Commit 3d3fb43c910e8c1e30e2292a696c56d744059706
1 parent
e1e70de6
oleid: added indicators from properties
Showing
2 changed files
with
28 additions
and
20 deletions
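--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -518,14 +518,14 @@ class FTYpe_Excel(FType_Base):
 name = 'MS Excel (generic)'
 longname = 'MS Excel Workbook or Template (generic)'
 
-class FType_Excel97(FTYpe_Excel):
+class FType_Excel97(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL97
 name = 'MS Excel 97 Workbook'
 longname = 'MS Excel 97-2003 Workbook or Template'
 CLSIDS = ('00020820-0000-0000-C000-000000000046',)
 extensions = ['xls', 'xlt', 'xla']
 
-class FType_Excel5(FTYpe_Excel):
+class FType_Excel5(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL5
 name = 'MS Excel 5.0/95 Workbook'
 longname = 'MS Excel 5.0/95 Workbook, Template or Add-in'
@@ -533,7 +533,7 @@ class FType_Excel5(FTYpe_Excel):
 extensions = ['xls', 'xlt', 'xla']
 # TODO: this CLSID is also used in Excel addins (.xla) saved by MS Excel 365
 
-class FTYpe_Excel2007(FTYpe_Excel):
+class FTYpe_Excel2007(FTYpe_Excel, FType_Generic_OpenXML):
 'Base class for all MS Excel 2007 file types'
 name = 'MS Excel 2007+ (generic)'
 longname = 'MS Excel 2007+ Workbook or Template (generic)'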
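Review bot: The second base added to FType_Excel97 (and likewise to FType_Excel5 and FTYpe_Excel2007 in this section) carries no comment saying why it is needed, and the reason is not visible from the class bodies, since FTYpe_Excel stays first in the MRO and keeps precedence for every attribute it defines. Presumably the goal is that `isinstance(..., FType_Generic_OLE)` / `FType_Generic_OpenXML` checks elsewhere now also match the Excel subtypes; a one-line comment such as `# FType_Generic_OLE as 2nd base: generic-OLE isinstance checks also match this type; FTYpe_Excel stays first so its attributes win` on each of the three class lines would record that for the next reader. Whether the sibling Word and PowerPoint classes need the same treatment cannot be seen from this hunk.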
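--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -100,6 +100,7 @@ if _parent_dir not in sys.path:
 from oletools.thirdparty.tablestream import tablestream
 from oletools import crypto, ftguess, olevba, mraptor
 from oletools.common.log_helper import log_helper
+from oletools.common.codepages import get_codepage_name
 
 # === LOGGING =================================================================
 
@@ -300,23 +301,25 @@ class OleID(object):
 :returns: 2 :py:class:`Indicator`s (for presence of summary info and
 application name) or None if file was not opened
 """
-# TODO: use get_metadata
-suminfo = Indicator('has_suminfo', False,
-name='Has SummaryInformation stream')
-self.indicators.append(suminfo)
-appname = Indicator('appname', 'unknown', _type=str,
-name='Application name')
-self.indicators.append(appname)
 if not self.ole:
-return None, None
-self.suminfo_data = {}
-# check stream SummaryInformation (not present e.g. in encrypted ppt)
-if self.ole.exists("\x05SummaryInformation"):
-suminfo.value = True
-self.suminfo_data = self.ole.getproperties("\x05SummaryInformation")
-# check application name:
-appname.value = self.suminfo_data.get(0x12, 'unknown')
-return suminfo, appname
+return None
+meta = self.ole.get_metadata()
+appname = Indicator('appname', meta.creating_application, _type=str,
+name='Application name', description='Application name declared in properties',
+risk=RISK.INFO)
+self.indicators.append(appname)
+codepage_name = None
+if meta.codepage is not None:
+codepage_name = '{}: {}'.format(meta.codepage, get_codepage_name(meta.codepage))
+codepage = Indicator('codepage', codepage_name, _type=str,
+name='Properties code page', description='Code page used for properties',
+risk=RISK.INFO)
+self.indicators.append(codepage)
+author = Indicator('author', meta.author, _type=str,
+name='Author', description='Author declared in properties',
+risk=RISK.INFO)
+self.indicators.append(author)
+return appname, codepage, author
 
 def get_indicator(self, indicator_id):
 """Helper function: returns an indicator if present (or None)"""
@@ -471,7 +474,12 @@ class OleID(object):
 """
 vba_indicator = Indicator(_id='vba', value='No', _type=str, name='VBA Macros',
 description='This file does not contain VBA macros.',
-risk=RISK.NONE)
+risk=RISK.NONE, hide_if_false=False)
+if self.ftg.filetype == ftguess.FTYPE.RTF:
+# For RTF we don't call olevba otherwise it triggers an error
+vba_indicator.description = 'RTF files cannot contain VBA macros'
+self.indicators.append(vba_indicator)
+return vba_indicator
 try:
 vba_parser = olevba.VBA_Parser(filename=self.filename, data=self.data)
 if vba_parser.detect_vba_macros():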
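Review bot: The docstring left as context at the top of the second hunk still promises `2 :py:class:`Indicator`s (for presence of summary info and application name)` and the old code returned `None, None`, but the new body returns three indicators (appname, codepage, author) or a bare `None`, and the `has_suminfo` indicator no longer exists, so any caller that unpacks a pair or calls `get_indicator('has_suminfo')` now breaks; update it to `:returns: 3 :py:class:`Indicator`s (application name, properties code page, author) or None if file was not opened` and check the callers, which are outside this hunk. The enclosing check_properties method starts before the hunk. All three values are declared by the file itself and `meta.codepage` is passed to `get_codepage_name` without validation, so confirm that helper returns a fallback string rather than raising for an unrecognised code page value, otherwise a malformed property stream aborts the whole scan. In the last hunk the description `'RTF files cannot contain VBA macros'` overstates what the early return does: olevba is simply not run, so an RTF that embeds a macro-bearing OLE object is still reported at RISK.NONE; `'VBA macros are not checked in RTF files'` describes the behaviour accurately.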