diff --git a/oletools/crypto.py b/oletools/crypto.py
index be732ee..73fe947 100644
--- a/oletools/crypto.py
+++ b/oletools/crypto.py
@@ -64,7 +64,7 @@ http://www.decalage.info/python/oletools
 # === LICENSE =================================================================
-# crypto is copyright (c) 2014-2019 Philippe Lagadec (http://www.decalage.info)
+# crypto is copyright (c) 2014-2021 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
@@ -93,8 +93,10 @@ http://www.decalage.info/python/oletools
 # 2019-02-14 v0.01 CH: - first version with encryption check from oleid
 # 2019-04-01 v0.54 PL: - fixed bug in is_encrypted_ole
 # 2019-05-23 PL: - added DEFAULT_PASSWORDS list
+# 2021-05-22 v0.60 PL: - added PowerPoint transparent password
+# '/01Hannes Ruescher/01' (issue #627)
-__version__ = '0.55'
+__version__ = '0.60.dev2'
 import sys
 import struct
@@ -309,12 +311,20 @@ def _is_encrypted_ole(ole):
 return False
-#: one way to achieve "write protection" in office files is to encrypt the file
+#: one way to achieve "write protection" in Excel files is to encrypt the file
 #: using this password
-WRITE_PROTECT_ENCRYPTION_PASSWORD = 'VelvetSweatshop'
+# ref: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/6b4a08cb-195a-442e-b31c-7c94624a8c29#Appendix_A_25
+# ref: https://twitter.com/BouncyHat/status/1308897568773083138
+EXCEL_TRANSPARENT_PASSWORD = 'VelvetSweatshop'
+
+# PowerPoint password which is transparent for the user:
+# ref: https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/57fc02f0-c1de-4fc6-908f-d146104662f5
+# ref: https://twitter.com/BouncyHat/status/1308897932389896192
+POWERPOINT_TRANSPARENT_PASSWORD = '/01Hannes Ruescher/01'
 #: list of common passwords to be tried by default, used by malware
-DEFAULT_PASSWORDS = [WRITE_PROTECT_ENCRYPTION_PASSWORD, '123', '1234', '12345', '123456', '4321']
+DEFAULT_PASSWORDS = [EXCEL_TRANSPARENT_PASSWORD, POWERPOINT_TRANSPARENT_PASSWORD,
+ '123', '1234', '12345', '123456', '4321']
 def _check_msoffcrypto():
diff --git a/setup.py b/setup.py
index bc8846c..8e829ff 100644
--- a/setup.py
+++ b/setup.py
@@ -33,6 +33,7 @@ to install this package.
 # 2019-05-23 v0.55 PL: - added pcodedmp as dependency
 # 2019-09-24 PL: - removed oletools.thirdparty.DridexUrlDecoder
 # 2019-11-10 PL: - changed pyparsing from 2.2.0 to 2.1.0 for issue #481
+# 2021-05-22 v0.60 PL: - entry points: added ftguess, removed olevba3/mraptor3
 #--- TODO ---------------------------------------------------------------------
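Review bot: In oletools/crypto.py the rename to `EXCEL_TRANSPARENT_PASSWORD` removes the module-level name `WRITE_PROTECT_ENCRYPTION_PASSWORD` without leaving an alias, so any caller that still imports the old constant will fail at import or attribute lookup; whether other modules or downstream tools reference it is not visible in this diff. Keeping `WRITE_PROTECT_ENCRYPTION_PASSWORD = EXCEL_TRANSPARENT_PASSWORD  # deprecated alias` next to the new definition would make the change backward-compatible. The comment above `POWERPOINT_TRANSPARENT_PASSWORD` also uses plain `#` where the neighbouring constants use the `#:` form, so if those lines feed a documentation generator the new constant would be left out. The code that consumes `DEFAULT_PASSWORDS` lies outside the hunk.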
@@ -52,7 +53,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name = "oletools"
-version = '0.56.2'
+version = '0.60.dev2'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
@@ -268,8 +269,9 @@ package_data={
 entry_points = {
 'console_scripts': [
 'ezhexviewer=oletools.ezhexviewer:main',
+ 'ftguess=oletools.ftguess:main',
 'mraptor=oletools.mraptor:main',
- 'mraptor3=oletools.mraptor3:main',
+ 'msodde=oletools.msodde:main',
 'olebrowse=oletools.olebrowse:main',
 'oledir=oletools.oledir:main',
 'oleid=oletools.oleid:main',
@@ -277,11 +279,9 @@ entry_points = {
 'olemeta=oletools.olemeta:main',
 'oletimes=oletools.oletimes:main',
 'olevba=oletools.olevba:main',
- 'olevba3=oletools.olevba3:main',
 'pyxswf=oletools.pyxswf:main',
 'rtfobj=oletools.rtfobj:main',
 'oleobj=oletools.oleobj:main',
- 'msodde=oletools.msodde:main',
 'olefile=olefile.olefile:main',
 ],
 }
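Review bot: The `console_scripts` list in setup.py drops `mraptor3` (hunk at `@@ -268,8 +269,9 @@`) and `olevba3` (hunk at `@@ -277,11 +279,9 @@`) with no replacement, so any triage script or analysis pipeline that still calls those command names will fail after an upgrade. If the wrapper does not check the exit status, that failure may be mistaken for an empty scan result. If the removal is intended it deserves a line in the release notes; otherwise the names could stay as aliases, e.g. `'olevba3=oletools.olevba:main',` and `'mraptor3=oletools.mraptor:main',`. The new `'ftguess=oletools.ftguess:main'` entry assumes `oletools/ftguess.py` exposes a `main` callable, which this diff does not show.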