Commit 451f4bfa1228315cc303039725bb1284c4fbce4c
1 parent
50ec5ee6
olevba: added several suspicious keywords, fixes #49
Showing
1 changed file
with
4 additions
and
3 deletions
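--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -219,7 +219,7 @@ from __future__ import print_function
 # 2019-05-23 v0.55 PL: - added option --pcode to call pcodedmp and display P-code
 # 2019-06-05 PL: - added VBA stomping detection
 
-__version__ = '0.55.dev2'
+__version__ = '0.55.dev3'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -704,8 +704,9 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a DLL using Excel 4 Macros (XLM/XLF)':
 ('REGISTER',),
 'May inject code into another process':
- ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
- 'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory'
+ ('CreateThread', 'CreateUserThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
+ 'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory',
+ 'SetContextThread', 'QueueApcThread', 'WriteVirtualMemory', 'VirtualProtect'
 ),
 'May run a shellcode in memory':
 ('EnumSystemLanguageGroupsW?', # Used by Hancitor in Oct 2016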
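Review bot: The four keywords added on the last new line of the second hunk carry no provenance comment, unlike the existing `# (issue #9) suggested by Davy Douhine` entry beside them, so a future reader cannot tell why these particular names were chosen or how they are expected to match. The names `SetContextThread`, `QueueApcThread` and `WriteVirtualMemory` look like deliberate substrings of the Nt*/Zw* native API names rather than Win32 exports, which only works because the neighbouring `EnumSystemLanguageGroupsW?` entry suggests these strings are used as patterns — worth stating, since a maintainer who later switches to exact matching would silently lose them. Suggest appending to that line `# (issue #49) substrings, also match the Nt*/Zw* native API variants`. The enclosing `SUSPICIOUS_KEYWORDS` dict starts before the hunk and continues after it.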