merged PR #124

decalage2
1 parent d0d4c87f
Showing 3 changed files with 321 additions and 4 deletions
oletools/oleform.py
oletools/olevba.py
setup.py
+#!/usr/bin/env python
+
+import struct
+
+class OleFormParsingError(Exception):
+    pass
+
+class Mask(object):
+    def __init__(self, val):
+        self._val = [(val & (1<<i))>>i for i in range(self._size)]
+
+    def __str__(self):
+        return ', '.join(self._names[i] for i in range(self._size) if self._val[i])
+
+    def __getattr__(self, name):
+        return self._val[self._names.index(name)]
+
+    def __len__(self):
+        return self.size
+
+    def __getitem__(self, key):
+        return self._val[self._names.index(key)]
+
+class FormPropMask(Mask):
+    """FormPropMask: [MS-OFORMS] 2.2.10.2"""
+    _size = 28
+    _names = ['Unused1', 'fBackColor', 'fForeColor', 'fNextAvailableID', 'Unused2_0', 'Unused2_1',
+              'fBooleanProperties', 'fBooleanProperties', 'fMousePointer', 'fScrollBars',
+              'fDisplayedSize', 'fLogicalSize', 'fScrollPosition', 'fGroupCnt', 'Reserved',
+              'fMouseIcon', 'fCycle', 'fSpecialEffect', 'fBorderColor', 'fCaption', 'fFont',
+              'fPicture', 'fZoom', 'fPictureAlignment', 'fPictureTiling', 'fPictureSizeMode',
+              'fShapeCookie', 'fDrawBuffer']
+
+class SitePropMask(Mask):
+    """SitePropMask: [MS-OFORMS] 2.2.10.12.2"""
+    _size = 15
+    _names = ['fName', 'fTag', 'fID', 'fHelpContextID', 'fBitFlags', 'fObjectStreamSize',
+              'fTabIndex', 'fClsidCacheIndex', 'fPosition', 'fGroupID', 'Unused1',
+              'fControlTipText', 'fRuntimeLicKey', 'fControlSource', 'fRowSource']
+
+class MorphDataPropMask(Mask):
+    """MorphDataPropMask: [MS-OFORMS] 2.2.5.2"""
+    _size = 33
+    _names = ['fVariousPropertyBits', 'fBackColor', 'fForeColor', 'fMaxLength', 'fBorderStyle',
+              'fScrollBars', 'fDisplayStyle', 'fMousePointer', 'fSize', 'fPasswordChar',
+              'fListWidth', 'fBoundColumn', 'fTextColumn', 'fColumnCount', 'fListRows',
+              'fcColumnInfo', 'fMatchEntry', 'fListStyle', 'fShowDropButtonWhen', 'UnusedBits1',
+              'fDropButtonStyle', 'fMultiSelect', 'fValue', 'fCaption', 'fPicturePosition',
+              'fBorderColor', 'fSpecialEffect', 'fMouseIcon', 'fPicture', 'fAccelerator',
+              'UnusedBits2', 'Reserved', 'fGroupName']
+
+class ExtendedStream(object):
+    def __init__(self, stream, path):
+        self._pos = 0
+        self._jumps = []
+        self._stream = stream
+        self._path = path
+
+    @classmethod
+    def open(cls, ole_file, path):
+        stream = ole_file.openstream(path)
+        return cls(stream, path)
+
+    def read(self, size):
+        self._pos += size
+        return self._stream.read(size)
+
+    def will_jump_to(self, size):
+        self._next_jump = (True, size)
+        return self
+
+    def will_pad(self, pad=4):
+        self._next_jump = (False, pad)
+        return self
+
+    def __enter__(self):
+        (jump_type, size) = self._next_jump
+        self._jumps.append((self._pos, jump_type, size))
+
+    def __exit__(self, exc_type, exc_value, traceback):
+        if exc_type is None:
+            (start, jump_type, size) = self._jumps.pop()
+            if jump_type:
+                self.read(size - (self._pos - start))
+            else:
+                align = (self._pos - start) % size
+                if align:
+                    self.read(size - align)
+
+    def unpacks(self, format, size):
+        return struct.unpack(format, self.read(size))
+
+    def unpack(self, format, size):
+        return self.unpacks(format, size)[0]
+
+    def raise_error(self, reason, back=0):
+        raise OleFormParsingError('{0}:{1}: {2}'.format(self.path, self._pos - back))
+
+    def check_values(self, name, format, size, expected):
+        value = self.unpacks(format, size)
+        if value != expected:
+            self.raise_error('Invalid {0}: expected {1} got {2}'.format(name, str(expected), str(value)))
+
+    def check_value(self, name, format, size, expected):
+        self.check_values(name, format, size, (expected,))
+
+
+def consume_TextProps(stream):
+    # TextProps: [MS-OFORMS] 2.3.1
+    stream.check_values('TextProps (versions)', '<BB', 2, (0, 2))
+    cbTextProps = stream.unpack('<H', 2)
+    stream.read(cbTextProps)
