Peter M. Groen / oletools

Commit 5a23b490f898cc6a7901f6d3ad3449c2505f6850

Authored by Philippe Lagadec
1 parent ac2f7443

added olevba: a new tool to extract VBA macro code from MS Office documents

Inline Side-by-side
Showing 1 changed file with 658 additions and 0 deletions
oletools/olevba.py 0 → 100644
  View file @5a23b49
  1 +#!/usr/bin/env python
  2 +"""
  3 +olevba.py v0.02 2014-08-15
  4 +
  5 +olevba is a script to parse OLE files such as MS Office documents (e.g. Word,
  6 +Excel), to extract VBA Macro code in clear text.
  7 +
  8 +olevba project website: http://www.decalage.info/python/olevba
  9 +
  10 +olevba is part of the python-oletools package:
  11 +http://www.decalage.info/python/oletools
  12 +
  13 +Usage: olevba.py <file>
  14 +"""
  15 +
  16 +__version__ = '0.02'
  17 +
  18 +#=== LICENSE ==================================================================
  19 +
  20 +# olevba is copyright (c) 2014 Philippe Lagadec (http://www.decalage.info)
  21 +# All rights reserved.
  22 +#
  23 +# Redistribution and use in source and binary forms, with or without modification,
  24 +# are permitted provided that the following conditions are met:
  25 +#
  26 +# * Redistributions of source code must retain the above copyright notice, this
  27 +# list of conditions and the following disclaimer.
  28 +# * Redistributions in binary form must reproduce the above copyright notice,
  29 +# this list of conditions and the following disclaimer in the documentation
  30 +# and/or other materials provided with the distribution.
  31 +#
  32 +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
  33 +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
  34 +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  35 +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
  36 +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  37 +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
  38 +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  39 +# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
  40 +# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
  41 +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  42 +
  43 +
  44 +# olevba contains modified source code from the officeparser project, published
  45 +# under the following MIT License (MIT):
  46 +#
  47 +# officeparser is copyright (c) 2014 John William Davison
  48 +#
  49 +# Permission is hereby granted, free of charge, to any person obtaining a copy
  50 +# of this software and associated documentation files (the "Software"), to deal
  51 +# in the Software without restriction, including without limitation the rights
  52 +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  53 +# copies of the Software, and to permit persons to whom the Software is
  54 +# furnished to do so, subject to the following conditions:
  55 +#
  56 +# The above copyright notice and this permission notice shall be included in all
  57 +# copies or substantial portions of the Software.
  58 +#
  59 +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  60 +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  61 +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
  62 +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  63 +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  64 +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  65 +# SOFTWARE.
  66 +
  67 +#------------------------------------------------------------------------------
  68 +# CHANGELOG:
  69 +# 2014-08-05 v0.01 PL: - first version based on officeparser code
  70 +# 2014-08-14 v0.02 PL: - fixed bugs in code, added license from officeparser
  71 +# 2014-08-15 PL: - fixed incorrect value check in PROJECTHELPFILEPATH Record
  72 +
  73 +#------------------------------------------------------------------------------
  74 +# TODO:
  75 +# + optparse
  76 +# + nicer output
  77 +# + output to file
  78 +# + setup logging (common with other oletools)
  79 +# + support OpenXML files
  80 +# + process several files in dirs or zips with password
  81 +# + look for VBA in embedded documents (e.g. Excel in Word)
  82 +# - python 3.x support
  83 +# - add support for PowerPoint macros (see libclamav, libgsf)
  84 +# - check VBA macros in Visio, Access, Project, etc
  85 +# - extract_macros: convert to a class, split long function into smaller methods
  86 +# - extract_macros: read bytes from stream file objects instead of strings
  87 +# - extract_macros: use combined struct.unpack instead of many calls
  88 +
  89 +#------------------------------------------------------------------------------
  90 +# REFERENCES:
  91 +# - [MS-OVBA]: Microsoft Office VBA File Format Structure
  92 +# http://msdn.microsoft.com/en-us/library/office/cc313094%28v=office.12%29.aspx
  93 +# - officeparser: https://github.com/unixfreak0037/officeparser
  94 +
  95 +
  96 +#--- IMPORTS ------------------------------------------------------------------
  97 +
  98 +import sys, logging
  99 +import struct
  100 +import cStringIO
  101 +import math
  102 +
  103 +from thirdparty.OleFileIO_PL import OleFileIO_PL
  104 +
  105 +#--- CONSTANTS ----------------------------------------------------------------
  106 +
  107 +MODULE_EXTENSION = "bas"
  108 +CLASS_EXTENSION = "cls"
  109 +FORM_EXTENSION = "frm"
  110 +
  111 +BINFILE_PATH = "xl/vbaProject.bin"
  112 +
  113 +
  114 +#--- FUNCTIONS ----------------------------------------------------------------
  115 +
  116 +def copytoken_help(decompressed_current, decompressed_chunk_start):
  117 + """
  118 + compute bit masks to decode a CopyToken according to MS-OVBA 2.4.1.3.19.1 CopyToken Help
  119 +
  120 + decompressed_current: number of decompressed bytes so far, i.e. len(decompressed_container)
  121 + decompressed_chunk_start: offset of the current chunk in the decompressed container
  122 + return length_mask, offset_mask, bit_count, maximum_length
  123 + """
  124 + difference = decompressed_current - decompressed_chunk_start
  125 + bit_count = int(math.ceil(math.log(difference, 2)))
  126 + bit_count = max([bit_count, 4])
  127 + length_mask = 0xFFFF >> bit_count
  128 + offset_mask = ~length_mask
  129 + maximum_length = (0xFFFF >> bit_count) + 3
  130 + return length_mask, offset_mask, bit_count, maximum_length
  131 +
  132 +
  133 +def decompress_stream (compressed_container):
  134 + """
  135 + Decompress a stream according to MS-OVBA section 2.4.1
  136 +
  137 + compressed_container: string compressed according to the MS-OVBA 2.4.1.3.6 Compression algorithm
  138 + return the decompressed container as a string (bytes)
  139 + """
  140 + # 2.4.1.2 State Variables
  141 +
  142 + # The following state is maintained for the CompressedContainer (section 2.4.1.1.1):
  143 + # CompressedRecordEnd: The location of the byte after the last byte in the CompressedContainer (section 2.4.1.1.1).
