From 622d9a2b415c5acbb4e767ce33c8949fb7bfe986 Mon Sep 17 00:00:00 2001
From: decalage2
Date: Wed, 14 Apr 2021 21:03:32 +0200
Subject: [PATCH] olevba, mraptor: added detection of Workbook_BeforeClose, fixes #518
---
 oletools/mraptor.py | 7 ++++---
 oletools/olevba.py | 5 +++--
 setup.py | 2 +-
 3 files changed, 8 insertions(+), 6 deletions(-)
diff --git a/oletools/mraptor.py b/oletools/mraptor.py
index f1fac32..f950a4b 100644
--- a/oletools/mraptor.py
+++ b/oletools/mraptor.py
@@ -23,7 +23,7 @@ http://www.decalage.info/python/oletools
 # === LICENSE ==================================================================
-# MacroRaptor is copyright (c) 2016-2020 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2021 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -61,8 +61,9 @@ http://www.decalage.info/python/oletools
 # 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro, ShellExecuteA, XLM keywords
 # 2019-11-06 v0.55 PL: - added SetTimer
 # 2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)
+# 2021-04-14 PL: - added Workbook_BeforeClose (issue #518)
-__version__ = '0.56'
+__version__ = '0.56.2.dev1'
 #------------------------------------------------------------------------------
 # TODO:
@@ -116,7 +117,7 @@ MSG_ISSUES = 'Please report this issue on %s' % URL_ISSUES
 # TODO: check if line also contains Sub or Function
 re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' +
 r'|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)' +
- r'|NewDocument|Workbook(?:_Open|_Activate|_Close)' +
+ r'|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)' +
 r'|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover' +
 r'|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute' +
 r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' +
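Review bot: The new `_BeforeClose` alternative in the `Workbook(?:…)` group of `re_autoexec` lands without a regression test: the diffstat lists only mraptor.py, olevba.py and setup.py, so nothing pins the detection that issue #518 asked for, and the same holds for the `AUTOEXEC_KEYWORDS` hunk in olevba.py. A small test that runs a macro containing a `Workbook_BeforeClose` handler through both detectors and asserts the auto-exec result would keep this from regressing. The Workbook group also requires the underscore while the Document group two lines above accepts `_?BeforeClose`; a one-line comment such as `# Workbook handlers are matched only in their underscore form` would record whether that difference is intended. The `re.compile(...)` expression continues past the end of the hunk.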
diff --git a/oletools/olevba.py b/oletools/olevba.py
index fbd65be..e9c9fd9 100644
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -233,8 +233,9 @@ from __future__ import print_function
 # unicode on Python 3 (issues #455, #477, #587, #593)
 # 2020-09-28 PL: - added VBA_Parser.get_vba_code_all_modules (partial fix
 # for issue #619)
+# 2021-04-14 PL: - added detection of Workbook_BeforeClose (issue #518)
-__version__ = '0.56.1'
+__version__ = '0.56.2.dev1'
 #------------------------------------------------------------------------------
 # TODO:
@@ -635,7 +636,7 @@ AUTOEXEC_KEYWORDS = {
 ('Auto_Open', 'Workbook_Open', 'Workbook_Activate', 'Auto_Ope'),
 # TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 'Runs when the Excel Workbook is closed':
- ('Auto_Close', 'Workbook_Close'),
+ ('Auto_Close', 'Workbook_Close', 'Workbook_BeforeClose'),
 #Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
 'May run when an Excel WorkSheet is opened':
 ('Worksheet_Calculate',),
diff --git a/setup.py b/setup.py
index 7c4486d..6936857 100644
--- a/setup.py
+++ b/setup.py
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 name = "oletools"
-version = '0.56.1'
+version = '0.56.2.dev1'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"
-- 
libgit2 0.21.4
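Review bot: `AUTOEXEC_KEYWORDS` in this hunk and `re_autoexec` in mraptor.py are two separate keyword lists that this commit had to edit in the same way, and nothing visible in either hunk says so; a keyword added to only one of them would leave olevba and mraptor disagreeing about the same macro. A comment next to the Excel entries, for example `# keep in sync with re_autoexec in oletools/mraptor.py`, would make that coupling visible to the next person extending the list. The dict literal starts and ends outside the hunk, so such a comment may already exist elsewhere in it.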