+
+def consume_GuidAndFont(stream):
+    # GuidAndFont: [MS-OFORMS] 2.4.7
+    UUIDS = stream.unpacks('<LHH', 8) + stream.unpacks('>Q', 8)
+    if UUIDS == (199447043, 36753, 4558, 11376937813817407569L):
+        # UUID == {0BE35203-8F91-11CE-9DE300AA004BB851}
+        # StdFont: [MS-OFORMS] 2.4.12
+        stream.check_value('StdFont (version)', '<B', 1, 1)
+        # Skip sCharset, bFlags, sWeight, ulHeight
+        stream.read(9)
+        bFaceLen = stream.unpack('<B', 1)
+        stream.read(bFaceLen)
+    elif UUIDs == (2948729120, 55886, 4558, 13349514450607572916L):
+        # UUID == {AFC20920-DA4E-11CE-B94300AA006887B4}
+        consume_TextProps(stream)
+    else:
+        stream.raise_error('Invalid GuidAndFont (UUID)', 16)
+
+def consume_GuidAndPicture(stream):
+    # GuidAndPicture: [MS-OFORMS] 2.4.8
+    # UUID == {0BE35204-8F91-11CE-9DE3-00AA004BB851}
+    stream.check_values('GuidAndPicture (UUID part 1)', '<LHH', 8, (199447044, 36753, 4558))
+    stream.check_value('GuidAndPicture (UUID part 1)', '>Q', 8, 11376937813817407569L)
+    # StdPicture: [MS-OFORMS] 2.4.13
+    stream.check_value('StdPicture (Preamble)', '<L', 4, 0x0000746C)
+    size = stream.unpack('<L', 4)
+    stream.read(size)
+
+def consume_CountOfBytesWithCompressionFlag(stream):
+    # CountOfBytesWithCompressionFlag or CountOfCharsWithCompressionFlag: [MS-OFORMS] 2.4.14.2 or 2.4.14.3
+    count = stream.unpack('<L', 4)
+    if not count & 0x80000000 and count != 0:
+        stream.aise_error('Uncompress string length', 4)
+    return count & 0x7FFFFFFF
+
+def consume_SiteClassInfo(stream):
+   # SiteClassInfo: [MS-OFORMS] 2.2.10.10.1
+   stream.check_value('SiteClassInfo (version)', '<H', 2, 0)
+   cbClassTable = stream.unpack('<H', 2)
+   stream.read(cbClassTable)
+
+def consume_FormObjectDepthTypeCount(stream):
+   # FormObjectDepthTypeCount: [MS-OFORMS] 2.2.10.7
+   (depth, mixed) = stream.unpacks('<BB', 2)
+   if mixed & 0x80:
+       stream.check_value('FormObjectDepthTypeCount (SITE_TYPE)', '<B', 1, 1)
+       return mixed ^ 0x80
+   if mixed != 1:
+       stream.raise_error('Invalid FormObjectDepthTypeCount (SITE_TYPE): expected 1 got {0}'.format(str(mixed)))
+   return 1
+
+def consume_OleSiteConcreteControl(stream):
+    # OleSiteConcreteControl: [MS-OFORMS] 2.2.10.12.1
+    stream.check_value('OleSiteConcreteControl (version)', '<H', 2, 0)
+    cbSite = stream.unpack('<H', 2)
+    with stream.will_jump_to(cbSite):
+        propmask = SitePropMask(stream.unpack('<L', 4))
+        # SiteDataBlock: [MS-OFORMS] 2.2.10.12.3
+        name_len = tag_len = id = 0
+        if propmask.fName:
+            name_len = consume_CountOfBytesWithCompressionFlag(stream)
+        if propmask.fTag:
+            tag_len = consume_CountOfBytesWithCompressionFlag(stream)
+        if propmask.fID:
+            id = stream.unpack('<L', 4)
+        for prop in ['fHelpContextID', 'fBitFlags', 'fObjectStreamSize']:
+            if propmask[prop]:
+                stream.read(4)
+        tabindex = ClsidCacheIndex = 0
+        with stream.will_pad():
+            if propmask.fTabIndex:
+                tabindex = stream.unpack('<H', 2)
+            if propmask.fClsidCacheIndex:
+                ClsidCacheIndex = stream.unpack('<H', 2)
+            if propmask.fGroupID:
+                stream.read(2)
+        # For the next 4 entries, the documentation adds padding, but it should already be aligned??
+        for prop in ['fControlTipText', 'fRuntimeLicKey', 'fControlSource', 'fRowSource']:
+            if propmask[prop]:
+                stream.read(4)
+        # SiteExtraDataBlock: [MS-OFORMS] 2.2.10.12.4
+        name = stream.read(name_len)
+        tag = stream.read(tag_len)
+        return {'name': name, 'tag': tag, 'id': id, 'tabindex': tabindex,
+               'ClsidCacheIndex': ClsidCacheIndex}
+
+def consume_FormControl(stream):
+    # FormControl: [MS-OFORMS] 2.2.10.1
+    stream.check_values('FormControl (versions)', '<BB', 2, (0, 4))
+    cbform = stream.unpack('<H', 2)
+    with stream.will_jump_to(cbform):
+        propmask = FormPropMask(stream.unpack('<L', 4))
+        # FormDataBlock: [MS-OFORMS] 2.2.10.3
+        for prop in ['fBackColor', 'fForeColor', 'fNextAvailableID']:
+            if propmask[prop]:
+                stream.read(4)
+        if propmask.fBooleanProperties:
