Commit 622d9a2b415c5acbb4e767ce33c8949fb7bfe986

Authored by decalage2
1 parent c638dcc7

olevba, mraptor: added detection of Workbook_BeforeClose, fixes #518

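--- a/oletools/mraptor.py
+++ b/oletools/mraptor.py
@@ -23,7 +23,7 @@ http://www.decalage.info/python/oletools
 
 # === LICENSE ==================================================================
 
-# MacroRaptor is copyright (c) 2016-2020 Philippe Lagadec (http://www.decalage.info)
+# MacroRaptor is copyright (c) 2016-2021 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -61,8 +61,9 @@ http://www.decalage.info/python/oletools
 # 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro, ShellExecuteA, XLM keywords
 # 2019-11-06 v0.55 PL: - added SetTimer
 # 2020-04-20 v0.56 PL: - added keywords RUN and CALL for XLM macros (issue #562)
+# 2021-04-14 PL: - added Workbook_BeforeClose (issue #518)
 
-__version__ = '0.56'
+__version__ = '0.56.2.dev1'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -116,7 +117,7 @@ MSG_ISSUES = 'Please report this issue on %s' % URL_ISSUES
 # TODO: check if line also contains Sub or Function
 re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' +
 r'|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)' +
-r'|NewDocument|Workbook(?:_Open|_Activate|_Close)' +
+r'|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)' +
 r'|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover' +
 r'|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute' +
 r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' +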
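Review bot: No regression test accompanies the new `_BeforeClose` alternative in `re_autoexec`; the only files shown in this commit are mraptor.py, olevba.py and setup.py, so unless a test was added elsewhere the fix for #518 is unguarded. A small test could assert that `re_autoexec.search('Private Sub Workbook_BeforeClose(Cancel As Boolean)')` matches and that olevba reports the same name under 'Runs when the Excel Workbook is closed'. The keyword is added by hand in two places, this regex and `AUTOEXEC_KEYWORDS` in oletools/olevba.py, so a test that checks the olevba keywords against `re_autoexec` (where the two are meant to agree) would catch the lists drifting apart, which here would mean a handler flagged by one tool and missed by the other. The `re.compile(...)` expression starts inside the hunk but continues past its end.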
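--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -233,8 +233,9 @@ from __future__ import print_function
 # unicode on Python 3 (issues #455, #477, #587, #593)
 # 2020-09-28 PL: - added VBA_Parser.get_vba_code_all_modules (partial fix
 # for issue #619)
+# 2021-04-14 PL: - added detection of Workbook_BeforeClose (issue #518)
 
-__version__ = '0.56.1'
+__version__ = '0.56.2.dev1'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -635,7 +636,7 @@ AUTOEXEC_KEYWORDS = {
 ('Auto_Open', 'Workbook_Open', 'Workbook_Activate', 'Auto_Ope'),
 # TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 'Runs when the Excel Workbook is closed':
-('Auto_Close', 'Workbook_Close'),
+('Auto_Close', 'Workbook_Close', 'Workbook_BeforeClose'),
 #Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
 'May run when an Excel WorkSheet is opened':
 ('Worksheet_Calculate',),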
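--- a/setup.py
+++ b/setup.py
@@ -52,7 +52,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.56.1'
+version = '0.56.2.dev1'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"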