Commit 7d06d02f06bb98fee5e7df0f3bab1420ed8a6d8c
1 parent
3764d73b
oleid: removed obsolete checks
Showing
2 changed files
with
7 additions
and
100 deletions
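--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -473,6 +473,7 @@ class FType_Word97(FType_OLE_CLSID_Base):
 PUID = 'fmt/40'
 may_contain_vba = True
 may_contain_ole = True
+# TODO: if no CLSID, check stream 'WordDocument'
 
 class FType_Word6(FType_OLE_CLSID_Base):
 application = APP.MSWORD
@@ -527,6 +528,7 @@ class FType_Excel97(FTYpe_Excel, FType_Generic_OLE):
 longname = 'MS Excel 97-2003 Workbook or Template'
 CLSIDS = ('00020820-0000-0000-C000-000000000046',)
 extensions = ['xls', 'xlt', 'xla']
+# TODO: if no CLSID, check stream 'Workbook' or 'Book' (maybe Excel 5)
 
 class FType_Excel5(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL5
@@ -557,6 +559,9 @@ class FType_Excel2007_XLSM (FTYpe_Excel2007):
 content_types = ('application/vnd.ms-excel.sheet.macroEnabled.12',)
 PUID = 'fmt/445'
 
+# TODO: for PPT, check for stream 'PowerPoint Document'
+# TODO: for Visio, check for stream 'VisioDocument'
+
 clsid_ftypes = {
 # mapping from CLSID of root storage to FType classes:
 # WORD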
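Review bot: The two TODO comments added at new lines 562-564 sit at module level after FType_Excel2007_XLSM, detached from the PowerPoint and Visio FType classes they describe, whereas the Word and Excel TODOs in the first two hunks are placed inside FType_Word97 and FType_Excel97; moving them into the corresponding PPT and Visio class bodies (or next to the clsid_ftypes mapping that follows) keeps the intent beside the code that will implement it. Each of these TODOs also names exactly the stream check that this commit deletes from oleid.py (check_word, check_excel, check_powerpoint and check_visio tested 'WordDocument', 'Workbook'/'Book', 'PowerPoint Document' and 'VisioDocument'), so a comment such as `# TODO: stream-name fallback formerly in oleid.OleID.check_*, not yet ported here` would make that link explicit for whoever picks the work up.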
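--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -294,10 +294,6 @@ class OleID(object):
 # TODO: add try/except around each check
 self.check_properties()
 self.check_encrypted()
-# self.check_word()
-# self.check_excel()
-# self.check_powerpoint()
-# self.check_visio()
 self.check_macros()
 self.check_external_relationships()
 self.check_object_pool()
@@ -382,99 +378,6 @@ class OleID(object):
 ext_rels.risk = RISK.HIGH
 return ext_rels
 
-def check_word(self):
-"""
-Check whether this file is a word document
-
-If this finds evidence of encryption, will correct/add encryption
-indicator.
-
-:returns: 2 :py:class:`Indicator`s (for word and vba_macro) or None if
-file was not opened
-"""
-word = Indicator(
-'word', False, name='Word Document',
-description='Contains a WordDocument stream, very likely to be a '
-'Microsoft Word Document.')
-self.indicators.append(word)
-macros = Indicator('vba_macros', False, name='VBA Macros', risk=RISK.MEDIUM)
-self.indicators.append(macros)
-if not self.ole:
-return None, None
-if self.ole.exists('WordDocument'):
-word.value = True
-
-# check for VBA macros:
-if self.ole.exists('Macros'):
-macros.value = True
-return word, macros
-
-def check_excel(self):
-"""
-Check whether this file is an excel workbook.
-
-If this finds macros, will add/correct macro indicator.
-
-see also: :py:func:`xls_parser.is_xls`
-
-:returns: :py:class:`Indicator` for excel or (None, None) if file was
-not opened
-"""
-excel = Indicator(
-'excel', False, name='Excel Workbook',
-description='Contains a Workbook or Book stream, very likely to be '
-'a Microsoft Excel Workbook.')
-self.indicators.append(excel)
-if not self.ole:
-return None
-#self.macros = Indicator('vba_macros', False, name='VBA Macros')
-#self.indicators.append(self.macros)
-if self.ole.exists('Workbook') or self.ole.exists('Book'):
-excel.value = True
-# check for VBA macros:
-if self.ole.exists('_VBA_PROJECT_CUR'):
-# correct macro indicator if present or add one
-macro_ind = self.get_indicator('vba_macros')
-if macro_ind:
-macro_ind.value = True
-else:
-macros = Indicator('vba_macros', True, name='VBA Macros')
-self.indicators.append(macros)
-return excel
-
-def check_powerpoint(self):
-"""
-Check whether this file is a powerpoint presentation
-
-see also: :py:func:`ppt_record_parser.is_ppt`
-
-:returns: :py:class:`Indicator` for whether this is a powerpoint
-presentation or not or None if file was not opened
-"""
-ppt = Indicator(
-'ppt', False, name='PowerPoint Presentation',
-description='Contains a PowerPoint Document stream, very likely to '
-'be a Microsoft PowerPoint Presentation.')
-self.indicators.append(ppt)
-if not self.ole:
-return None
-if self.ole.exists('PowerPoint Document'):
-ppt.value = True
-return ppt
-
-def check_visio(self):
-"""Check whether this file is a visio drawing"""
-visio = Indicator(
-'visio', False, name='Visio Drawing',
-description='Contains a VisioDocument stream, very likely to be a '
-'Microsoft Visio Drawing.')
-self.indicators.append(visio)
-if not self.ole:
-return None
-if self.ole.exists('VisioDocument'):
-visio.value = True
-return visio
-
 def check_object_pool(self):
 """
 Check whether this file contains an ObjectPool stream.
@@ -484,10 +387,11 @@ class OleID(object):
 :returns: :py:class:`Indicator` for ObjectPool stream or None if file
 was not opened
 """
+# TODO: replace this by a call to oleobj
 objpool = Indicator(
 'ObjectPool', False, name='ObjectPool',
 description='Contains an ObjectPool stream, very likely to contain '
-'embedded OLE objects or files.')
+'embedded OLE objects or files. Use oleobj to check it.')
 self.indicators.append(objpool)
 if not self.ole:
 return None
@@ -615,8 +519,6 @@ def main():
 oleid = OleID(filename)
 indicators = oleid.check()
 
-#TODO: add description
-#TODO: highlight suspicious indicators
 table = tablestream.TableStream([20, 20, 10, 26],
 header_row=['Indicator', 'Value', 'Risk', 'Description'],
 style=tablestream.TableStyleSlimSep)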
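Review bot: check_word, check_excel, check_powerpoint and check_visio (removed at old lines 385-477) were public methods of OleID, so deleting them is an API break for any library caller that invoked them directly, even though check() had already stopped calling them (the commented-out calls removed at old lines 297-300). If a deprecation step is wanted, a thin shim such as `def check_word(self): warnings.warn('check_word is obsolete', DeprecationWarning); return None, None` (and the same for the other three) keeps callers working for one release; otherwise a changelog entry naming the removed methods seems warranted. The stream-name checks these methods performed (WordDocument, Workbook/Book, PowerPoint Document, VisioDocument, plus the 'Macros' and '_VBA_PROJECT_CUR' VBA hints) appear in this commit only as TODO comments in ftguess.py, so presumably no code path identifies those formats by stream name until the TODOs are implemented; whether check_macros, which is not in the hunk, covers the two VBA hints cannot be confirmed from here. The new description in check_object_pool (new line 394) now says 'Use oleobj to check it.' while the indicator is still computed in this method, which reads slightly inconsistent until the TODO added at new line 390 is carried out.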