+            BooleanProperties = stream.unpack('<L', 4)
+            FORM_FLAG_DONTSAVECLASSTABLE = (BooleanProperties & (1<<15)) >> 15
+        else:
+            FORM_FLAG_DONTSAVECLASSTABLE = 0
+        # Skip the rest of DataBlock and ExtraDataBlock
+    # FormStreamData: [MS-OFORMS] 2.2.10.5
+    if propmask.fMouseIcon:
+        consume_GuidAndPicture(stream)
+    if propmask.fFont:
+        consume_GuidAndFont(stream)
+    if propmask.fPicture:
+        consume_GuidAndPicture(stream)
+    # FormSiteData: [MS-OFORMS] 2.2.10.6
+    if not FORM_FLAG_DONTSAVECLASSTABLE:
+        CountOfSiteClassInfo = stream.unpack('<H', 2)
+        for i in range(CountOfSiteClassInfo):
+            consume_SiteClassInfo(stream)
+    (CountOfSites, CountOfBytes) = stream.unpacks('<LL', 8)
+    remaining_SiteDepthsAndTypes = CountOfSites
+    with stream.will_pad():
+        while remaining_SiteDepthsAndTypes > 0:
+            remaining_SiteDepthsAndTypes -= consume_FormObjectDepthTypeCount(stream)
+    for i in range(CountOfSites):
+        yield consume_OleSiteConcreteControl(stream)
+
+def consume_MorphDataControl(stream):
+    # MorphDataControl: [MS-OFORMS] 2.2.5.1
+    stream.check_values('MorphDataControl (versions)', '<BB', 2, (0, 2))
+    cbMorphData = stream.unpack('<H', 2)
+    with stream.will_jump_to(cbMorphData):
+        propmask = MorphDataPropMask(stream.unpack('<Q', 8))
+        # MorphDataDataBlock: [MS-OFORMS] 2.2.5.3
+        for prop in ['fVariousPropertyBits', 'fBackColor', 'fForeColor', 'fMaxLength']:
+            if propmask[prop]:
+                stream.read(4)
+        with stream.will_pad():
+            for prop in ['fBorderStyle', 'fScrollBars', 'fDisplayStyle', 'fMousePointer']:
+                if propmask[prop]:
+                    stream.read(1)
+        # PasswordChar, BoundColumn, TextColumn, ColumnCount, and ListRows are 2B + pad = 4B
+        # ListWidth is 4B + pad = 4B
+        for prop in ['fPasswordChar', 'fListWidth', 'fBoundColumn', 'fTextColumn', 'fColumnCount',
+                     'fListRows']:
+            if propmask[prop]:
+                stream.read(4)
+        with stream.will_pad():
+            if propmask.fcColumnInfo:
+                stream.read(2)
+            for prop in ['fMatchEntry', 'fListStyle', 'fShowDropButtonWhen', 'fDropButtonStyle',
+                         'fMultiSelect']:
+                if propmask[prop]:
+                    stream.read(1)
+        if propmask.fValue:
+            value_size = consume_CountOfBytesWithCompressionFlag(stream)
+        else:
+            value_size = 0
+        # Caption, PicturePosition, BorderColor, SpecialEffect, GroupName  are 4B + pad = 4B
+        # MouseIcon, Picture, Accelerator are 2B + pad = 4B
+        for prop in ['fCaption', 'fPicturePosition', 'fBorderColor', 'fSpecialEffect',
+                     'fMouseIcon', 'fPicture', 'fAccelerator', 'fGroupName']:
+            if propmask[prop]:
+                stream.read(4)
+        # MorphDataExtraDataBlock: [MS-OFORMS] 2.2.5.4
+        stream.read(8)
+        value = stream.read(value_size)
+    # MorphDataStreamData: [MS-OFORMS] 2.2.5.5
+    if propmask.fMouseIcon:
+        consume_GuidAndPicture(stream)
+    if propmask.fPicture:
+        consume_GuidAndPicture(stream)
+    consume_TextProps(stream)
+    return value
+
+def extract_OleFormVariables(ole_file, stream_dir):
+    control = ExtendedStream.open(ole_file, '/'.join(stream_dir + ['f']))
+    variables = list(consume_FormControl(control))
+    data = ExtendedStream.open(ole_file, '/'.join(stream_dir + ['o']))
+    for var in variables:
+        if var['ClsidCacheIndex'] != 23:
+            raise OleFormParsingError('Unsupported stored type: {0}'.format(str(var['ClsidCacheIndex'])))
+        var['value'] = consume_MorphDataControl(data)
+    return variables
@@ -196,9 +196,10 @@ from __future__ import print_function
 # 2017-05-31     c1fe: - PR #135 fixing issue #132 for some Mac files
 # 2017-06-08       PL: - fixed issue #122 Chr() with negative numbers
 # 2017-06-15       PL: - deobfuscation line by line to handle large files
-# 2017-07-11 v0.51.1 PL: - raise exception instead of sys.exit (issue #180)
+# 2017-07-11 v0.52 PL: - raise exception instead of sys.exit (issue #180)
+# 2017-11-08       VB: - PR #124 adding user form parsing (Vincent Brillault)
  
