diff --git a/oletools/olevba.py b/oletools/olevba.py
index 37dab67..50650e1 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -225,7 +225,7 @@ from __future__ import print_function
 # 2019-09-24 PL: - included DridexUrlDecode into olevba (issue #485)
 # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK
-__version__ = '0.55.1'
+__version__ = '0.55.2'
 #------------------------------------------------------------------------------
 # TODO:
@@ -2646,9 +2646,11 @@ class VBA_Parser(object):
 if data is None:
 # open file from disk:
 _file = filename
+ self.file_on_disk = True
 else:
 # file already read in memory, make it a file-like object for zipfile:
 _file = BytesIO(data)
+ self.file_on_disk = False
 #self.file = _file
 self.ole_file = None
 self.ole_subfiles = []
@@ -3636,6 +3638,11 @@ class VBA_Parser(object):
 if self.type in (TYPE_SLK, TYPE_TEXT):
 self.vba_stomping_detected = False
 return False
+ # TODO: Files in memory cannot be analysed with pcodedmp yet
+ if not self.file_on_disk:
+ log.info('For now, VBA stomping cannot be detected for files in memory')
+ self.vba_stomping_detected = False
+ return False
 # only run it once:
 if self.vba_stomping_detected is None:
 log.debug('Analysing the P-code to detect VBA stomping')
diff --git a/setup.py b/setup.py
index 70ae972..fc4d71b 100644
--- a/setup.py
+++ b/setup.py
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name = "oletools"
-version = '0.55.1'
+version = '0.55.2'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
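Review bot: The new `self.file_on_disk` attribute in the `-2646` hunk is assigned in both branches of `if data is None:` with no comment saying what it is for. Its only visible consumer is the stomping check added later in this diff. A one-line comment next to the first assignment would help the next maintainer, e.g. `# file_on_disk: True when parsing from a path; P-code analysis (pcodedmp) is skipped for in-memory data`. The enclosing method begins and ends outside the hunk, so it is not visible whether its docstring already lists the instance attributes.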
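Review bot: In the new `if not self.file_on_disk:` branch of the `-3636` hunk, setting `self.vba_stomping_detected = False` and returning `False` makes a skipped check look the same as a clean result. Any caller that parses in-memory buffers therefore gets a silent false negative for VBA stomping. The only signal is `log.info(...)`, which is probably below the default log threshold, though the logging setup is not visible here. Consider `log.warning('VBA stomping detection skipped: file was provided in memory')`, and record the skipped state separately, for instance with a new flag such as `self.vba_stomping_checked = False` (a suggested name, not one on the page), so reports can say "not analysed" rather than "not detected". The enclosing method starts above the hunk and continues below it.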