  144 + # CompressedCurrent: The location of the next byte in the CompressedContainer (section 2.4.1.1.1) to be read by
  145 + # decompression or to be written by compression.
  146 +
  147 + # The following state is maintained for the current CompressedChunk (section 2.4.1.1.4):
  148 + # CompressedChunkStart: The location of the first byte of the CompressedChunk (section 2.4.1.1.4) within the
  149 + # CompressedContainer (section 2.4.1.1.1).
  150 +
  151 + # The following state is maintained for a DecompressedBuffer (section 2.4.1.1.2):
  152 + # DecompressedCurrent: The location of the next byte in the DecompressedBuffer (section 2.4.1.1.2) to be written by
  153 + # decompression or to be read by compression.
  154 + # DecompressedBufferEnd: The location of the byte after the last byte in the DecompressedBuffer (section 2.4.1.1.2).
  155 +
  156 + # The following state is maintained for the current DecompressedChunk (section 2.4.1.1.3):
  157 + # DecompressedChunkStart: The location of the first byte of the DecompressedChunk (section 2.4.1.1.3) within the
  158 + # DecompressedBuffer (section 2.4.1.1.2).
  159 +
  160 + decompressed_container = '' # result
  161 + compressed_current = 0
  162 +
  163 + sig_byte = ord(compressed_container[compressed_current])
  164 + if sig_byte != 0x01:
  165 + raise ValueError('invalid signature byte {0:02X}'.format(sig_byte))
  166 +
  167 + compressed_current += 1
  168 +
  169 + #NOTE: the definition of CompressedRecordEnd is ambiguous. Here we assume that
  170 + # CompressedRecordEnd = len(compressed_container)
  171 + while compressed_current < len(compressed_container):
  172 + # 2.4.1.1.5
  173 + compressed_chunk_start = compressed_current
  174 + # chunk header = first 16 bits
  175 + compressed_chunk_header = struct.unpack("<H", compressed_container[compressed_chunk_start:compressed_chunk_start + 2])[0]
  176 + # chunk size = 12 first bits of header + 3
  177 + chunk_size = (compressed_chunk_header & 0x0FFF) + 3
  178 + # chunk signature = 3 next bits - should always be 0b011
  179 + chunk_signature = (compressed_chunk_header >> 12) & 0x07
  180 + if chunk_signature != 0b011:
  181 + raise ValueError('Invalid CompressedChunkSignature in VBA compressed stream')
  182 + # chunk flag = next bit - 1 == compressed, 0 == uncompressed
  183 + chunk_flag = (compressed_chunk_header >> 15) & 0x01
  184 + logging.debug("chunk size = {0}, compressed flag = {1}".format(chunk_size, chunk_flag))
  185 +
  186 + #MS-OVBA 2.4.1.3.12: the maximum size of a chunk including its header is 4098 bytes (header 2 + data 4096)
  187 + # The minimum size is 3 bytes
  188 + # NOTE: there seems to be a typo in MS-OVBA, the check should be with 4098, not 4095 (which is the max value
  189 + # in chunk header before adding 3.
  190 + # Also the first test is not useful since a 12 bits value cannot be larger than 4095.
  191 + if chunk_flag == 1 and chunk_size > 4098:
  192 + raise ValueError('CompressedChunkSize > 4098 but CompressedChunkFlag == 1')
  193 + if chunk_flag == 0 and chunk_size != 4098:
  194 + raise ValueError('CompressedChunkSize != 4098 but CompressedChunkFlag == 0')
  195 +
  196 + # check if chunk_size goes beyond the compressed data, instead of silently cutting it:
  197 + #TODO: raise an exception?
