From 2fa61161d0c4b3cfb4333d5d89ef99b42f605a34 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Wed, 4 Dec 2019 13:35:59 +0100
Subject: [PATCH] olevba: disabled VBA stomping detection for files in memory, because it is not yet supported by pcodedmp (see issue #519)

---
 oletools/olevba.py | 9 ++++++++-
 setup.py | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index 37dab67..50650e1 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -225,7 +225,7 @@ from __future__ import print_function
 # 2019-09-24 PL: - included DridexUrlDecode into olevba (issue #485)
 # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK
-__version__ = '0.55.1'
+__version__ = '0.55.2'
 #------------------------------------------------------------------------------
 # TODO:
@@ -2646,9 +2646,11 @@ class VBA_Parser(object):
 if data is None:
 # open file from disk:
 _file = filename
+self.file_on_disk = True
 else:
 # file already read in memory, make it a file-like object for zipfile:
 _file = BytesIO(data)
+self.file_on_disk = False
 #self.file = _file
 self.ole_file = None
 self.ole_subfiles = []
@@ -3636,6 +3638,11 @@ class VBA_Parser(object):
 if self.type in (TYPE_SLK, TYPE_TEXT):
 self.vba_stomping_detected = False
 return False
+# TODO: Files in memory cannot be analysed with pcodedmp yet
+if not self.file_on_disk:
+log.info('For now, VBA stomping cannot be detected for files in memory')
+self.vba_stomping_detected = False
+return False
 # only run it once:
 if self.vba_stomping_detected is None:
 log.debug('Analysing the P-code to detect VBA stomping')
diff --git a/setup.py b/setup.py
index 70ae972..fc4d71b 100644
--- a/setup.py
+++ b/setup.py
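Review bot: `file_on_disk` is a new instance attribute introduced without a comment saying what it records or who consumes it, which matters because a later method branches on it. A one-line note at the first assignment would do, e.g. `# file_on_disk: True only when this parser opened filename itself; False when the caller supplied data (the P-code analysis needs a real path)`. VBA_Parser.__init__ starts before this hunk, so whether any earlier return or exception path leaves the attribute unset cannot be judged from here; if one exists, the later `if not self.file_on_disk` test would raise AttributeError rather than skip.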
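Review bot: The new early exit sets `self.vba_stomping_detected = False`, so a caller that analysed a document passed as `data` gets exactly the same answer as one whose file was checked and found clean; the return value no longer distinguishes "not stomped" from "not analysed". Since stomping is precisely the case where the readable VBA source is misleading, a silent negative here deserves more than an info-level line: `log.warning('VBA stomping cannot be detected for files in memory (see issue #519)')`, plus a sentence in the method's docstring stating that in-memory input is not analysed and returns False. The TODO would also be easier to follow up if it cited the issue from the commit subject, `# TODO: Files in memory cannot be analysed with pcodedmp yet (see issue #519)`. The enclosing method starts and ends outside the hunk.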
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name = "oletools"
-version = '0.55.1'
+version = '0.55.2'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
-- 
libgit2 0.21.4