-__version__ = '0.51.1dev1'
+__version__ = '0.52dev3'
  
 #------------------------------------------------------------------------------
 # TODO:
@@ -265,6 +266,8 @@ except ImportError:
                                + "see http://codespeak.net/lxml " \
                                + "or http://effbot.org/zone/element-index.htm")
  
+from oleform import extract_OleFormVariables
+
 # IMPORTANT: it should be possible to run oletools directly as scripts
 # in any directory without installing them with pip or setup.py.
 # In that case, relative imports are NOT usable.
@@ -1465,7 +1468,7 @@ def _extract_vba(ole, vba_root, project_path, dir_path, relaxed=False):
             # So let's ignore it, otherwise it crashes on some files (issue #132)
             # PR #135 by @c1fe:
             # contrary to the specification I think that the unicode name
-            # is optional. if reference_reserved is not 0x003E I think it 
+            # is optional. if reference_reserved is not 0x003E I think it
             # is actually the start of another REFERENCE record
             # at least when projectsyskind_syskind == 0x02 (Macintosh)
             if reference_reserved == 0x003E:
@@ -2986,6 +2989,24 @@ class VBA_Parser(object):
                     log.debug('Printable string found in form: %r' % m.group())
                     yield (self.filename, '/'.join(o_stream), m.group())
  
+    def extract_form_strings_extended(self):
+        if self.ole_file is None:
+            # This may be either an OpenXML/PPT or a text file:
+            if self.type == TYPE_TEXT:
+                # This is a text file, return no results:
+                return
+            else:
+                # OpenXML/PPT: recursively yield results from each OLE subfile:
+                for ole_subfile in self.ole_subfiles:
+                    for results in ole_subfile.extract_form_strings_extended():
+                        yield results
+        else:
+            # This is an OLE file:
+            self.find_vba_forms()
+            ole = self.ole_file
+            for form_storage in self.vba_forms:
+                for variable in extract_OleFormVariables(ole, form_storage):
+                    yield (self.filename, '/'.join(form_storage), variable)
  
     def close(self):
         """
@@ -3115,6 +3136,11 @@ class VBA_Parser_CLI(VBA_Parser):
                     print('VBA FORM STRING IN %r - OLE stream: %r' % (subfilename, stream_path))
                     print('- ' * 39)
                     print(form_string)
+                for (subfilename, stream_path, form_variables) in self.extract_form_strings_extended():
+                    print('-' * 79)
+                    print('VBA FORM Variable "%s" IN %r - OLE stream: %r' % (form_variables['name'], subfilename, stream_path))
+                    print('- ' * 39)
+                    print(str(form_variables['value']))
                 if not vba_code_only:
                     # analyse the code from all modules at once:
                     self.print_analysis(show_decoded_strings, deobfuscate)
@@ -42,7 +42,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
  
 name         = "oletools"
-version      = '0.52dev2'
+version      = '0.52dev3'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"