Commit 1b3768ada56cf79b8addebf19aaf1f12ba4c00e1
Merge remote-tracking branch 'origin/master'
Showing
2 changed files
with
4 additions
and
0 deletions
README.md
| ... | ... | @@ -84,6 +84,7 @@ including [Viper](http://viper.li/), [REMnux](https://remnux.org/), |
| 84 | 84 | [pcodedmp](https://github.com/bontchev/pcodedmp), |
| 85 | 85 | [dridex.malwareconfig.com](https://dridex.malwareconfig.com), |
| 86 | 86 | [Snake](https://github.com/countercept/snake), |
| 87 | +[DARKSURGEON](https://github.com/cryps1s/DARKSURGEON), | |
| 87 | 88 | and probably [VirusTotal](https://www.virustotal.com). |
| 88 | 89 | (Please [contact me]((http://decalage.info/contact)) if you have or know |
| 89 | 90 | a project using oletools) | ... | ... |
oletools/common/clsid.py
| ... | ... | @@ -100,6 +100,7 @@ KNOWN_CLSIDS = { |
| 100 | 100 | '14CE31DC-ABC2-484C-B061-CF3416AED8FF': 'Loads WUAEXT.DLL (Known Related to CVE-2015-6128)', |
| 101 | 101 | '1D8A9B47-3A28-4CE2-8A4B-BD34E45BCEEB': 'UPnP.DescriptionDocument', |
| 102 | 102 | '1EFB6596-857C-11D1-B16A-00C0F0283628': 'MSCOMCTL.TabStrip (may trigger CVE-2012-1856, CVE-2013-3906 - often used for heap spray)', |
| 103 | + '233C1507-6A77-46A4-9443-F871F945D258': 'Shockwave Control Objects', | |
| 103 | 104 | '23CE100B-1390-49D6-BA00-F17D3AEE149C': 'UmOutlookAddin.UmEvmCtrl (potential exploit document CVE-2016-0042 / MS16-014)', |
| 104 | 105 | '3018609E-CDBC-47E8-A255-809D46BAA319': 'SSCE DropTable Listener Object (can be used to bypass ASLR after triggering an exploit)', |
| 105 | 106 | '3050F4D8-98B5-11CF-BB82-00AA00BDCE0B': 'HTML Application (may trigger CVE-2017-0199)', |
| ... | ... | @@ -148,11 +149,13 @@ KNOWN_CLSIDS = { |
| 148 | 149 | 'CDF1C8AA-2D25-43C7-8AFE-01F73A3C66DA': 'UmOutlookAddin.InspectorContext (potential exploit document CVE-2016-0042 / MS16-014)', |
| 149 | 150 | 'CF4F55F4-8F87-4D47-80BB-5808164BB3F8': 'Microsoft Powerpoint.Show.12', |
| 150 | 151 | 'D27CDB6E-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)', |
| 152 | + 'D27CDB70-AE6D-11CF-96B8-444553540000': 'Shockwave Flash Object (may trigger many CVEs)', | |
| 151 | 153 | 'D50FED35-0A08-4B17-B3E0-A8DD0EDE375D': 'UmOutlookAddin.PlayOnPhoneDlg (potential exploit document CVE-2016-0042 / MS16-014)', |
| 152 | 154 | 'D7053240-CE69-11CD-A777-00DD01143C57': 'Microsoft Forms 2.0 CommandButton', |
| 153 | 155 | 'D70E31AD-2614-49F2-B0FC-ACA781D81F3E': 'AutoCAD 2010-2012 Document', |
| 154 | 156 | 'D93CE8B5-3BF8-462C-A03F-DED2730078BA': 'Loads WUAEXT.DLL (Known Related to CVE-2015-6128)', |
| 155 | 157 | 'DD9DA666-8594-11D1-B16A-00C0F0283628': 'MSCOMCTL.ImageComboCtrl (may trigger CVE-2014-1761)', |
| 158 | + 'DFEAF541-F3E1-4c24-ACAC-99C30715084A': 'Silverlight Objects', | |
| 156 | 159 | 'E5CA59F5-57C4-4DD8-9BD6-1DEEEDD27AF4': 'InkEd.InkEdit', |
| 157 | 160 | 'E8CC4CBE-FDFF-11D0-B865-00A0C9081C1D': 'MSDAORA.1 (potential exploit CVE TODO)', # TODO |
| 158 | 161 | 'E8CC4CBF-FDFF-11D0-B865-00A0C9081C1D': 'Loads OCI.DLL (Known Related to CVE-2015-6128)', | ... | ... |