Commit 1f318944cbf8c01b9415e384cfb23230a561c955
1 parent
23169cd9
olevba: improved display
Showing
1 changed file
with
11 additions
and
35 deletions
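--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -98,9 +98,7 @@ __version__ = '0.12'
 
 #------------------------------------------------------------------------------
 # TODO:
-# + process several files in dirs or zips with password
 # + do not use logging, but a provided logger (null logger by default)
-# + nicer output
 # + setup logging (common with other oletools)
 # + update readme, wiki and decalage.info, pypi (link to sample files)
 
@@ -207,7 +205,7 @@ RE_PATTERNS = (
 ('IPv4 address', re.compile(r"\b(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b")),
 ('E-mail address', re.compile(r'(?i)\b[A-Z0-9._%+-]+@(?:[A-Z0-9-]+\.)+(?:[A-Z]{2,12}|XN--[A-Z0-9]{4,18})\b')),
 ('Domain name', re.compile(r'(?=^.{1,254}$)(^(?:(?!\d+\.|-)[a-zA-Z0-9_\-]{1,63}(?<!-)\.?)+(?:[a-zA-Z]{2,})$)')),
-("Executable file name", re.compile(r"(?i)\b\w+\.(EXE|COM|VBS|JS|VBE|JSE|BAT|CMD|DLL|SCR|CLASS|JAR)\b")),
+("Executable file name", re.compile(r"(?i)\b\w+\.(EXE|COM|PIF|APPLICATION|GADGET|MSI|MSP|MSC|VB|VBS|JS|VBE|JSE|WS|WSF|WSC|WSH|BAT|CMD|DLL|SCR|HTA|CPL|CLASS|JAR|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|SCF|LNK|INF|REG)\b")),
 )
 
 
@@ -1064,45 +1062,23 @@ def process_file (container, filename, data):
 print '- '*39
 print 'ANALYSIS:'
 autoexec_keywords = detect_autoexec(vba_code)
-if autoexec_keywords:
-print 'Auto-executable macro keywords found:'
-t = prettytable.PrettyTable(('Keyword', 'Description'))
-t.align = 'l'
-t.max_width['Keyword'] = 20
-t.max_width['Description'] = 59
-for keyword, description in autoexec_keywords:
-t.add_row((keyword, description))
-print t
-else:
-print 'Auto-executable macro keywords: None found'
-
-print '- '*39
 suspicious_keywords = detect_suspicious(vba_code)
-if suspicious_keywords:
-print 'Suspicious macro keywords found:'
-t = prettytable.PrettyTable(('Keyword', 'Description'))
+patterns = detect_patterns(vba_code)
+if autoexec_keywords or suspicious_keywords or patterns:
+t = prettytable.PrettyTable(('Type', 'Keyword', 'Description'))
 t.align = 'l'
+t.max_width['Type'] = 10
 t.max_width['Keyword'] = 20
-t.max_width['Description'] = 59
+t.max_width['Description'] = 40
+for keyword, description in autoexec_keywords:
+t.add_row(('AutoExec', keyword, description))
 for keyword, description in suspicious_keywords:
-t.add_row((keyword, description))
-print t
-else:
-print 'Suspicious macro keywords: None found'
-
-print '- '*39
-patterns = detect_patterns(vba_code)
-if patterns:
-print 'Patterns found:'
-t = prettytable.PrettyTable(('Value', 'Pattern type'))
-t.align = 'l'
-t.max_width['Value'] = 40
-t.max_width['Pattern type'] = 39
+t.add_row(('Suspicious', keyword, description))
 for pattern_type, value in patterns:
-t.add_row((value, pattern_type))
+t.add_row(('IOC', value, pattern_type))
 print t
 else:
-print 'Patterns: None found'
+print 'No suspicious keyword or pattern found.'
 
 else:
 print 'No VBA macros found.'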
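Review bot: The widened 'Executable file name' pattern in the RE_PATTERNS hunk now includes APPLICATION, so `\b\w+\.APPLICATION\b` also matches the COM ProgIDs `Word.Application`, `Excel.Application`, `Outlook.Application` and `Shell.Application` that appear in a great many benign as well as malicious macros, and each occurrence will be reported in the new table as an IOC of type 'Executable file name'. A leading negative lookahead keeps the ClickOnce `.application` extension while skipping those identifiers: `re.compile(r"(?i)\b(?!(?:Word|Excel|Outlook|PowerPoint|Access|Shell)\.Application\b)\w+\.(EXE|COM|PIF|APPLICATION|GADGET|MSI|MSP|MSC|VB|VBS|JS|VBE|JSE|WS|WSF|WSC|WSH|BAT|CMD|DLL|SCR|HTA|CPL|CLASS|JAR|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|SCF|LNK|INF|REG)\b")` — the alternation itself is unchanged. Separately, in the process_file hunk the extracted IOC value now goes into the 'Keyword' column whose max_width is 20, where the old 'Value' column allowed 40; e-mail addresses and domain names will presumably be wrapped at 20 characters by PrettyTable, which makes them awkward to read and copy, so consider `t.max_width['Keyword'] = 40`. process_file starts before the hunk and its remaining branches continue after it.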