]

CONDFMTS = *(CONDFMT / CONDFMT12) *(CFEx [CF12])

CONDFMT = CondFmt 1*3CF

CONDFMT12 = CondFmt12 1*CF12

HLINK = HLink [HLinkTooltip]

DVAL = DVal *65534Dv

PIVOTADDL = SXAddl_SXCView_SXDId *Continue_SxaddlSxString [SXAddl_SXCView_SXDVer10Info] [SXAddl_SXCView_SXDVer12Info] *SXADDLCALCMEMBER *SXADDLHIERARCHY *SXADDLFIELD *UNKNOWNFRT [SXAddl_SXCView_ SXDTableStyleClient] [SXAddl_SXCView_SXDCompactRwHdr *Continue_SxaddlSxString] [SXAddl_SXCView_SXDCompactColHdr *Continue_SxaddlSxString] [SXAddl_SXCView_SXDVerUpdInv] [SXADDLCONDFMTS] [SXADDLSXFILTERS12] *S S

SXADDLCALCMEMBER = (SXAddl_SXCView_SXDCalcMember [SXAddl_SXCView_SXDCalcMemString *Continue_SxaddlSxString])

SXADDLCONDFMTS = SXAddl_SXCSXCondFmts_SXDId *SXADDLCONDFMT SXAddl_SXCSXCondFmts_SXDEnd

SXADDLCONDFMT = SXAddl_SXCSXCondFmt_SXDSXCondFmt *SXADDLSXRULE SXAddl_SXCSXCondFmt_SXDEnd

SXADDLAUTOSORT = SXAddl_SXCAutoSort_SXDId SXADDLSXRULE SXAddl_SXCAutoSort_SXDEnd

SXADDLSXRULE = SXAddl_SXCSXrule_SXDId SXAddl_SXCSXrule_SXDSXrule *SXADDLSXFILT SXAddl_SXCSXrule_SXDEnd

SXADDLSXFILT = SXAddl_SXCSXfilt_SXDId SXAddl_SXCSXfilt_SXDSXfilt [SXAddl_SXCSXfilt_SXDSXItm] SXAddl_SXCSXfilt_SXDEnd

SXADDLSXFILTERS12 = SXAddl_SXCSXFilters12_SXDId *SXADDLSXFILTER12 SXAddl_SXCSXFilters12_SXDEnd

SXADDLSXFILTER12 = SXAddl_SXCSXFilter12_SXDId SXAddl_SXCSXFilter12_SXDSXFilter [SXAddl_SXCSXFilter12_SXDCaption *Continue_SxaddlSxString] [SXAddl_SXCSXFilter12_SXDSXFilterDesc *Continue_SxaddlSxStr ing] [SXAddl_SXCSXFilter12_SXDSXFilterValue1 *Continue_SxaddlSxString] [SXAddl_SXCSXFilter12_SXDSXFilterValue2 *Continue_SxaddlSxString] SXAddl_SXCSXFilter12_SXDXlsFilter [SXAddl_SXCSXFilter12_SXDX lsFilterValue1 *Continue_SxaddlSxString] [SXAddl_SXCSXFilter12_SXDXlsFilterValue2 *Continue_SxaddlSxString] SXAddl_SXCSXFilter12_SXDEnd

SXADDLFIELD = [SXAddl_SXCField_SXDId *Continue_SxaddlSxString SXAddl_SXCField_SXDVer10Info SXAddl_SXCField_SXDEnd] [SXADDLFIELD12]

Sxaddlfield12 = sxaddl_sxcfield12_sxdid FIELD2_SXDMEMBERCAPTION *Continue_sxadlsxString] [sxaddl_sxcfield12_sxdautoshow] [sxaddl_sxcfield12_sxdisxth] Sxcfield12_sxdverupdinv *unknownfrt sxaddl_sxcfield12_sxdend