  198 + if compressed_chunk_start + chunk_size > len(compressed_container):
  199 + logging.warning('Chunk size is larger than remaining compressed data')
  200 + compressed_end = min([len(compressed_container), compressed_chunk_start + chunk_size])
  201 + # read after chunk header:
  202 + compressed_current = compressed_chunk_start + 2
  203 +
  204 + if chunk_flag == 0:
  205 + # MS-OVBA 2.4.1.3.3 Decompressing a RawChunk
  206 + # uncompressed chunk: read the next 4096 bytes as-is
  207 + #TODO: check if there are at least 4096 bytes left
  208 + decompressed_container += compressed_container[compressed_current:compressed_current + 4096]
  209 + compressed_current += 4096
  210 + else:
  211 + # MS-OVBA 2.4.1.3.2 Decompressing a CompressedChunk
  212 + # compressed chunk
  213 + decompressed_chunk_start = len(decompressed_container)
  214 + while compressed_current < compressed_end:
  215 + # MS-OVBA 2.4.1.3.4 Decompressing a TokenSequence
  216 + # logging.debug('compressed_current = %d / compressed_end = %d' % (compressed_current, compressed_end))
  217 + # FlagByte: 8 bits indicating if the following 8 tokens are either literal (1 byte of plain text) or
  218 + # copy tokens (reference to a previous literal token)
  219 + flag_byte = ord(compressed_container[compressed_current])
  220 + compressed_current += 1
  221 + for bit_index in xrange(0, 8):
  222 + # logging.debug('bit_index=%d / compressed_current=%d / compressed_end=%d' % (bit_index, compressed_current, compressed_end))
  223 + if compressed_current >= compressed_end:
  224 + break
  225 + # MS-OVBA 2.4.1.3.5 Decompressing a Token
  226 + # MS-OVBA 2.4.1.3.17 Extract FlagBit
  227 + flag_bit = (flag_byte >> bit_index) & 1
  228 + #logging.debug('bit_index=%d: flag_bit=%d' % (bit_index, flag_bit))
  229 + if flag_bit == 0: # LiteralToken
  230 + # copy one byte directly to output
  231 + decompressed_container += compressed_container[compressed_current]
  232 + compressed_current += 1
  233 + else: # CopyToken
  234 + # MS-OVBA 2.4.1.3.19.2 Unpack CopyToken
  235 + copy_token = struct.unpack("<H", compressed_container[compressed_current:compressed_current + 2])[0]
  236 + #TODO: check this
  237 + length_mask, offset_mask, bit_count, maximum_length = copytoken_help(
  238 + len(decompressed_container), decompressed_chunk_start)
  239 + length = (copy_token & length_mask) + 3
  240 + temp1 = copy_token & offset_mask
  241 + temp2 = 16 - bit_count
  242 + offset = (temp1 >> temp2) + 1
  243 + #logging.debug('offset=%d length=%d' % (offset, length))
  244 + copy_source = len(decompressed_container) - offset
  245 + for index in xrange(copy_source, copy_source + length):
  246 + decompressed_container += decompressed_container[index]
  247 + compressed_current += 2
  248 + return decompressed_container
  249 +
  250 +
  251 +def extract_macros(ole):
  252 + """
  253 + Extract VBA macros from an OLE file
  254 + """
  255 + # Find the VBA project root (different in MS Word, Excel, etc):
  256 + vba_root = None
  257 + for stream in ('Macros', '_VBA_PROJECT_CUR'):
  258 + if ole.exists(stream):
  259 + logging.debug('found VBA root stream: %s' % stream)
  260 + vba_root = stream
  261 + break
  262 + if vba_root is None:
  263 + logging.debug('VBA root stream not found')
  264 + return None
  265 + # Find the PROJECT stream:
  266 + project = None
  267 + project_path = vba_root + '/PROJECT'
  268 + if ole.exists(project_path):
  269 + logging.debug('found PROJECT stream: %s' % project_path)
  270 + project = ole.openstream(project_path)
  271 + else:
  272 + logging.debug('missing PROJECT stream')
  273 + return None
  274 +
  275 + # sample content of the PROJECT stream:
  276 +
  277 + ## ID="{5312AC8A-349D-4950-BDD0-49BE3C4DD0F0}"
  278 + ## Document=ThisDocument/&H00000000
  279 + ## Module=NewMacros
  280 + ## Name="Project"
  281 + ## HelpContextID="0"
  282 + ## VersionCompatible32="393222000"
  283 + ## CMG="F1F301E705E705E705E705"
  284 + ## DPB="8F8D7FE3831F2020202020"
  285 + ## GC="2D2FDD81E51EE61EE6E1"
  286 + ##
  287 + ## [Host Extender Info]
  288 + ## &H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000
  289 + ## &H00000002={000209F2-0000-0000-C000-000000000046};Word8.0;&H00000000
  290 + ##
