Commit 028634725b14677b01de76c7169d794e89b63887
1 parent
49b35ec2
olevba: fixed bug when decompressing raw chunks in VBA (fixes #575)
Showing
2 changed files
with
5 additions
and
3 deletions
oletools/olevba.py
| @@ -226,8 +226,9 @@ from __future__ import print_function | @@ -226,8 +226,9 @@ from __future__ import print_function | ||
| 226 | # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK | 226 | # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK |
| 227 | # 2020-01-31 v0.56 KS: - added option --no-xlm, improved MHT detection | 227 | # 2020-01-31 v0.56 KS: - added option --no-xlm, improved MHT detection |
| 228 | # 2020-03-22 PL: - uses plugin_biff to display DCONN objects and their URL | 228 | # 2020-03-22 PL: - uses plugin_biff to display DCONN objects and their URL |
| 229 | +# 2020-06-11 PL: - fixed issue #575 when decompressing raw chunks in VBA | ||
| 229 | 230 | ||
| 230 | -__version__ = '0.56dev5' | 231 | +__version__ = '0.56dev6' |
| 231 | 232 | ||
| 232 | #------------------------------------------------------------------------------ | 233 | #------------------------------------------------------------------------------ |
| 233 | # TODO: | 234 | # TODO: |
| @@ -1369,7 +1370,7 @@ def decompress_stream(compressed_container): | @@ -1369,7 +1370,7 @@ def decompress_stream(compressed_container): | ||
| 1369 | # MS-OVBA 2.4.1.3.3 Decompressing a RawChunk | 1370 | # MS-OVBA 2.4.1.3.3 Decompressing a RawChunk |
| 1370 | # uncompressed chunk: read the next 4096 bytes as-is | 1371 | # uncompressed chunk: read the next 4096 bytes as-is |
| 1371 | #TODO: check if there are at least 4096 bytes left | 1372 | #TODO: check if there are at least 4096 bytes left |
| 1372 | - decompressed_container.extend([compressed_container[compressed_current:compressed_current + 4096]]) | 1373 | + decompressed_container.extend(compressed_container[compressed_current:compressed_current + 4096]) |
| 1373 | compressed_current += 4096 | 1374 | compressed_current += 4096 |
| 1374 | else: | 1375 | else: |
| 1375 | # MS-OVBA 2.4.1.3.2 Decompressing a CompressedChunk | 1376 | # MS-OVBA 2.4.1.3.2 Decompressing a CompressedChunk |
| @@ -2702,6 +2703,7 @@ class VBA_Parser(object): | @@ -2702,6 +2703,7 @@ class VBA_Parser(object): | ||
| 2702 | self.open_ole(_file) | 2703 | self.open_ole(_file) |
| 2703 | 2704 | ||
| 2704 | # if this worked, try whether it is a ppt file (special ole file) | 2705 | # if this worked, try whether it is a ppt file (special ole file) |
| 2706 | + # TODO: instead of this we should have a function to test if it is a PPT | ||
| 2705 | self.open_ppt() | 2707 | self.open_ppt() |
| 2706 | if self.type is None and zipfile.is_zipfile(_file): | 2708 | if self.type is None and zipfile.is_zipfile(_file): |
| 2707 | # Zip file, which may be an OpenXML document | 2709 | # Zip file, which may be an OpenXML document |
setup.py
| @@ -52,7 +52,7 @@ import os, fnmatch | @@ -52,7 +52,7 @@ import os, fnmatch | ||
| 52 | #--- METADATA ----------------------------------------------------------------- | 52 | #--- METADATA ----------------------------------------------------------------- |
| 53 | 53 | ||
| 54 | name = "oletools" | 54 | name = "oletools" |
| 55 | -version = '0.56dev5' | 55 | +version = '0.56dev6' |
| 56 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" | 56 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 57 | long_desc = open('oletools/README.rst').read() | 57 | long_desc = open('oletools/README.rst').read() |
| 58 | author = "Philippe Lagadec" | 58 | author = "Philippe Lagadec" |