SXADDLHIERARCHY = SXAddl_SXCHierarchy_SXDId *Continue_SxaddlSxString *SXAddl_SXCHierarchy_SXDProperty *SXADDLGRPLEVEL [SXAddl_SXCHierarchy_SXDVerUpdInv] *SXAddl_SXCHierarchy_SXDFilterMember [SXAddl_SXCH ierarchy_SXDVerUpdInv] [SXAddl_SXCHierarchy_SXDSXSetParentUnique *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDIconSet] [SXAddl_SXCHierarchy_SXDUserCaption *Continue_SxaddlSxString] *UNKNOWNFRT [SXAddl_SXCHier archy_SXDVerUpdInv] *SXAddl_SXCHierarchy_SXDFilterMember12 [SXAddl_SXCHierarchy_SXDVerUpdInv] [SXAddl_SXCHierarchy_SXDInfo12] [SXAddl_SXCHierarchy_SXDDisplayFolder *Continue_SxaddlSxString] [SXAddl_S XCHierarchy_SXDMeasureGrp *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDParentKPI *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDKPIValue *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDKPIGoal *Continue_SxaddlSxString] [SX Addl_SXCHierarchy_SXDKPIStatus *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDKPITrend *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDKPIWeight *Continue_SxaddlSxString] [SXAddl_SXCHierarchy_SXDKPITime *Continue_SxaddlSxString] SXAddl_SXCHierarchy_SXDEnd

SXADDLGRPLEVEL = SXAddl_SXCGrpLevel_SXDId *Continue_SxaddlSxString SXAddl_SXCGrpLevel_SXDGrpLevelInfo *SXADDLGROUP *UNKNOWNFRT SXAddl_SXCGrpLevel_SXDEnd

SXADDLGROUP = SXAddl_SXCGroup_SXDId *Continue_SxaddlSxString SXAddl_SXCGroup_SXDGrpInfo *SXAddl_SXCGroup_SXDMember *UNKNOWNFRT SXAddl_SXCGroup_SXDEnd

Referring to Table 4, each record in the workbook sub-stream may have sub-records. Among these sequences, the record for the hyperlink is HLink. 2.1.7.20.6 Common Productions Record sequence fragments that can be common to multiple sub-streams can be specified.

Table 5 illustrates the structure of Common Productions.

GLOBALS = CalcMode CalcCount CalcRefMode CalcIter CalcDelta CalcSaveRecalc PrintRowCol PrintGrid GridSet Guts DefaultRowHeight WsBool [Sync] [LPr] [HorizontalPageBreaks] [VerticalPageBreaks]

PAGESETUP = Header Footer HCenter VCenter [LeftMargin] [RightMargin] [TopMargin] [BottomMargin] [Pls *Continue] Setup

BACKGROUND = BkHim *Continue

BIGNAME = BigName *ContinueBigName

PROTECTION = [Protect] [ScenarioProtect] [ObjProtect] [Password]

COLUMNS = DefColWidth *255ColInfo

AUTOFILTER = AutoFilterInfo *(AutoFilter / (AutoFilter12 *ContinueFrt12)) *SORTDATA12

CELLTABLE = 1*(1*Row *CELL 1*DBCell) *EntExU2

CELL = FORMULA / Blank / MulBlank / RK / MulRk / BoolErr / Number / LabelSst

FORMULA = [Uncalced] Formula [Array / Table / ShrFmla / SUB] [String *Continue]

PHONETICINFO = PhoneticInfo *Continue

OBJECTS = *(MSODRAWING *(TEXTOBJECT / OBJ)) [MsoDrawingSelection]

MSODRAWING = MsoDrawing *Continue

OBJ = Obj *Continue *CHART

CHART = CHARTSHEET *Continue

TEXTOBJECT = TxO *Continue

DCON = DCon *(DConName / DConBin / DConRef)

WINDOW = Window2 [PLV] [Scl] [Pane] *Selection

CUSTOMVIEW = UserSViewBegin *Selection [HorizontalPageBreaks] [VerticalPageBreaks] [Header] [Footer] [HCenter] [VCenter] [LeftMargin] [RightMargin] [TopMargin] [BottomMargin] [Pls] [Setup] [PrintSize] [HeaderFooter] [AUTOFILTER] UserSViewEnd

SORT = RRSort *Continue

SORTDATA12 = SortData *ContinueFrt12

PIVOTRULE = SxRule *PRFILTER

PRFILTER = SxFilt [SxItm *Continue]

