From 451f4bfa1228315cc303039725bb1284c4fbce4c Mon Sep 17 00:00:00 2001
From: decalage2
Date: Tue, 9 Jul 2019 18:23:31 +0200
Subject: [PATCH] olevba: added several suspicious keywords, fixes #49

---
 oletools/olevba.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/oletools/olevba.py b/oletools/olevba.py
index d8da451..c0e4e77 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -219,7 +219,7 @@ from __future__ import print_function
 # 2019-05-23 v0.55 PL: - added option --pcode to call pcodedmp and display P-code
 # 2019-06-05 PL: - added VBA stomping detection
 
-__version__ = '0.55.dev2'
+__version__ = '0.55.dev3'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -704,8 +704,9 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a DLL using Excel 4 Macros (XLM/XLF)': ('REGISTER',),
 'May inject code into another process':
- ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
- 'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory'
+ ('CreateThread', 'CreateUserThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload 'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory',
+ 'SetContextThread', 'QueueApcThread', 'WriteVirtualMemory', 'VirtualProtect'
 ),
 'May run a shellcode in memory':
 ('EnumSystemLanguageGroupsW?', # Used by Hancitor in Oct 2016
-- 
libgit2 0.21.4
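Review bot: The four names added on the new `+` lines of the second hunk — `CreateUserThread`, `SetContextThread`, `QueueApcThread`, `WriteVirtualMemory` — are the native exports with their prefix stripped (`RtlCreateUserThread`, `NtSetContextThread`, `NtQueueApcThread`, `NtWriteVirtualMemory`), and the Win32 counterpart of the second, `SetThreadContext`, is not covered at all. If the code that searches SUSPICIOUS_KEYWORDS uses a word-bounded regex, as I believe it does elsewhere in olevba (not visible in this hunk — please confirm), a `Declare ... Alias "NtWriteVirtualMemory"` will not match `WriteVirtualMemory` and the new entries stay silent on exactly the imports they are meant to flag; since the tuple entries are already regex fragments (`'EnumSystemLanguageGroupsW?'` two lines below), the prefix can be made optional: `'(?:Rtl)?CreateUserThread', '(?:Nt)?SetContextThread', 'SetThreadContext',` and `'(?:Nt)?QueueApcThread', '(?:Nt)?WriteVirtualMemory', 'VirtualProtect'`. The existing inline comment cites issue #9 for the original entries; a matching `# (issue #49)` marker on the new line would keep the provenance of the added names traceable, and a short note that `VirtualProtect` changes page permissions rather than writing into another process would explain why it sits in this group. The SUSPICIOUS_KEYWORDS dict continues outside the hunk.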