oleform/olevba: fixed a few issues related to #218 (work in progress)

decalage2
1 parent ca0087b0
Showing 2 changed files with 12 additions and 8 deletions
oletools/oleform.py
oletools/olevba.py
@@ -94,7 +94,7 @@ class ExtendedStream(object):
         return self.unpacks(format, size)[0]
     def raise_error(self, reason, back=0):
-        raise OleFormParsingError('{0}:{1}: {2}'.format(self.path, self._pos - back))
+        raise OleFormParsingError('{0}:{1}: {2}'.format(self._path, self._pos - back, reason))
     def check_values(self, name, format, size, expected):
         value = self.unpacks(format, size)
@@ -283,6 +283,7 @@ def consume_MorphDataControl(stream):
 def extract_OleFormVariables(ole_file, stream_dir):
     control = ExtendedStream.open(ole_file, '/'.join(stream_dir + ['f']))
     variables = list(consume_FormControl(control))
+    print('/'.join(stream_dir + ['o']))
     data = ExtendedStream.open(ole_file, '/'.join(stream_dir + ['o']))
     for var in variables:
         if var['ClsidCacheIndex'] != 23:
@@ -198,8 +198,9 @@ from __future__ import print_function
 # 2017-06-15       PL: - deobfuscation line by line to handle large files
 # 2017-07-11 v0.52 PL: - raise exception instead of sys.exit (issue #180)
 # 2017-11-08       VB: - PR #124 adding user form parsing (Vincent Brillault)
+# 2017-11-17       PL: - fixed a few issues with form parsing
-__version__ = '0.52dev3'
+__version__ = '0.52dev4'
 #------------------------------------------------------------------------------
 # TODO:
@@ -266,7 +267,6 @@ except ImportError:
                                + "see http://codespeak.net/lxml " \
                                + "or http://effbot.org/zone/element-index.htm")
-from oleform import extract_OleFormVariables
 # IMPORTANT: it should be possible to run oletools directly as scripts
 # in any directory without installing them with pip or setup.py.
@@ -289,6 +289,7 @@ from oletools.thirdparty.pyparsing.pyparsing import \
         alphanums, alphas, hexnums,nums, opAssoc, srange, \
         infixNotation, ParserElement
 from oletools import ppt_parser
+from oletools import oleform
 # monkeypatch email to fix issue #32:
@@ -3005,7 +3006,7 @@ class VBA_Parser(object):
             self.find_vba_forms()
             ole = self.ole_file
             for form_storage in self.vba_forms:
-                for variable in extract_OleFormVariables(ole, form_storage):
+                for variable in oleform.extract_OleFormVariables(ole, form_storage):
                     yield (self.filename, '/'.join(form_storage), variable)
     def close(self):
@@ -3137,10 +3138,12 @@ class VBA_Parser_CLI(VBA_Parser):
                     print('- ' * 39)
                     print(form_string)
                 for (subfilename, stream_path, form_variables) in self.extract_form_strings_extended():
-                    print('-' * 79)
-                    print('VBA FORM Variable "%s" IN %r - OLE stream: %r' % (form_variables['name'], subfilename, stream_path))
-                    print('- ' * 39)
-                    print(str(form_variables['value']))
+                    if form_variables is not None:
+                        print('-' * 79)
+                        print('VBA FORM Variable "%s" IN %r - OLE stream: %r' % (form_variables['name'], subfilename, stream_path))
+                        print('- ' * 39)
+                        print(str(form_variables['value']))
+                    # TODO: display error message otherwise (form parsing error)
                 if not vba_code_only:
                     # analyse the code from all modules at once:
                     self.print_analysis(show_decoded_strings, deobfuscate)