  291 + ## [Workspace]
  292 + ## ThisDocument=22, 29, 339, 477, Z
  293 + ## NewMacros=-4, 42, 832, 510, C
  294 +
  295 + code_modules = {}
  296 +
  297 + for line in project:
  298 + line = line.strip()
  299 + if '=' in line:
  300 + # split line at the 1st equal sign:
  301 + name, value = line.split('=', 1)
  302 + # looking for code modules
  303 + # add the code module as a key in the dictionary
  304 + # the value will be the extension needed later
  305 + if name == 'Document':
  306 + # split value at the 1st slash, keep 1st part:
  307 + value = value.split('/', 1)[0]
  308 + code_modules[value] = CLASS_EXTENSION
  309 + elif name == 'Module':
  310 + code_modules[value] = MODULE_EXTENSION
  311 + elif name == 'Class':
  312 + code_modules[value] = CLASS_EXTENSION
  313 + elif name == 'BaseClass':
  314 + code_modules[value] = FORM_EXTENSION
  315 +
  316 + # Find the dir stream
  317 + dir_path = vba_root + '/VBA/dir'
  318 + if not ole.exists(dir_path):
  319 + logging.debug('missing dir stream')
  320 + return None
  321 + # read data from dir stream (compressed)
  322 + dir_compressed = ole.openstream(dir_path).read()
  323 +
  324 + def check_value(name, expected, value):
  325 + if expected != value:
  326 + logging.error("invalid value for {0} expected {1:04X} got {2:04X}".format(name, expected, value))
  327 +
  328 + dir_stream = cStringIO.StringIO(decompress_stream(dir_compressed))
  329 +
  330 + # PROJECTSYSKIND Record
  331 + PROJECTSYSKIND_Id = struct.unpack("<H", dir_stream.read(2))[0]
  332 + check_value('PROJECTSYSKIND_Id', 0x0001, PROJECTSYSKIND_Id)
  333 + PROJECTSYSKIND_Size = struct.unpack("<L", dir_stream.read(4))[0]
  334 + check_value('PROJECTSYSKIND_Size', 0x0004, PROJECTSYSKIND_Size)
  335 + PROJECTSYSKIND_SysKind = struct.unpack("<L", dir_stream.read(4))[0]
  336 + if PROJECTSYSKIND_SysKind == 0x00:
  337 + logging.debug("16-bit Windows")
  338 + elif PROJECTSYSKIND_SysKind == 0x01:
  339 + logging.debug("32-bit Windows")
  340 + elif PROJECTSYSKIND_SysKind == 0x02:
  341 + logging.debug("Macintosh")
  342 + elif PROJECTSYSKIND_SysKind == 0x03:
  343 + logging.debug("64-bit Windows")
  344 + else:
  345 + logging.error("invalid PROJECTSYSKIND_SysKind {0:04X}".format(PROJECTSYSKIND_SysKind))
  346 +
  347 + # PROJECTLCID Record
  348 + PROJECTLCID_Id = struct.unpack("<H", dir_stream.read(2))[0]
  349 + check_value('PROJECTLCID_Id', 0x0002, PROJECTLCID_Id)
  350 + PROJECTLCID_Size = struct.unpack("<L", dir_stream.read(4))[0]
  351 + check_value('PROJECTLCID_Size', 0x0004, PROJECTLCID_Size)
  352 + PROJECTLCID_Lcid = struct.unpack("<L", dir_stream.read(4))[0]
  353 + check_value('PROJECTLCID_Lcid', 0x409, PROJECTLCID_Lcid)
  354 +
  355 + # PROJECTLCIDINVOKE Record
  356 + PROJECTLCIDINVOKE_Id = struct.unpack("<H", dir_stream.read(2))[0]
  357 + check_value('PROJECTLCIDINVOKE_Id', 0x0014, PROJECTLCIDINVOKE_Id)
  358 + PROJECTLCIDINVOKE_Size = struct.unpack("<L", dir_stream.read(4))[0]
  359 + check_value('PROJECTLCIDINVOKE_Size', 0x0004, PROJECTLCIDINVOKE_Size)
  360 + PROJECTLCIDINVOKE_LcidInvoke = struct.unpack("<L", dir_stream.read(4))[0]
  361 + check_value('PROJECTLCIDINVOKE_LcidInvoke', 0x409, PROJECTLCIDINVOKE_LcidInvoke)
  362 +
  363 + # PROJECTCODEPAGE Record
  364 + PROJECTCODEPAGE_Id = struct.unpack("<H", dir_stream.read(2))[0]
  365 + check_value('PROJECTCODEPAGE_Id', 0x0003, PROJECTCODEPAGE_Id)
  366 + PROJECTCODEPAGE_Size = struct.unpack("<L", dir_stream.read(4))[0]
  367 + check_value('PROJECTCODEPAGE_Size', 0x0002, PROJECTCODEPAGE_Size)
  368 + PROJECTCODEPAGE_CodePage = struct.unpack("<H", dir_stream.read(2))[0]
  369 +
  370 + # PROJECTNAME Record
  371 + PROJECTNAME_Id = struct.unpack("<H", dir_stream.read(2))[0]
  372 + check_value('PROJECTNAME_Id', 0x0004, PROJECTNAME_Id)
  373 + PROJECTNAME_SizeOfProjectName = struct.unpack("<L", dir_stream.read(4))[0]
  374 + if PROJECTNAME_SizeOfProjectName < 1 or PROJECTNAME_SizeOfProjectName > 128:
  375 + logging.error("PROJECTNAME_SizeOfProjectName value not in range: {0}".format(PROJECTNAME_SizeOfProjectName))
  376 + PROJECTNAME_ProjectName = dir_stream.read(PROJECTNAME_SizeOfProjectName)
  377 +
  378 + # PROJECTDOCSTRING Record
  379 + PROJECTDOCSTRING_Id = struct.unpack("<H", dir_stream.read(2))[0]
