Commit 1f318944cbf8c01b9415e384cfb23230a561c955

Authored by Philippe Lagadec
1 parent 23169cd9

olevba: improved display

Showing 1 changed file with 11 additions and 35 deletions
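--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -98,9 +98,7 @@ __version__ = '0.12'
 
 #------------------------------------------------------------------------------
 # TODO:
-# + process several files in dirs or zips with password
 # + do not use logging, but a provided logger (null logger by default)
-# + nicer output
 # + setup logging (common with other oletools)
 # + update readme, wiki and decalage.info, pypi (link to sample files)
 
@@ -207,7 +205,7 @@ RE_PATTERNS = (
 ('IPv4 address', re.compile(r"\b(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b")),
 ('E-mail address', re.compile(r'(?i)\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+(?:[A-Z]{2,12}|XN--[A-Z0-9]{4,18})\b')),
 ('Domain name', re.compile(r'(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)')),
-("Executable file name", re.compile(r"(?i)\b\w+\.(EXE|COM|VBS|JS|VBE|JSE|BAT|CMD|DLL|SCR|CLASS|JAR)\b")),
+("Executable file name", re.compile(r"(?i)\b\w+\.(EXE|COM|PIF|APPLICATION|GADGET|MSI|MSP|MSC|VB|VBS|JS|VBE|JSE|WS|WSF|WSC|WSH|BAT|CMD|DLL|SCR|HTA|CPL|CLASS|JAR|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|SCF|LNK|INF|REG)\b")),
 )
 
 
@@ -1064,45 +1062,23 @@ def process_file (container, filename, data):
 print '- '*39
 print 'ANALYSIS:'
 autoexec_keywords = detect_autoexec(vba_code)
-if autoexec_keywords:
-print 'Auto-executable macro keywords found:'
-t = prettytable.PrettyTable(('Keyword', 'Description'))
-t.align = 'l'
-t.max_width['Keyword'] = 20
-t.max_width['Description'] = 59
-for keyword, description in autoexec_keywords:
-t.add_row((keyword, description))
-print t
-else:
-print 'Auto-executable macro keywords: None found'
-
-print '- '*39
 suspicious_keywords = detect_suspicious(vba_code)
-if suspicious_keywords:
-print 'Suspicious macro keywords found:'
-t = prettytable.PrettyTable(('Keyword', 'Description'))
+patterns = detect_patterns(vba_code)
+if autoexec_keywords or suspicious_keywords or patterns:
+t = prettytable.PrettyTable(('Type', 'Keyword', 'Description'))
 t.align = 'l'
+t.max_width['Type'] = 10
 t.max_width['Keyword'] = 20
-t.max_width['Description'] = 59
+t.max_width['Description'] = 40
+for keyword, description in autoexec_keywords:
+t.add_row(('AutoExec', keyword, description))
 for keyword, description in suspicious_keywords:
-t.add_row((keyword, description))
-print t
-else:
-print 'Suspicious macro keywords: None found'
-
-print '- '*39
-patterns = detect_patterns(vba_code)
-if patterns:
-print 'Patterns found:'
-t = prettytable.PrettyTable(('Value', 'Pattern type'))
-t.align = 'l'
-t.max_width['Value'] = 40
-t.max_width['Pattern type'] = 39
+t.add_row(('Suspicious', keyword, description))
 for pattern_type, value in patterns:
-t.add_row((value, pattern_type))
+t.add_row(('IOC', value, pattern_type))
 print t
 else:
-print 'Patterns: None found'
+print 'No suspicious keyword or pattern found.'
 
 else:
 print 'No VBA macros found.'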
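Review bot: The IOC rows in the process_file hunk put the matched value under the 'Keyword' column and the pattern type under 'Description', so a long e-mail address, domain or executable file name is wrapped at `t.max_width['Keyword'] = 20` while the short type label (e.g. 'IPv4 address') sits in the 40-character column; the AutoExec and Suspicious rows do the opposite, short identifier first and long text second. Swapping the two fields makes the three row kinds consistent and keeps extracted indicators readable in one piece: `t.add_row(('IOC', pattern_type, value))`. The merged `if autoexec_keywords or suspicious_keywords or patterns:` replaces three separately labelled sections, so a one-line comment such as `# one table for all three detectors: AutoExec keywords, suspicious keywords, extracted IOCs` above it would help the next reader understand why the 'Type' column exists. The enclosing process_file starts before this hunk.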