Commit 451f4bfa1228315cc303039725bb1284c4fbce4c
1 parent
50ec5ee6
olevba: added several suspicious keywords, fixes #49
Showing
1 changed file
with
4 additions
and
3 deletions
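--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -219,7 +219,7 @@ from __future__ import print_function
 # 2019-05-23 v0.55 PL: - added option --pcode to call pcodedmp and display P-code
 # 2019-06-05 PL: - added VBA stomping detection
 
-__version__ = '0.55.dev2'
+__version__ = '0.55.dev3'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -704,8 +704,9 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a DLL using Excel 4 Macros (XLM/XLF)':
 ('REGISTER',),
 'May inject code into another process':
-('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
-'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory'
+('CreateThread', 'CreateUserThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
+'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory',
+'SetContextThread', 'QueueApcThread', 'WriteVirtualMemory', 'VirtualProtect'
 ),
 'May run a shellcode in memory':
 ('EnumSystemLanguageGroupsW?', # Used by Hancitor in Oct 2016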
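Review bot: The names added on new lines 707 and 709 (`CreateUserThread`, `SetContextThread`, `QueueApcThread`, `WriteVirtualMemory`) read like native-API names with their `Rtl`/`Nt`/`Zw` prefix dropped; if, as the `EnumSystemLanguageGroupsW?` entry just below suggests, each keyword is searched as a regex fragment between word boundaries, then a `Declare` of `RtlCreateUserThread`, `NtSetContextThread`, `NtQueueApcThread` or `NtWriteVirtualMemory` would not be hit by these bare forms, and the Win32 spellings `SetThreadContext` and `QueueUserAPC` are not listed at all. Either confirm the matcher is substring-based, or write the entries with an optional prefix, e.g. `'(?:Rtl)?CreateUserThread'` and `'(?:Nt|Zw)?SetContextThread', '(?:Nt|Zw)?QueueApcThread', '(?:Nt|Zw)?WriteVirtualMemory'`, so both spellings are covered. The added entries also carry no provenance comment, unlike the neighbouring `# (issue #9)` and `# Used by Hancitor` notes; a trailing `# (issue #49)` on new line 709 would keep the table's convention. The SUSPICIOUS_KEYWORDS dict begins and ends outside this hunk.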