  380 + check_value('PROJECTDOCSTRING_Id', 0x0005, PROJECTDOCSTRING_Id)
  381 + PROJECTDOCSTRING_SizeOfDocString = struct.unpack("<L", dir_stream.read(4))[0]
  382 + if PROJECTNAME_SizeOfProjectName > 2000:
  383 + logging.error("PROJECTDOCSTRING_SizeOfDocString value not in range: {0}".format(PROJECTDOCSTRING_SizeOfDocString))
  384 + PROJECTDOCSTRING_DocString = dir_stream.read(PROJECTDOCSTRING_SizeOfDocString)
  385 + PROJECTDOCSTRING_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  386 + check_value('PROJECTDOCSTRING_Reserved', 0x0040, PROJECTDOCSTRING_Reserved)
  387 + PROJECTDOCSTRING_SizeOfDocStringUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  388 + if PROJECTDOCSTRING_SizeOfDocStringUnicode % 2 != 0:
  389 + logging.error("PROJECTDOCSTRING_SizeOfDocStringUnicode is not even")
  390 + PROJECTDOCSTRING_DocStringUnicode = dir_stream.read(PROJECTDOCSTRING_SizeOfDocStringUnicode)
  391 +
  392 + # PROJECTHELPFILEPATH Record - MS-OVBA 2.3.4.2.1.7
  393 + PROJECTHELPFILEPATH_Id = struct.unpack("<H", dir_stream.read(2))[0]
  394 + check_value('PROJECTHELPFILEPATH_Id', 0x0006, PROJECTHELPFILEPATH_Id)
  395 + PROJECTHELPFILEPATH_SizeOfHelpFile1 = struct.unpack("<L", dir_stream.read(4))[0]
  396 + if PROJECTHELPFILEPATH_SizeOfHelpFile1 > 260:
  397 + logging.error("PROJECTHELPFILEPATH_SizeOfHelpFile1 value not in range: {0}".format(PROJECTHELPFILEPATH_SizeOfHelpFile1))
  398 + PROJECTHELPFILEPATH_HelpFile1 = dir_stream.read(PROJECTHELPFILEPATH_SizeOfHelpFile1)
  399 + PROJECTHELPFILEPATH_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  400 + check_value('PROJECTHELPFILEPATH_Reserved', 0x003D, PROJECTHELPFILEPATH_Reserved)
  401 + PROJECTHELPFILEPATH_SizeOfHelpFile2 = struct.unpack("<L", dir_stream.read(4))[0]
  402 + if PROJECTHELPFILEPATH_SizeOfHelpFile2 != PROJECTHELPFILEPATH_SizeOfHelpFile1:
  403 + logging.error("PROJECTHELPFILEPATH_SizeOfHelpFile1 does not equal PROJECTHELPFILEPATH_SizeOfHelpFile2")
  404 + PROJECTHELPFILEPATH_HelpFile2 = dir_stream.read(PROJECTHELPFILEPATH_SizeOfHelpFile2)
  405 + if PROJECTHELPFILEPATH_HelpFile2 != PROJECTHELPFILEPATH_HelpFile1:
  406 + logging.error("PROJECTHELPFILEPATH_HelpFile1 does not equal PROJECTHELPFILEPATH_HelpFile2")
  407 +
  408 + # PROJECTHELPCONTEXT Record
  409 + PROJECTHELPCONTEXT_Id = struct.unpack("<H", dir_stream.read(2))[0]
  410 + check_value('PROJECTHELPCONTEXT_Id', 0x0007, PROJECTHELPCONTEXT_Id)
  411 + PROJECTHELPCONTEXT_Size = struct.unpack("<L", dir_stream.read(4))[0]
  412 + check_value('PROJECTHELPCONTEXT_Size', 0x0004, PROJECTHELPCONTEXT_Size)
  413 + PROJECTHELPCONTEXT_HelpContext = struct.unpack("<L", dir_stream.read(4))[0]
  414 +
  415 + # PROJECTLIBFLAGS Record
  416 + PROJECTLIBFLAGS_Id = struct.unpack("<H", dir_stream.read(2))[0]
  417 + check_value('PROJECTLIBFLAGS_Id', 0x0008, PROJECTLIBFLAGS_Id)
  418 + PROJECTLIBFLAGS_Size = struct.unpack("<L", dir_stream.read(4))[0]
  419 + check_value('PROJECTLIBFLAGS_Size', 0x0004, PROJECTLIBFLAGS_Size)
  420 + PROJECTLIBFLAGS_ProjectLibFlags = struct.unpack("<L", dir_stream.read(4))[0]
  421 + check_value('PROJECTLIBFLAGS_ProjectLibFlags', 0x0000, PROJECTLIBFLAGS_ProjectLibFlags)
  422 +
  423 + # PROJECTVERSION Record
  424 + PROJECTVERSION_Id = struct.unpack("<H", dir_stream.read(2))[0]
  425 + check_value('PROJECTVERSION_Id', 0x0009, PROJECTVERSION_Id)
  426 + PROJECTVERSION_Reserved = struct.unpack("<L", dir_stream.read(4))[0]
  427 + check_value('PROJECTVERSION_Reserved', 0x0004, PROJECTVERSION_Reserved)
  428 + PROJECTVERSION_VersionMajor = struct.unpack("<L", dir_stream.read(4))[0]
  429 + PROJECTVERSION_VersionMinor = struct.unpack("<H", dir_stream.read(2))[0]
  430 +
  431 + # PROJECTCONSTANTS Record
  432 + PROJECTCONSTANTS_Id = struct.unpack("<H", dir_stream.read(2))[0]
  433 + check_value('PROJECTCONSTANTS_Id', 0x000C, PROJECTCONSTANTS_Id)
  434 + PROJECTCONSTANTS_SizeOfConstants = struct.unpack("<L", dir_stream.read(4))[0]
  435 + if PROJECTCONSTANTS_SizeOfConstants > 1015:
  436 + logging.error("PROJECTCONSTANTS_SizeOfConstants value not in range: {0}".format(PROJECTCONSTANTS_SizeOfConstants))
  437 + PROJECTCONSTANTS_Constants = dir_stream.read(PROJECTCONSTANTS_SizeOfConstants)
