Commit 26f83bf45a3eced5d0c8f554bb84069d77f5f079
1 parent
bacfd4b6
added DocVarDump.vba
Showing
1 changed file
with
117 additions
and
0 deletions
oletools/DocVarDump.vba
0 → 100644
| 1 | +' DocVarDump.vba | ||
| 2 | +' | ||
| 3 | +' DocVarDump is a VBA macro that can be used to dump the content of all document | ||
| 4 | +' variables stored in a MS Word document. | ||
| 5 | +' | ||
| 6 | +' USAGE: | ||
| 7 | +' 1. Open the document to be analyzed in MS Word | ||
| 8 | +' 2. Do NOT click on "Enable Content", to avoid running malicious macros | ||
| 9 | +' 3. Save the document with a new name, using the DOCX format (not doc, not docm) | ||
| 10 | +' This will remove all VBA macro code. | ||
| 11 | +' 4. Close the file, and reopen the DOCX file you just saved | ||
| 12 | +' 5. Press Alt+F11 to open the VBA Editor | ||
| 13 | +' 6. Double-click on "This Document" under Project | ||
| 14 | +' 7. Copy and Paste all the code from DocVarDump.vba | ||
| 15 | +' 8. Move the cursor on the line "Sub DocVarDump()" | ||
| 16 | +' 9. Press F5: This should run the code, and create a file "docvardump.txt" | ||
| 17 | +' containing a hex dump of all document variables. | ||
| 18 | +' | ||
| 19 | +' ALTERNATIVE: Open the document in LibreOffice/OpenOffice, | ||
| 20 | +' then go to File / Properties / Custom Properties | ||
| 21 | +' | ||
| 22 | +' Author: Philippe Lagadec - http://www.decalage.info | ||
| 23 | +' License: BSD, see source code or documentation | ||
| 24 | +' | ||
| 25 | +' DocVarDump is part of the python-oletools package: | ||
| 26 | +' http://www.decalage.info/python/oletools | ||
| 27 | + | ||
| 28 | +' CHANGELOG: | ||
| 29 | +' 2016-09-21 v0.01 PL: - First working version | ||
| 30 | +' 2017-04-10 v0.02 PL: - Added usage instructions | ||
| 31 | + | ||
| 32 | +Sub DocVarDump() | ||
| 33 | + intFileNum = FreeFile | ||
| 34 | + FName = Environ("TEMP") & "\docvardump.txt" | ||
| 35 | + Open FName For Output As intFileNum | ||
| 36 | + For Each myvar In ActiveDocument.Variables | ||
| 37 | + Write #intFileNum, "Name = " & myvar.Name | ||
| 38 | + 'TODO: check VarType, and only use hexdump for strings with non-printable chars | ||
| 39 | + Write #intFileNum, "Value = " & HexDump(myvar.value) | ||
| 40 | + Write #intFileNum, | ||
| 41 | + Next myvar | ||
| 42 | + Close intFileNum | ||
| 43 | + Documents.Open (FName) | ||
| 44 | +End Sub | ||
| 45 | + | ||
| 46 | +Function Hex2(value As Integer) | ||
| 47 | + h = Hex(value) | ||
| 48 | + If Len(h) < 2 Then | ||
| 49 | + h = "0" & h | ||
| 50 | + End If | ||
| 51 | + Hex2 = h | ||
| 52 | +End Function | ||
| 53 | + | ||
| 54 | +Function HexN(value As Integer, nchars As Integer) | ||
| 55 | + h = Hex(value) | ||
| 56 | + Do While Len(h) < nchars | ||
| 57 | + h = "0" & h | ||
| 58 | + Loop | ||
| 59 | + HexN = h | ||
| 60 | +End Function | ||
| 61 | + | ||
| 62 | +Function ReplaceClean1(sText As String) | ||
| 63 | + Dim J As Integer | ||
| 64 | + Dim vAddText | ||
| 65 | + | ||
| 66 | + vAddText = Array(Chr(129), Chr(141), Chr(143), Chr(144), Chr(157)) | ||
| 67 | + For J = 0 To 31 | ||
| 68 | + sText = Replace(sText, Chr(J), "\x" & Hex2(J)) | ||
| 69 | + Next | ||
| 70 | + For J = 0 To UBound(vAddText) | ||
| 71 | + c = vAddText(J) | ||
| 72 | + a = Asc(c) | ||
| 73 | + sText = Replace(sText, c, "\x" & Hex2(a)) | ||
| 74 | + Next | ||
| 75 | + ReplaceClean1 = sText | ||
| 76 | +End Function | ||
| 77 | + | ||
| 78 | +Function ReplaceClean3(sText As String) | ||
| 79 | + Dim J As Integer | ||
| 80 | + For J = 0 To 31 | ||
| 81 | + sText = Replace(sText, Chr(J), ".") | ||
| 82 | + Next | ||
| 83 | + For J = 127 To 255 | ||
| 84 | + sText = Replace(sText, Chr(J), ".") | ||
| 85 | + Next | ||
| 86 | + ReplaceClean3 = sText | ||
| 87 | +End Function | ||
| 88 | + | ||
| 89 | +Function HexBytes(sText As String) | ||
| 90 | + Dim i As Integer | ||
| 91 | + HexBytes = "" | ||
| 92 | + For i = 1 To Len(sText) | ||
| 93 | + HexBytes = HexBytes & Hex2(Asc(Mid(sText, i))) & " " | ||
| 94 | + Next | ||
| 95 | +End Function | ||
| 96 | + | ||
| 97 | + | ||
| 98 | +Function HexDump(sText As String) | ||
| 99 | + Dim chunk As String | ||
| 100 | + Dim i As Long | ||
| 101 | + ' "\" is integer division, "/" is normal division (float) | ||
| 102 | + nbytes = 8 | ||
| 103 | + nchunks = Len(sText) \ nbytes | ||
| 104 | + lastchunk = Len(sText) Mod nbytes | ||
| 105 | + HexDump = "" | ||
| 106 | + For i = 0 To nchunks - 1 | ||
| 107 | + Offset = HexN(i * nbytes, 8) | ||
| 108 | + chunk = Mid(sText, i * nbytes + 1, nbytes) | ||
| 109 | + HexDump = HexDump & Offset & " " & HexBytes(chunk) & " " & ReplaceClean3(chunk) & vbCrLf | ||
| 110 | + Next i | ||
| 111 | + 'TODO: LAST CHUNK! | ||
| 112 | + If lastchunk > 0 Then | ||
| 113 | + Offset = HexN(nchunks * nbytes, 8) | ||
| 114 | + chunk = Mid(sText, nchunks * nbytes + 1, lastchunk) | ||
| 115 | + HexDump = HexDump & Offset & " " & HexBytes(chunk) & " " & ReplaceClean3(chunk) & vbCrLf | ||
| 116 | + End If | ||
| 117 | +End Function |