Commit 4f51278fda8d349d8b35d7f939986d14f554772a
1 parent
8a20f7b0
olevba: moved DridexUrlDecoder from 3rd party folder into olevba, fixes #485
Showing
5 changed files
with
44 additions
and
51 deletions
oletools/olevba.py
| ... | ... | @@ -218,8 +218,9 @@ from __future__ import print_function |
| 218 | 218 | # 2019-04-09 PL: - decompress_stream accepts bytes (issue #422) |
| 219 | 219 | # 2019-05-23 v0.55 PL: - added option --pcode to call pcodedmp and display P-code |
| 220 | 220 | # 2019-06-05 PL: - added VBA stomping detection |
| 221 | +# 2019-09-24 PL: - included DridexUrlDecode into olevba (issue #485) | |
| 221 | 222 | |
| 222 | -__version__ = '0.55.dev3' | |
| 223 | +__version__ = '0.55.dev4' | |
| 223 | 224 | |
| 224 | 225 | #------------------------------------------------------------------------------ |
| 225 | 226 | # TODO: |
| ... | ... | @@ -2201,6 +2202,46 @@ def detect_base64_strings(vba_code): |
| 2201 | 2202 | # if an exception occurs, it is likely not a base64-encoded string |
| 2202 | 2203 | return results |
| 2203 | 2204 | |
| 2205 | +# DridexUrlDecode written by James Habben | |
| 2206 | +# Originally published on https://github.com/JamesHabben/MalwareStuff | |
| 2207 | +# included here with James' permission | |
| 2208 | +# 2015-01-27 Slight modifications from Philippe Lagadec (PL) to use it from olevba | |
| 2209 | + | |
| 2210 | +def StripChars (input) : | |
| 2211 | + result = '' | |
| 2212 | + for c in input : | |
| 2213 | + if c.isdigit() : | |
| 2214 | + result += c | |
| 2215 | + return int(result) | |
| 2216 | + | |
| 2217 | +def StripCharsWithZero (input) : | |
| 2218 | + result = '' | |
| 2219 | + for c in input : | |
| 2220 | + if c.isdigit() : | |
| 2221 | + result += c | |
| 2222 | + else: | |
| 2223 | + result += '0' | |
| 2224 | + return int(result) | |
| 2225 | + | |
| 2226 | +def DridexUrlDecode (inputText) : | |
| 2227 | + work = inputText[4:-4] | |
| 2228 | + strKeyEnc = StripCharsWithZero(work[(len(work) / 2) - 2: (len(work) / 2)]) | |
| 2229 | + strKeySize = StripCharsWithZero(work[(len(work) / 2): (len(work) / 2) + 2]) | |
| 2230 | + nCharSize = strKeySize - strKeyEnc | |
| 2231 | + work = work[:(len(work) / 2) - 2] + work[(len(work) / 2) + 2:] | |
| 2232 | + strKeyEnc2 = StripChars(work[(len(work) / 2) - (nCharSize/2): (len(work) / 2) + (nCharSize/2)]) | |
| 2233 | + work = work[:(len(work) / 2) - (nCharSize/2)] + work[(len(work) / 2) + (nCharSize/2):] | |
| 2234 | + work_split = [work[i:i+nCharSize] for i in range(0, len(work), nCharSize)] | |
| 2235 | + decoded = '' | |
| 2236 | + for group in work_split: | |
| 2237 | + # sys.stdout.write(chr(StripChars(group)/strKeyEnc2)) | |
| 2238 | + decoded += chr(StripChars(group)/strKeyEnc2) | |
| 2239 | + return decoded | |
| 2240 | + | |
| 2241 | +# DridexUrlDecode("C3iY1epSRGe6q8g15xStVesdG717MAlg2H4hmV1vkL6Glnf0cknj") | |
| 2242 | +# DridexUrlDecode("HLIY3Nf3z2k8jD37h1n2OM3N712DGQ3c5M841RZ8C5e6P1C50C4ym1oF504WyV182p4mJ16cK9Z61l47h2dU1rVB5V681sFY728i16H3E2Qm1fn47y2cgAo156j8T1s600hukKO1568X1xE4Z7d2q17jvcwgk816Yz32o9Q216Mpr0B01vcwg856a17b9j2zAmWf1536B1t7d92rI1FZ5E36Pu1jl504Z34tm2R43i55Lg2F3eLE3T28lLX1D504348Goe8Gbdp37w443ADy36X0h14g7Wb2G3u584kEG332Ut8ws3wO584pzSTf") | |
| 2243 | +# DridexUrlDecode("YNPH1W47E211z3P6142cM4115K2J1696CURf1712N1OCJwc0w6Z16840Z1r600W16Z3273k6SR16Bf161Q92a016Vr16V1pc") | |
| 2244 | + | |
| 2204 | 2245 | |
| 2205 | 2246 | def detect_dridex_strings(vba_code): |
| 2206 | 2247 | """ |
| ... | ... | @@ -2209,9 +2250,6 @@ def detect_dridex_strings(vba_code): |
| 2209 | 2250 | :param vba_code: str, VBA source code |
| 2210 | 2251 | :return: list of str tuples (encoded string, decoded string) |
| 2211 | 2252 | """ |
| 2212 | - # TODO: move this at the beginning of script | |
| 2213 | - from oletools.thirdparty.DridexUrlDecoder.DridexUrlDecoder import DridexUrlDecode | |