  438 + PROJECTCONSTANTS_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  439 + check_value('PROJECTCONSTANTS_Reserved', 0x003C, PROJECTCONSTANTS_Reserved)
  440 + PROJECTCONSTANTS_SizeOfConstantsUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  441 + if PROJECTCONSTANTS_SizeOfConstantsUnicode % 2 != 0:
  442 + logging.error("PROJECTCONSTANTS_SizeOfConstantsUnicode is not even")
  443 + PROJECTCONSTANTS_ConstantsUnicode = dir_stream.read(PROJECTCONSTANTS_SizeOfConstantsUnicode)
  444 +
  445 + # array of REFERENCE records
  446 + check = None
  447 + while True:
  448 + check = struct.unpack("<H", dir_stream.read(2))[0]
  449 + logging.debug("reference type = {0:04X}".format(check))
  450 + if check == 0x000F:
  451 + break
  452 +
  453 + if check == 0x0016:
  454 + # REFERENCENAME
  455 + REFERENCE_Id = check
  456 + REFERENCE_SizeOfName = struct.unpack("<L", dir_stream.read(4))[0]
  457 + REFERENCE_Name = dir_stream.read(REFERENCE_SizeOfName)
  458 + REFERENCE_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  459 + check_value('REFERENCE_Reserved', 0x003E, REFERENCE_Reserved)
  460 + REFERENCE_SizeOfNameUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  461 + REFERENCE_NameUnicode = dir_stream.read(REFERENCE_SizeOfNameUnicode)
  462 + continue
  463 +
  464 + if check == 0x0033:
  465 + # REFERENCEORIGINAL (followed by REFERENCECONTROL)
  466 + REFERENCEORIGINAL_Id = check
  467 + REFERENCEORIGINAL_SizeOfLibidOriginal = struct.unpack("<L", dir_stream.read(4))[0]
  468 + REFERENCEORIGINAL_LibidOriginal = dir_stream.read(REFERENCEORIGINAL_SizeOfLibidOriginal)
  469 + continue
  470 +
  471 + if check == 0x002F:
  472 + # REFERENCECONTROL
  473 + REFERENCECONTROL_Id = check
  474 + REFERENCECONTROL_SizeTwiddled = struct.unpack("<L", dir_stream.read(4))[0] # ignore
  475 + REFERENCECONTROL_SizeOfLibidTwiddled = struct.unpack("<L", dir_stream.read(4))[0]
  476 + REFERENCECONTROL_LibidTwiddled = dir_stream.read(REFERENCECONTROL_SizeOfLibidTwiddled)
  477 + REFERENCECONTROL_Reserved1 = struct.unpack("<L", dir_stream.read(4))[0] # ignore
  478 + check_value('REFERENCECONTROL_Reserved1', 0x0000, REFERENCECONTROL_Reserved1)
  479 + REFERENCECONTROL_Reserved2 = struct.unpack("<H", dir_stream.read(2))[0] # ignore
  480 + check_value('REFERENCECONTROL_Reserved2', 0x0000, REFERENCECONTROL_Reserved2)
  481 + # optional field
  482 + check2 = struct.unpack("<H", dir_stream.read(2))[0]
  483 + if check2 == 0x0016:
  484 + REFERENCECONTROL_NameRecordExtended_Id = check
  485 + REFERENCECONTROL_NameRecordExtended_SizeofName = struct.unpack("<L", dir_stream.read(4))[0]
  486 + REFERENCECONTROL_NameRecordExtended_Name = dir_stream.read(REFERENCECONTROL_NameRecordExtended_SizeofName)
  487 + REFERENCECONTROL_NameRecordExtended_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  488 + check_value('REFERENCECONTROL_NameRecordExtended_Reserved', 0x003E, REFERENCECONTROL_NameRecordExtended_Reserved)
  489 + REFERENCECONTROL_NameRecordExtended_SizeOfNameUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  490 + REFERENCECONTROL_NameRecordExtended_NameUnicode = dir_stream.read(REFERENCECONTROL_NameRecordExtended_SizeOfNameUnicode)
  491 + REFERENCECONTROL_Reserved3 = struct.unpack("<H", dir_stream.read(2))[0]
  492 + else:
  493 + REFERENCECONTROL_Reserved3 = check2
  494 +
  495 + check_value('REFERENCECONTROL_Reserved3', 0x0030, REFERENCECONTROL_Reserved3)
  496 + REFERENCECONTROL_SizeExtended = struct.unpack("<L", dir_stream.read(4))[0]
  497 + REFERENCECONTROL_SizeOfLibidExtended = struct.unpack("<L", dir_stream.read(4))[0]
  498 + REFERENCECONTROL_LibidExtended = dir_stream.read(REFERENCECONTROL_SizeOfLibidExtended)
  499 + REFERENCECONTROL_Reserved4 = struct.unpack("<L", dir_stream.read(4))[0]
  500 + REFERENCECONTROL_Reserved5 = struct.unpack("<H", dir_stream.read(2))[0]
  501 + REFERENCECONTROL_OriginalTypeLib = dir_stream.read(16)
  502 + REFERENCECONTROL_Cookie = struct.unpack("<L", dir_stream.read(4))[0]
  503 + continue
  504 +
  505 + if check == 0x000D:
  506 + # REFERENCEREGISTERED
  507 + REFERENCEREGISTERED_Id = check
  508 + REFERENCEREGISTERED_Size = struct.unpack("<L", dir_stream.read(4))[0]
  509 + REFERENCEREGISTERED_SizeOfLibid = struct.unpack("<L", dir_stream.read(4))[0]