FEAT = FeatHdr *(Feat *ContinueFrt)

FEAT11 = FeatHdr11 *((Feature11 / Feature12) *ContinueFrt11 *List12 [AutoFilter12 *ContinueFrt12] *List12 [SORTDATA12])

RECORD12 = HeaderFooter

SXADDLDBQUERY = [SXAddl_SXCQuery_SXDXMLSource *Continue_SxaddlSxString] [SXAddl_SXCQuery_SXDSrcDataFile *Continue_SxaddlSxString] [SXAddl_SXCQuery_SXDSrcConnFile *Continue_SxaddlSxString] [SXAddl_SXCQuery_ SXDReconnCond] SXAddl_SXCQuery_SXDEnd

UNKNOWNFRT = SXAddl

Referring to Table 5, the record associated with the image hyperlink is MsoDrawing.2.4 Records2.4.140 HLink

Figure 13 illustrates an HLink record to which this specification can be applied.

Referring to Figure 13, an HLink record can specify a hyperlink associated with a cell range.

ref8 (8 bytes): Ref8U structure that specifies the range of cells containing hyperlinks.

hlinkClsid (16 bytes): A class identifier (CLSID) that specifies the COM component that stores the hyperlink's hyperlink object (as defined in [MS-OSHARED] section 2.3.7.1).

hyperlink (variable): A hyperlink object (as defined in [MS-OSHARED] section 2.3.7.1) that specifies a hyperlink and hyperlink-related information.

Here, hlinkClsid may have a binary value {79eac9d0-baf9-11ce-8c82-00aa004ba90b} in UUID (universally unique identifier) format. A hyperlink record can include a Hyperlink Object, and HyperlinkMoniker and URLMoniker can be included as child records.

2.4.170 MsoDrawing

Figure 14 illustrates an MsoDrawing record to which this specification can be applied.

Referring to FIG. 14, the MsoDrawing record can specify a drawing.

rgChildRec (variable): OfficeArtDgContainer structure described in [MS-ODRAW] that specifies a picture.

2.2.13 OfficeArtDgContainer

Figure 15 illustrates an OfficeArtDgContainer record to which this specification can be applied.

Referring to Figure 15, the OfficeArtDgContainer record can specify the container of all file records for a picture object.

shape (variable): OfficeArtSpContainer record. You can specify a container for shapes that are not included in the group.

OfficeArtSpContainer records contain link information related to images. In the OfficeArtSpContainer record, pihlShape and pihlShape_complex can be listed as equal. More specifically, information about whether the latter (pihlShape_complex) exists may be contained in the former (pihlShape) field.

pihlShape_complex can contain child IHlink records.

2.2.60 IHlink

Figure 16 illustrates an IHlink record to which this specification can be applied.

Referring to Figure 16, an IHlink record can specify a hyperlink.

CLSID_StdHlink (16 bytes): GUID must be {79eac9d0-baf9-11ce-8c82-00aa004ba90b}.

hyperlink (variable): [MS-OSHARED] A variable-length field that specifies a serialized hyperlink object, as described in section 2.3.7.1.

CLSID_StdHlink is fixed to {79eac9d0-baf9-11ce-8c82-00aa004ba90b}. In other words, it can have the same value as the hlinkClsid field in the HLink item. The hyperlink in IHlink can have the same value as the hyperlink field in the HLink item.

Therefore, the detoxification method in MS-DOC can be similarly applied.

In other words, both HyperlinkMoniker and URLMoniker have the same structure, and the monikerClsid field in the HyperlinkMoniker record, which is the main value, can be {0x79EAC9E0, 0xBAF9, 0x11CE, 0x8C, 0x82, 0x00, 0xAA, 0x00, 0x4B, 0xA9, 0x0B}.

Referring again to FIG. 12, the server searches the work stream for a first record related to a cell hyperlink or a second record related to an image hyperlink (S1210). For example, the first record may include an HLink and the second record may include an MsoDrawing record. Since each record is in the form of a sequence rather than a nested form in the Work Stream, the server can immediately search for these records.

