Commit 552254f1e0f198c615149cc6030f621e3762cb69
1 parent
1fb8a986
olevba: detect and replace backspace characters before printing to the console (issue #358)
Showing
2 changed files
with
10 additions
and
2 deletions
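--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -207,8 +207,9 @@ from __future__ import print_function
 # 2018-04-15 v0.53 PL: - added support for Word/PowerPoint 2007+ XML (FlatOPC)
 # (issue #283)
 # 2018-09-11 v0.54 PL: - olefile is now a dependency
+# 2018-10-08 PL: - replace backspace before printing to console (issue #358)
 
-__version__ = '0.54dev1'
+__version__ = '0.54dev2'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -699,6 +700,8 @@ SUSPICIOUS_KEYWORDS = {
 'DisableUnsafeLocationsInPV', 'blockcontentexecutionfrominternet'),
 'May attempt to modify the VBA code (self-modification)':
 ('VBProject', 'VBComponents', 'CodeModule', 'AddFromString'),
+'May use special characters such as backspace to obfuscate code when printed on the console':
+('\b',),
 }
 
 # Regular Expression for a URL:
@@ -3222,6 +3225,11 @@ class VBA_Parser_CLI(VBA_Parser):
 if vba_code_filtered.strip() == '':
 print('(empty macro)')
 else:
+# check if the VBA code contains special characters such as backspace (issue #358)
+if b'\x08' in vba_code_filtered:
+log.warning('The VBA code contains special characters such as backspace, that may be used for obfuscation.')
+# replace backspace by "\x08" for display
+vba_code_filtered = vba_code_filtered.replace(b'\x08', b'\\x08')
 print(vba_code_filtered)
 for (subfilename, stream_path, form_string) in self.extract_form_strings():
 print('-' * 79)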
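Review bot: The check `if b'\x08' in vba_code_filtered:` assumes vba_code_filtered is a bytes object; if it is a text string under Python 3 (the file imports `print_function` from `__future__`, so both interpreters appear to be targeted), the membership test raises TypeError and so would the following `.replace(b'\x08', b'\\x08')`, aborting the dump instead of printing it. A form that works for either type picks the needle by type first, e.g. `bs = b'\x08' if isinstance(vba_code_filtered, bytes) else '\x08'`, then uses `bs in vba_code_filtered` and `vba_code_filtered.replace(bs, bs.__class__(b'\\x08' if isinstance(bs, bytes) else '\\x08'))` in the two lines that follow. Only 0x08 is rewritten, while other characters a terminal interprets (a bare carriage return, ESC) pass through unchanged, so the warning text "special characters such as backspace" promises more than the code checks — either narrow the message to backspace or escape every byte below 0x20 except tab, LF and CR. The same representation question applies to the hunk at SUSPICIOUS_KEYWORDS, where the new keyword is written `'\b'`; a comment such as `# '\b' is the backspace character (0x08), not a regex word boundary` would prevent misreading it. The enclosing method of VBA_Parser_CLI starts and ends outside the hunk.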
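--- a/setup.py
+++ b/setup.py
@@ -46,7 +46,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.54dev1'
+version = '0.54dev2'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"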