  510 + REFERENCEREGISTERED_Libid = dir_stream.read(REFERENCEREGISTERED_SizeOfLibid)
  511 + REFERENCEREGISTERED_Reserved1 = struct.unpack("<L", dir_stream.read(4))[0]
  512 + check_value('REFERENCEREGISTERED_Reserved1', 0x0000, REFERENCEREGISTERED_Reserved1)
  513 + REFERENCEREGISTERED_Reserved2 = struct.unpack("<H", dir_stream.read(2))[0]
  514 + check_value('REFERENCEREGISTERED_Reserved2', 0x0000, REFERENCEREGISTERED_Reserved2)
  515 + continue
  516 +
  517 + if check == 0x000E:
  518 + # REFERENCEPROJECT
  519 + REFERENCEPROJECT_Id = check
  520 + REFERENCEPROJECT_Size = struct.unpack("<L", dir_stream.read(4))[0]
  521 + REFERENCEPROJECT_SizeOfLibidAbsolute = struct.unpack("<L", dir_stream.read(4))[0]
  522 + REFERENCEPROJECT_LibidAbsolute = dir_stream.read(REFERENCEPROJECT_SizeOfLibidAbsolute)
  523 + REFERENCEPROJECT_SizeOfLibidRelative = struct.unpack("<L", dir_stream.read(4))[0]
  524 + REFERENCEPROJECT_LibidRelative = dir_stream.read(REFERENCEPROJECT_SizeOfLibidRelative)
  525 + REFERENCEPROJECT_MajorVersion = struct.unpack("<L", dir_stream.read(4))[0]
  526 + REFERENCEPROJECT_MinorVersion = struct.unpack("<H", dir_stream.read(2))[0]
  527 + continue
  528 +
  529 + logging.error('invalid or unknown check Id {0:04X}'.format(check))
  530 + sys.exit(0)
  531 +
  532 + PROJECTMODULES_Id = check #struct.unpack("<H", dir_stream.read(2))[0]
  533 + check_value('PROJECTMODULES_Id', 0x000F, PROJECTMODULES_Id)
  534 + PROJECTMODULES_Size = struct.unpack("<L", dir_stream.read(4))[0]
  535 + check_value('PROJECTMODULES_Size', 0x0002, PROJECTMODULES_Size)
  536 + PROJECTMODULES_Count = struct.unpack("<H", dir_stream.read(2))[0]
  537 + PROJECTMODULES_ProjectCookieRecord_Id = struct.unpack("<H", dir_stream.read(2))[0]
  538 + check_value('PROJECTMODULES_ProjectCookieRecord_Id', 0x0013, PROJECTMODULES_ProjectCookieRecord_Id)
  539 + PROJECTMODULES_ProjectCookieRecord_Size = struct.unpack("<L", dir_stream.read(4))[0]
  540 + check_value('PROJECTMODULES_ProjectCookieRecord_Size', 0x0002, PROJECTMODULES_ProjectCookieRecord_Size)
  541 + PROJECTMODULES_ProjectCookieRecord_Cookie = struct.unpack("<H", dir_stream.read(2))[0]
  542 +
  543 + logging.debug("parsing {0} modules".format(PROJECTMODULES_Count))
  544 + for x in xrange(0, PROJECTMODULES_Count):
  545 + MODULENAME_Id = struct.unpack("<H", dir_stream.read(2))[0]
  546 + check_value('MODULENAME_Id', 0x0019, MODULENAME_Id)
  547 + MODULENAME_SizeOfModuleName = struct.unpack("<L", dir_stream.read(4))[0]
  548 + MODULENAME_ModuleName = dir_stream.read(MODULENAME_SizeOfModuleName)
  549 + # account for optional sections
  550 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  551 + if section_id == 0x0047:
  552 + MODULENAMEUNICODE_Id = section_id
  553 + MODULENAMEUNICODE_SizeOfModuleNameUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  554 + MODULENAMEUNICODE_ModuleNameUnicode = dir_stream.read(MODULENAMEUNICODE_SizeOfModuleNameUnicode)
  555 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  556 + if section_id == 0x001A:
  557 + MODULESTREAMNAME_id = section_id
  558 + MODULESTREAMNAME_SizeOfStreamName = struct.unpack("<L", dir_stream.read(4))[0]
  559 + MODULESTREAMNAME_StreamName = dir_stream.read(MODULESTREAMNAME_SizeOfStreamName)
  560 + MODULESTREAMNAME_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  561 + check_value('MODULESTREAMNAME_Reserved', 0x0032, MODULESTREAMNAME_Reserved)
  562 + MODULESTREAMNAME_SizeOfStreamNameUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  563 + MODULESTREAMNAME_StreamNameUnicode = dir_stream.read(MODULESTREAMNAME_SizeOfStreamNameUnicode)
  564 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  565 + if section_id == 0x001C:
  566 + MODULEDOCSTRING_Id = section_id
  567 + check_value('MODULEDOCSTRING_Id', 0x001C, MODULEDOCSTRING_Id)
  568 + MODULEDOCSTRING_SizeOfDocString = struct.unpack("<L", dir_stream.read(4))[0]
  569 + MODULEDOCSTRING_DocString = dir_stream.read(MODULEDOCSTRING_SizeOfDocString)
  570 + MODULEDOCSTRING_Reserved = struct.unpack("<H", dir_stream.read(2))[0]
  571 + check_value('MODULEDOCSTRING_Reserved', 0x0048, MODULEDOCSTRING_Reserved)
  572 + MODULEDOCSTRING_SizeOfDocStringUnicode = struct.unpack("<L", dir_stream.read(4))[0]
