Commit 2fa61161d0c4b3cfb4333d5d89ef99b42f605a34
1 parent
45db7680
olevba: disabled VBA stomping detection for files in memory, because it is not yet supported by pcodedmp (see issue #519)
Showing
2 changed files
with
9 additions
and
2 deletions
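--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -225,7 +225,7 @@ from __future__ import print_function
 # 2019-09-24 PL: - included DridexUrlDecode into olevba (issue #485)
 # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK
 
-__version__ = '0.55.1'
+__version__ = '0.55.2'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -2646,9 +2646,11 @@ class VBA_Parser(object):
         if data is None:
             # open file from disk:
             _file = filename
+            self.file_on_disk = True
         else:
             # file already read in memory, make it a file-like object for zipfile:
             _file = BytesIO(data)
+            self.file_on_disk = False
         #self.file = _file
         self.ole_file = None
         self.ole_subfiles = []
@@ -3636,6 +3638,11 @@ class VBA_Parser(object):
         if self.type in (TYPE_SLK, TYPE_TEXT):
             self.vba_stomping_detected = False
             return False
+        # TODO: Files in memory cannot be analysed with pcodedmp yet
+        if not self.file_on_disk:
+            log.info('For now, VBA stomping cannot be detected for files in memory')
+            self.vba_stomping_detected = False
+            return False
         # only run it once:
         if self.vba_stomping_detected is None:
             log.debug('Analysing the P-code to detect VBA stomping')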
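Review bot: The early return added at new lines 3642-3645 stores `self.vba_stomping_detected = False` for an in-memory document, so callers reading that attribute or the return value cannot distinguish "checked and clean" from "not checked at all"; in a malware-triage tool that is a silent false negative, and a message at `log.info` is easy to miss in normal output. I would at least raise the severity and name the cause, e.g. `log.warning('VBA stomping detection skipped: in-memory data is not yet supported by pcodedmp (issue #519)')`, and state in the method's docstring that a False result for in-memory input is "not analysed", not "no stomping found". If olevba also constructs VBA_Parser with `data=` for embedded or container-extracted VBA projects (presumably it does for OLE subfiles, but that is outside this hunk), those would now skip the check too, which is worth calling out in the changelog. The enclosing method starts before this hunk, and `file_on_disk` is only initialised on the two `__init__` paths shown in the previous hunk, so any other way of building a VBA_Parser that bypasses that code would raise AttributeError here rather than fall back safely.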
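--- a/setup.py
+++ b/setup.py
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.55.1'
+version = '0.55.2'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"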