/* Name reported on detection: the "emf" prefix combined with the one virus name declared below	*/
VIRUSNAME_PREFIX("emf")
VIRUSNAMES("CVE-2008-2238")
/* TARGET(0): no file-type restriction for this bytecode (presumably — confirm against the bytecode API reference)	*/
TARGET(0)

/* Signature declaration	*/
SIGNATURES_DECL_BEGIN
DECLARE_SIGNATURE(emr_header)
SIGNATURES_DECL_END

/* Signature definition		*/
SIGNATURES_DEF_BEGIN
/* Matches at offset 0: the bytes 01 00 00 00, then 37 arbitrary bytes, then 45 4d 46 (ASCII "EMF").
   Looks like the EMF file header (EMR_HEADER record type 1 followed by the " EMF" signature) — TODO confirm against the EMF spec	*/
DEFINE_SIGNATURE(emr_header, "0:01000000{37}454d46")
SIGNATURES_END

/* All bytecode triggered by logical signatures must have this function	*/
bool logical_trigger()
{
  /* Run entrypoint only for files that hit the emr_header signature	*/
  bool header_matched = matches(Signatures.emr_header);
  return header_matched;
}

/* This is the bytecode function that is actually executed when the logical signature is matched	*/
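int entrypoint(void)
{
	/* Record type of EMR_EXTTEXTOUTW (0x54) as it appears on disk, little endian	*/
	uint8_t emf_exttextoutw[4] = "\x54\x00\x00\x00";
	int pos = 0;			/* Offset of the current EMR_EXTTEXTOUTW record		*/
	uint8_t Chars[4];		/* Raw Chars field of the record's EmrText block	*/
	uint32_t chars_value = 0;	/* Chars field converted to host byte order		*/

	while (1)
	{
		/* Find the next EMR_EXTTEXTOUTW record; -1 means there are no more	*/
		pos = file_find(emf_exttextoutw, 4);
		if (pos == -1)
			break;

		/* Chars lives 44 bytes into the record. If the seek fails the record is
		 * truncated at end of file, so no later record can be complete either.	*/
		if (seek(pos + 44, SEEK_SET) == -1)
			break;

		/* Read the 4-byte little-endian Chars field. A short read would leave
		 * Chars uninitialised, so never evaluate it in that case — stop scanning.	*/
		if (read(Chars, sizeof(Chars)) != (int)sizeof(Chars))
			break;

		/* Convert to the host system's endianness. cli_readint32 is part of the ClamAV API:
		 * on a little-endian host it just reads the value, on a big-endian host it swaps
		 * the bytes. See its definition in other.h in the libclamav folder of your ClamAV
		 * installation.								*/
		chars_value = (uint32_t)cli_readint32(Chars);

		/* A Chars count with the top bit set is what this signature treats as
		 * CVE-2008-2238. Testing the bit on an unsigned value states that intent
		 * directly; the previous version compared a signed int against the
		 * unsigned constant 0x80000000 and only worked through implicit conversion.	*/
		if (chars_value & 0x80000000U)
		{
			foundVirus("CVE-2008-2238");
			break;
		}

		/* Restart the search one byte past this record so file_find does not
		 * return the same record again						*/
		seek(pos + 1, SEEK_SET);
	}
	return 0;
}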