  573 + MODULEDOCSTRING_DocStringUnicode = dir_stream.read(MODULEDOCSTRING_SizeOfDocStringUnicode)
  574 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  575 + if section_id == 0x0031:
  576 + MODULEOFFSET_Id = section_id
  577 + check_value('MODULEOFFSET_Id', 0x0031, MODULEOFFSET_Id)
  578 + MODULEOFFSET_Size = struct.unpack("<L", dir_stream.read(4))[0]
  579 + check_value('MODULEOFFSET_Size', 0x0004, MODULEOFFSET_Size)
  580 + MODULEOFFSET_TextOffset = struct.unpack("<L", dir_stream.read(4))[0]
  581 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  582 + if section_id == 0x001E:
  583 + MODULEHELPCONTEXT_Id = section_id
  584 + check_value('MODULEHELPCONTEXT_Id', 0x001E, MODULEHELPCONTEXT_Id)
  585 + MODULEHELPCONTEXT_Size = struct.unpack("<L", dir_stream.read(4))[0]
  586 + check_value('MODULEHELPCONTEXT_Size', 0x0004, MODULEHELPCONTEXT_Size)
  587 + MODULEHELPCONTEXT_HelpContext = struct.unpack("<L", dir_stream.read(4))[0]
  588 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  589 + if section_id == 0x002C:
  590 + MODULECOOKIE_Id = section_id
  591 + check_value('MODULECOOKIE_Id', 0x002C, MODULECOOKIE_Id)
  592 + MODULECOOKIE_Size = struct.unpack("<L", dir_stream.read(4))[0]
  593 + check_value('MODULECOOKIE_Size', 0x0002, MODULECOOKIE_Size)
  594 + MODULECOOKIE_Cookie = struct.unpack("<H", dir_stream.read(2))[0]
  595 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  596 + if section_id == 0x0021 or section_id == 0x0022:
  597 + MODULETYPE_Id = section_id
  598 + MODULETYPE_Reserved = struct.unpack("<L", dir_stream.read(4))[0]
  599 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  600 + if section_id == 0x0025:
  601 + MODULEREADONLY_Id = section_id
  602 + check_value('MODULEREADONLY_Id', 0x0025, MODULEREADONLY_Id)
  603 + MODULEREADONLY_Reserved = struct.unpack("<L", dir_stream.read(4))[0]
  604 + check_value('MODULEREADONLY_Reserved', 0x0000, MODULEREADONLY_Reserved)
  605 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  606 + if section_id == 0x0028:
  607 + MODULEPRIVATE_Id = section_id
  608 + check_value('MODULEPRIVATE_Id', 0x0028, MODULEPRIVATE_Id)
  609 + MODULEPRIVATE_Reserved = struct.unpack("<L", dir_stream.read(4))[0]
  610 + check_value('MODULEPRIVATE_Reserved', 0x0000, MODULEPRIVATE_Reserved)
  611 + section_id = struct.unpack("<H", dir_stream.read(2))[0]
  612 + if section_id == 0x002B: # TERMINATOR
  613 + MODULE_Reserved = struct.unpack("<L", dir_stream.read(4))[0]
  614 + check_value('MODULE_Reserved', 0x0000, MODULE_Reserved)
  615 + section_id = None
  616 + if section_id != None:
  617 + logging.warning('unknown or invalid module section id {0:04X}'.format(section_id))
  618 +
  619 + logging.debug("ModuleName = {0}".format(MODULENAME_ModuleName))
  620 + logging.debug("StreamName = {0}".format(MODULESTREAMNAME_StreamName))
  621 + logging.debug("TextOffset = {0}".format(MODULEOFFSET_TextOffset))
  622 +
  623 + code_path = vba_root + '/VBA/' + MODULESTREAMNAME_StreamName
  624 + #TODO: test if stream exists
  625 + code_data = ole.openstream(code_path).read()
  626 + logging.debug("length of code_data = {0}".format(len(code_data)))
  627 + logging.debug("offset of code_data = {0}".format(MODULEOFFSET_TextOffset))
  628 + code_data = code_data[MODULEOFFSET_TextOffset:]
  629 + if len(code_data) > 0:
  630 + code_data = decompress_stream(code_data)
  631 + filext = code_modules[MODULENAME_ModuleName]
  632 + filename = '{0}.{1}'.format(MODULENAME_ModuleName, filext)
  633 + #TODO: return list of strings or dict instead of printing
  634 + print '-'*79
  635 + print filename
  636 + print ''
  637 + print code_data
  638 + print ''
  639 + logging.debug('extracted file {0}'.format(filename))
  640 + else:
  641 + logging.warning("module stream {0} has code data length 0".format(MODULESTREAMNAME_StreamName))
  642 + return
  643 +
  644 +
  645 +#=== MAIN =====================================================================
  646 +
  647 +if __name__ == '__main__':
  648 +
  649 + if len(sys.argv)<2:
  650 + print __doc__
  651 + sys.exit(1)
  652 +
  653 + logging.basicConfig(format='%(levelname)s: %(message)s', level=logging.WARNING)
  654 +
  655 + ole = OleFileIO_PL.OleFileIO(sys.argv[1])
  656 + extract_macros(ole)
  657 +
  658 + ole.close()
... ...