| 2214 | - | |
| 2215 | 2253 | results = [] |
| 2216 | 2254 | found = set() |
| 2217 | 2255 | for match in re_dridex_string.finditer(vba_code): | ... | ... |
oletools/thirdparty/DridexUrlDecoder/DridexUrlDecoder.py deleted
| 1 | -# Written by @JamesHabben | |
| 2 | -# https://github.com/JamesHabben/MalwareStuff | |
| 3 | - | |
| 4 | -# 2015-01-27 Slight modifications from Philippe Lagadec (PL) to use it from olevba | |
| 5 | - | |
| 6 | -import sys | |
| 7 | - | |
| 8 | -def DridexUrlDecode (inputText) : | |
| 9 | - work = inputText[4:-4] | |
| 10 | - strKeyEnc = StripCharsWithZero(work[(len(work) / 2) - 2: (len(work) / 2)]) | |
| 11 | - strKeySize = StripCharsWithZero(work[(len(work) / 2): (len(work) / 2) + 2]) | |
| 12 | - nCharSize = strKeySize - strKeyEnc | |
| 13 | - work = work[:(len(work) / 2) - 2] + work[(len(work) / 2) + 2:] | |
| 14 | - strKeyEnc2 = StripChars(work[(len(work) / 2) - (nCharSize/2): (len(work) / 2) + (nCharSize/2)]) | |
| 15 | - work = work[:(len(work) / 2) - (nCharSize/2)] + work[(len(work) / 2) + (nCharSize/2):] | |
| 16 | - work_split = [work[i:i+nCharSize] for i in range(0, len(work), nCharSize)] | |
| 17 | - decoded = '' | |
| 18 | - for group in work_split: | |
| 19 | - # sys.stdout.write(chr(StripChars(group)/strKeyEnc2)) | |
| 20 | - decoded += chr(StripChars(group)/strKeyEnc2) | |
| 21 | - return decoded | |
| 22 | - | |
| 23 | -def StripChars (input) : | |
| 24 | - result = '' | |
| 25 | - for c in input : | |
| 26 | - if c.isdigit() : | |
| 27 | - result += c | |
| 28 | - return int(result) | |
| 29 | - | |
| 30 | -def StripCharsWithZero (input) : | |
| 31 | - result = '' | |
| 32 | - for c in input : | |
| 33 | - if c.isdigit() : | |
| 34 | - result += c | |
| 35 | - else: | |
| 36 | - result += '0' | |
| 37 | - return int(result) | |
| 38 | - | |
| 39 | - | |
| 40 | -# DridexUrlDecode("C3iY1epSRGe6q8g15xStVesdG717MAlg2H4hmV1vkL6Glnf0cknj") | |
| 41 | -# DridexUrlDecode("HLIY3Nf3z2k8jD37h1n2OM3N712DGQ3c5M841RZ8C5e6P1C50C4ym1oF504WyV182p4mJ16cK9Z61l47h2dU1rVB5V681sFY728i16H3E2Qm1fn47y2cgAo156j8T1s600hukKO1568X1xE4Z7d2q17jvcwgk816Yz32o9Q216Mpr0B01vcwg856a17b9j2zAmWf1536B1t7d92rI1FZ5E36Pu1jl504Z34tm2R43i55Lg2F3eLE3T28lLX1D504348Goe8Gbdp37w443ADy36X0h14g7Wb2G3u584kEG332Ut8ws3wO584pzSTf") | |
| 42 | -# DridexUrlDecode("YNPH1W47E211z3P6142cM4115K2J1696CURf1712N1OCJwc0w6Z16840Z1r600W16Z3273k6SR16Bf161Q92a016Vr16V1pc") |
oletools/thirdparty/DridexUrlDecoder/LICENSE.txt deleted
oletools/thirdparty/DridexUrlDecoder/__init__.py deleted
setup.py
| ... | ... | @@ -31,6 +31,7 @@ to install this package. |
| 31 | 31 | # 2019-02-26 CH: - add optional dependency msoffcrypto for decryption |
| 32 | 32 | # 2019-05-22 PL: - 'msoffcrypto-tool' is now a required dependency |
| 33 | 33 | # 2019-05-23 v0.55 PL: - added pcodedmp as dependency |
| 34 | +# 2019-09-24 PL: - removed oletools.thirdparty.DridexUrlDecoder | |
| 34 | 35 | |
| 35 | 36 | #--- TODO --------------------------------------------------------------------- |
| 36 | 37 | |
| ... | ... | @@ -50,7 +51,7 @@ import os, fnmatch |
| 50 | 51 | #--- METADATA ----------------------------------------------------------------- |
| 51 | 52 | |
| 52 | 53 | name = "oletools" |
| 53 | -version = '0.55.dev3' | |
| 54 | +version = '0.55.dev4' | |
| 54 | 55 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 55 | 56 | long_desc = open('oletools/README.rst').read() |
| 56 | 57 | author = "Philippe Lagadec" |
| ... | ... | @@ -91,7 +92,6 @@ packages=[ |
| 91 | 92 | 'oletools.thirdparty.xxxswf', |
| 92 | 93 | 'oletools.thirdparty.prettytable', |
| 93 | 94 | 'oletools.thirdparty.xglob', |
| 94 | - 'oletools.thirdparty.DridexUrlDecoder', | |
| 95 | 95 | 'oletools.thirdparty.tablestream', |
| 96 | 96 | 'oletools.thirdparty.oledump', |
| 97 | 97 | ] | ... | ... |