Commit 45db768096945ce5a17fa64a836761235a0069cb
1 parent
35786cc7
olevba: slight bugfix for VBA stomping detection, bumped to 0.55.1
Showing
2 changed files
with
6 additions
and
6 deletions
oletools/olevba.py
| @@ -225,7 +225,7 @@ from __future__ import print_function | @@ -225,7 +225,7 @@ from __future__ import print_function | ||
| 225 | # 2019-09-24 PL: - included DridexUrlDecode into olevba (issue #485) | 225 | # 2019-09-24 PL: - included DridexUrlDecode into olevba (issue #485) |
| 226 | # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK | 226 | # 2019-12-03 PL: - added support for SLK files and XLM macros in SLK |
| 227 | 227 | ||
| 228 | -__version__ = '0.55' | 228 | +__version__ = '0.55.1' |
| 229 | 229 | ||
| 230 | #------------------------------------------------------------------------------ | 230 | #------------------------------------------------------------------------------ |
| 231 | # TODO: | 231 | # TODO: |
| @@ -3570,8 +3570,8 @@ class VBA_Parser(object): | @@ -3570,8 +3570,8 @@ class VBA_Parser(object): | ||
| 3570 | :return: VBA P-code disassembly | 3570 | :return: VBA P-code disassembly |
| 3571 | :rtype: str | 3571 | :rtype: str |
| 3572 | """ | 3572 | """ |
| 3573 | - # Only run on OLE files | ||
| 3574 | - if self.type != TYPE_OLE: | 3573 | + # Text and SLK files cannot be stomped: |
| 3574 | + if self.type in (TYPE_SLK, TYPE_TEXT): | ||
| 3575 | self.pcodedmp_output = '' | 3575 | self.pcodedmp_output = '' |
| 3576 | return '' | 3576 | return '' |
| 3577 | # only run it once: | 3577 | # only run it once: |
| @@ -3632,8 +3632,8 @@ class VBA_Parser(object): | @@ -3632,8 +3632,8 @@ class VBA_Parser(object): | ||
| 3632 | :return: True if VBA stomping detected, False otherwise | 3632 | :return: True if VBA stomping detected, False otherwise |
| 3633 | :rtype: bool | 3633 | :rtype: bool |
| 3634 | """ | 3634 | """ |
| 3635 | - # Only run on OLE files | ||
| 3636 | - if self.type != TYPE_OLE: | 3635 | + # Text and SLK files cannot be stomped: |
| 3636 | + if self.type in (TYPE_SLK, TYPE_TEXT): | ||
| 3637 | self.vba_stomping_detected = False | 3637 | self.vba_stomping_detected = False |
| 3638 | return False | 3638 | return False |
| 3639 | # only run it once: | 3639 | # only run it once: |
setup.py
| @@ -52,7 +52,7 @@ import os, fnmatch | @@ -52,7 +52,7 @@ import os, fnmatch | ||
| 52 | #--- METADATA ----------------------------------------------------------------- | 52 | #--- METADATA ----------------------------------------------------------------- |
| 53 | 53 | ||
| 54 | name = "oletools" | 54 | name = "oletools" |
| 55 | -version = '0.55' | 55 | +version = '0.55.1' |
| 56 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" | 56 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 57 | long_desc = open('oletools/README.rst').read() | 57 | long_desc = open('oletools/README.rst').read() |
| 58 | author = "Philippe Lagadec" | 58 | author = "Philippe Lagadec" |