Commit 61c29e8095982b048e8e8409abf3e68949aac060
1 parent
3ec4b066
mraptor3: updated to match mraptor
Showing
1 changed file
with
18 additions
and
5 deletions
oletools/mraptor3.py
| @@ -11,6 +11,7 @@ Supported formats: | @@ -11,6 +11,7 @@ Supported formats: | ||
| 11 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) | 11 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) |
| 12 | - Word 2003 XML (.xml) | 12 | - Word 2003 XML (.xml) |
| 13 | - Word/Excel Single File Web Page / MHTML (.mht) | 13 | - Word/Excel Single File Web Page / MHTML (.mht) |
| 14 | +- Publisher (.pub) | ||
| 14 | 15 | ||
| 15 | Author: Philippe Lagadec - http://www.decalage.info | 16 | Author: Philippe Lagadec - http://www.decalage.info |
| 16 | License: BSD, see source code or documentation | 17 | License: BSD, see source code or documentation |
| @@ -21,7 +22,7 @@ http://www.decalage.info/python/oletools | @@ -21,7 +22,7 @@ http://www.decalage.info/python/oletools | ||
| 21 | 22 | ||
| 22 | # === LICENSE ================================================================== | 23 | # === LICENSE ================================================================== |
| 23 | 24 | ||
| 24 | -# MacroRaptor is copyright (c) 2016 Philippe Lagadec (http://www.decalage.info) | 25 | +# MacroRaptor is copyright (c) 2016-2017 Philippe Lagadec (http://www.decalage.info) |
| 25 | # All rights reserved. | 26 | # All rights reserved. |
| 26 | # | 27 | # |
| 27 | # Redistribution and use in source and binary forms, with or without modification, | 28 | # Redistribution and use in source and binary forms, with or without modification, |
| @@ -53,8 +54,9 @@ http://www.decalage.info/python/oletools | @@ -53,8 +54,9 @@ http://www.decalage.info/python/oletools | ||
| 53 | # 2016-07-19 v0.50 SL: - converted to Python 3 | 54 | # 2016-07-19 v0.50 SL: - converted to Python 3 |
| 54 | # 2016-08-26 PL: - changed imports for Python 3 | 55 | # 2016-08-26 PL: - changed imports for Python 3 |
| 55 | # 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141) | 56 | # 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141) |
| 57 | +# 2017-06-29 PL: - synced with mraptor.py 0.51 | ||
| 56 | 58 | ||
| 57 | -__version__ = '0.51dev6' | 59 | +__version__ = '0.51' |
| 58 | 60 | ||
| 59 | #------------------------------------------------------------------------------ | 61 | #------------------------------------------------------------------------------ |
| 60 | # TODO: | 62 | # TODO: |
| @@ -97,15 +99,24 @@ MSG_ISSUES = 'Please report this issue on %s' % URL_ISSUES | @@ -97,15 +99,24 @@ MSG_ISSUES = 'Please report this issue on %s' % URL_ISSUES | ||
| 97 | 99 | ||
| 98 | # 'AutoExec', 'AutoOpen', 'Auto_Open', 'AutoClose', 'Auto_Close', 'AutoNew', 'AutoExit', | 100 | # 'AutoExec', 'AutoOpen', 'Auto_Open', 'AutoClose', 'Auto_Close', 'AutoNew', 'AutoExit', |
| 99 | # 'Document_Open', 'DocumentOpen', | 101 | # 'Document_Open', 'DocumentOpen', |
| 100 | -# 'Document_Close', 'DocumentBeforeClose', | 102 | +# 'Document_Close', 'DocumentBeforeClose', 'Document_BeforeClose', |
| 101 | # 'DocumentChange','Document_New', | 103 | # 'DocumentChange','Document_New', |
| 102 | # 'NewDocument' | 104 | # 'NewDocument' |
| 103 | # 'Workbook_Open', 'Workbook_Close', | 105 | # 'Workbook_Open', 'Workbook_Close', |
| 106 | +# *_Painted such as InkPicture1_Painted | ||
| 107 | +# *_GotFocus|LostFocus|MouseHover for other ActiveX objects | ||
| 108 | +# reference: http://www.greyhathacker.net/?p=948 | ||
| 104 | 109 | ||
| 105 | # TODO: check if line also contains Sub or Function | 110 | # TODO: check if line also contains Sub or Function |
| 106 | re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' + | 111 | re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' + |
| 107 | - r'|Document(?:_?Open|_Close|BeforeClose|Change|_New)' + | ||
| 108 | - r'|NewDocument|Workbook(?:_Open|_Activate|_Close))\b') | 112 | + r'|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)' + |
| 113 | + r'|NewDocument|Workbook(?:_Open|_Activate|_Close)' + | ||
| 114 | + r'|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover' + | ||
| 115 | + r'|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute' + | ||
| 116 | + r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' + | ||
| 117 | + r'|NavigateComplete2|NavigateError|ProgressChange|PropertyChange' + | ||
| 118 | + r'|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove' + | ||
| 119 | + r'|MouseEnter|MouseLeave|))\b') | ||
| 109 | 120 | ||
| 110 | # MS-VBAL 5.4.5.1 Open Statement: | 121 | # MS-VBAL 5.4.5.1 Open Statement: |
| 111 | RE_OPEN_WRITE = r'(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)' | 122 | RE_OPEN_WRITE = r'(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)' |
| @@ -249,6 +260,8 @@ def main(): | @@ -249,6 +260,8 @@ def main(): | ||
| 249 | 260 | ||
| 250 | # Print help if no arguments are passed | 261 | # Print help if no arguments are passed |
| 251 | if len(args) == 0: | 262 | if len(args) == 0: |
| 263 | + print('MacroRaptor %s - http://decalage.info/python/oletools' % __version__) | ||
| 264 | + print('This is work in progress, please report issues at %s' % URL_ISSUES) | ||
| 252 | print(__doc__) | 265 | print(__doc__) |
| 253 | parser.print_help() | 266 | parser.print_help() |
| 254 | print('\nAn exit code is returned based on the analysis result:') | 267 | print('\nAn exit code is returned based on the analysis result:') |