Commit 3d3fb43c910e8c1e30e2292a696c56d744059706

Authored by decalage2
1 parent e1e70de6

oleid: added indicators from properties

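--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -518,14 +518,14 @@ class FTYpe_Excel(FType_Base):
     name = 'MS Excel (generic)'
     longname = 'MS Excel Workbook or Template (generic)'
 
-class FType_Excel97(FTYpe_Excel):
+class FType_Excel97(FTYpe_Excel, FType_Generic_OLE):
     filetype = FTYPE.EXCEL97
     name = 'MS Excel 97 Workbook'
     longname = 'MS Excel 97-2003 Workbook or Template'
     CLSIDS = ('00020820-0000-0000-C000-000000000046',)
     extensions = ['xls', 'xlt', 'xla']
 
-class FType_Excel5(FTYpe_Excel):
+class FType_Excel5(FTYpe_Excel, FType_Generic_OLE):
     filetype = FTYPE.EXCEL5
     name = 'MS Excel 5.0/95 Workbook'
     longname = 'MS Excel 5.0/95 Workbook, Template or Add-in'
@@ -533,7 +533,7 @@ class FType_Excel5(FTYpe_Excel):
     extensions = ['xls', 'xlt', 'xla']
     # TODO: this CLSID is also used in Excel addins (.xla) saved by MS Excel 365
 
-class FTYpe_Excel2007(FTYpe_Excel):
+class FTYpe_Excel2007(FTYpe_Excel, FType_Generic_OpenXML):
     'Base class for all MS Excel 2007 file types'
     name = 'MS Excel 2007+ (generic)'
     longname = 'MS Excel 2007+ Workbook or Template (generic)'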
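Review bot: With `FTYpe_Excel` listed first in the new bases of `FType_Excel97`, `FType_Excel5` and `FTYpe_Excel2007`, the MRO resolves any attribute defined on `FType_Base` (reached via `FTYpe_Excel`) before the same attribute on `FType_Generic_OLE` or `FType_Generic_OpenXML`, so whatever container-level defaults the generic classes provide only take effect where the Excel branch leaves them undefined. If `FType_Base` and the generic classes share a common base, Python also requires a consistent linearization or the class statement raises `TypeError` at import time; presumably the existing tests cover that, but it is worth confirming. A one-line comment on each new class line, such as `# FType_Generic_OLE adds the OLE-container behaviour; FTYpe_Excel wins in the MRO`, would make the intent of the mixin order explicit for the next reader.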
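--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -100,6 +100,7 @@ if _parent_dir not in sys.path:
 from oletools.thirdparty.tablestream import tablestream
 from oletools import crypto, ftguess, olevba, mraptor
 from oletools.common.log_helper import log_helper
+from oletools.common.codepages import get_codepage_name
 
 # === LOGGING =================================================================
 
@@ -300,23 +301,25 @@ class OleID(object):
         :returns: 2 :py:class:`Indicator`s (for presence of summary info and
             application name) or None if file was not opened
         """
-        # TODO: use get_metadata
-        suminfo = Indicator('has_suminfo', False,
-                            name='Has SummaryInformation stream')
-        self.indicators.append(suminfo)
-        appname = Indicator('appname', 'unknown', _type=str,
-                            name='Application name')
-        self.indicators.append(appname)
         if not self.ole:
-            return None, None
-        self.suminfo_data = {}
-        # check stream SummaryInformation (not present e.g. in encrypted ppt)
-        if self.ole.exists("\x05SummaryInformation"):
-            suminfo.value = True
-            self.suminfo_data = self.ole.getproperties("\x05SummaryInformation")
-        # check application name:
-        appname.value = self.suminfo_data.get(0x12, 'unknown')
-        return suminfo, appname
+            return None
+        meta = self.ole.get_metadata()
+        appname = Indicator('appname', meta.creating_application, _type=str,
+                            name='Application name', description='Application name declared in properties',
+                            risk=RISK.INFO)
+        self.indicators.append(appname)
+        codepage_name = None
+        if meta.codepage is not None:
+            codepage_name = '{}: {}'.format(meta.codepage, get_codepage_name(meta.codepage))
+        codepage = Indicator('codepage', codepage_name, _type=str,
+                             name='Properties code page', description='Code page used for properties',
+                             risk=RISK.INFO)
+        self.indicators.append(codepage)
+        author = Indicator('author', meta.author, _type=str,
+                           name='Author', description='Author declared in properties',
+                           risk=RISK.INFO)
+        self.indicators.append(author)
+        return appname, codepage, author
 
     def get_indicator(self, indicator_id):
         """Helper function: returns an indicator if present (or None)"""
@@ -471,7 +474,12 @@ class OleID(object):
         """
         vba_indicator = Indicator(_id='vba', value='No', _type=str, name='VBA Macros',
                                   description='This file does not contain VBA macros.',
-                                  risk=RISK.NONE)
+                                  risk=RISK.NONE, hide_if_false=False)
+        if self.ftg.filetype == ftguess.FTYPE.RTF:
+            # For RTF we don't call olevba otherwise it triggers an error
+            vba_indicator.description = 'RTF files cannot contain VBA macros'
+            self.indicators.append(vba_indicator)
+            return vba_indicator
         try:
             vba_parser = olevba.VBA_Parser(filename=self.filename, data=self.data)
             if vba_parser.detect_vba_macros():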
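Review bot: The docstring kept as context at the top of the second hunk (old lines 300-302) still promises 2 Indicators for summary-info presence and application name, but the new body drops `has_suminfo`, adds `codepage` and `author`, and returns three values, so any caller that unpacks two results will now fail; rewrite it as `:returns: 3 :py:class:`Indicator`s (application name, properties code page, author) or None if file was not opened`, and check that nothing else still reads the `self.suminfo_data` attribute this method no longer assigns. `meta.creating_application` and `meta.author` are passed straight through as indicator values with `_type=str`, whereas the old code defaulted to `'unknown'`; if `get_metadata()` leaves them as None when the property is absent, the `Indicator` constructor presumably has to tolerate a None value of a declared str type, which is worth a quick check. Both values, like the code page, are whatever the document's property stream declares and go directly into the report, so normalizing control characters and undecodable bytes before display would keep the output robust against crafted metadata. The enclosing method's signature lies outside the hunk.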