Commit 622d9a2b415c5acbb4e767ce33c8949fb7bfe986
1 parent
c638dcc7
olevba, mraptor: added detection of Workbook_BeforeClose, fixes #518
Showing
3 changed files
with
8 additions
and
6 deletions
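--- a/oletools/mraptor.py
+++ b/oletools/mraptor.py
@@ -23,7 +23,7 @@ http://www.decalage.info/python/oletools
 
 # === LICENSE ==================================================================
 
-# MacroRaptor is copyright (c) 2016-2020 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2021 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -61,8 +61,9 @@ http://www.decalage.info/python/oletools
 # 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro, ShellExecuteA, XLM keywords
 # 2019-11-06 v0.55 PL: - added SetTimer
 # 2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)
+# 2021-04-14 PL: - added Workbook_BeforeClose (issue #518)
 
-__version__ = '0.56'
+__version__ = '0.56.2.dev1'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -116,7 +117,7 @@ MSG_ISSUES = 'Please report this issue on %s' % URL_ISSUES
 # TODO: check if line also contains Sub or Function
 re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' +
 r'|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)' +
- r'|NewDocument|Workbook(?:_Open|_Activate|_Close)' +
+ r'|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)' +
 r'|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover' +
 r'|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute' +
 r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' +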
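Review bot: The new `_BeforeClose` alternative in `re_autoexec` arrives without a test, and the same keyword has to be added by hand in a second place, the `AUTOEXEC_KEYWORDS` tuple in oletools/olevba.py, so the two lists can drift and leave one tool blind to a trigger the other reports. None of the three changed files is a test file. A regression case asserting that `re_autoexec.search('Private Sub Workbook_BeforeClose(Cancel As Boolean)')` matches, plus the equivalent olevba check, would pin the fix for #518. A comment above the pattern such as `# keep in sync with AUTOEXEC_KEYWORDS in olevba.py` would help the next keyword addition. The `re.compile(...)` expression continues past the last line of the hunk, so the tail of the pattern is not visible here.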
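--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -233,8 +233,9 @@ from __future__ import print_function
 # unicode on Python 3 (issues #455, #477, #587, #593)
 # 2020-09-28 PL: - added VBA_Parser.get_vba_code_all_modules (partial fix
 # for issue #619)
+# 2021-04-14 PL: - added detection of Workbook_BeforeClose (issue #518)
 
-__version__ = '0.56.1'
+__version__ = '0.56.2.dev1'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -635,7 +636,7 @@ AUTOEXEC_KEYWORDS = {
 ('Auto_Open', 'Workbook_Open', 'Workbook_Activate', 'Auto_Ope'),
 # TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 'Runs when the Excel Workbook is closed':
- ('Auto_Close', 'Workbook_Close'),
+ ('Auto_Close', 'Workbook_Close', 'Workbook_BeforeClose'),
 #Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
 'May run when an Excel WorkSheet is opened':
 ('Worksheet_Calculate',),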
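Review bot: The close-time entry of `AUTOEXEC_KEYWORDS` gains `Workbook_BeforeClose` but has no comment telling an analyst why this class of trigger deserves attention. I would add a line above the tuple, for example `# close-time handlers do not fire in a dynamic analysis run that never closes the workbook, so static detection is the main coverage here`. The neighbouring entries already carry explanatory comments (the "Auto_Ope" TODO, the Worksheet_Calculate reference), so this fits the existing style. `AUTOEXEC_KEYWORDS` begins before the hunk and continues after it.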
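--- a/setup.py
+++ b/setup.py
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.56.1'
+version = '0.56.2.dev1'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"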