The server searches for the first binary value related to the hyperlink based on whether the first record or the second record was searched (S1220). For example, the server may sequentially search for the binary value {79eac9d0-baf9-11ce-8c82-00aa004ba90b} within the searched first record or second record. More specifically, the first binary value may include the clsid of the HFD record.

Based on the search for the first binary value, the server searches for a second binary value related to the hyperlink in the record specifying the first binary value (S1230). For example, the server can sequentially search whether the value of HyperlinkMoniker is {79eac9e0-baf9-11ce-8c82-00aa004ba90b} within the range of the HFD record. More specifically, the second binary value may include the CLSID_StdHlink of the HyperlinkMoniker record.

Based on the search for the second binary value, the server searches for link information in the record specifying the second binary value (S1240). For example, a server can search for a URLMoniker record within a HyperlinkMoniker record.

The server renders the link information harmless based on the link information being searched (S1250).

For example, a server may benign the value of the url field of a URLMoniker record. More specifically, the server can leave only the scheme in the url field value, or if “/” exists, only the scheme and “/”.

The above-described specification can be implemented as computer-readable code on a program-recorded medium. Computer-readable media includes all types of recording devices that store data that can be read by a computer system. Examples of computer-readable media include HDD (Hard Disk Drive), SSD (Solid State Disk), SDD (Silicon Disk Drive), ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc. This also includes those implemented in the form of carrier waves (e.g., transmission via the Internet). Accordingly, the above detailed description should not be construed as restrictive in all respects and should be considered illustrative. The scope of this specification should be determined by reasonable interpretation of the appended claims, and all changes within the equivalent scope of this specification are included in the scope of this specification.

In addition, although the above description focuses on the services and embodiments, this is only an example and does not limit the present specification, and those of ordinary skill in the field to which this specification pertains will understand that it does not deviate from the essential characteristics of the services and embodiments. It can be seen that various modifications and applications not exemplified above are possible. For example, each component specifically shown in the embodiments can be modified and implemented. And the differences related to these modifications and applications should be construed as being included in the scope of the present specification as defined in the attached claims.

Claims (7)

In a method for a server to disarm the link information of a non-executable file,
Based on the format of the non-executable file being an MS-XLS file, searching for a first record related to a cell hyperlink or a second record related to an image hyperlink in the Work Stream of the MS-XLS file;
retrieving a first binary value associated with a hyperlink based on whether the first record or the second record is retrieved;
Based on the search for the first binary value, searching for a second binary value related to a hyperlink in the record specifying the first binary value;
Based on the second binary value being searched, searching for link information in a record specifying the second binary value; and
Based on the link information being searched, detoxifying the link information;
Includes,
The first record includes HLink,
The method of claim 1, wherein the second record includes a MsoDrawing record.
According to paragraph 1,
The first binary value is
Decomposition method, including the clsid value of the HFD record.
According to paragraph 2,
The second binary value is
A decomposition method, including the CLSID_StdHl value of the HyperlinkMoniker record.
According to paragraph 3,
The step of retrieving the link information is
searching for a URLMoniker record within the HyperlinkMoniker record;
Detoxification method, including.
According to paragraph 4,
The step of detoxifying the link information is
Detoxifying the url field value of the URLMoniker record;
Detoxification method, including.
According to clause 5,
The step of detoxifying the url field value is
Leaving only scheme in the url field value;
Detoxification method, including.
In a server that disarms link information of non-executable files,
Ministry of Communications;
Memory; and
It includes a processor that functionally controls the communication unit and the memory,
The processor is
Based on the format of the non-executable file being an MS-XLS file, a first record related to a cell hyperlink or a second record related to an image hyperlink is searched in the Work Stream of the MS-XLS file, Based on whether the first record or the second record was retrieved, a first binary value associated with the hyperlink is retrieved, and based on the first binary value being retrieved, a first binary value associated with the hyperlink is retrieved from the record specifying the first binary value. Retrieving a second binary value, searching for link information in a record specifying the second binary value based on the second binary value being retrieved, and detoxifying the link information based on the link information being retrieved; , wherein the first record includes an HLink and the second record includes an MsoDrawing record.