From 7d06d02f06bb98fee5e7df0f3bab1420ed8a6d8c Mon Sep 17 00:00:00 2001
From: decalage2
Date: Sun, 23 May 2021 18:06:50 +0200
Subject: [PATCH] oleid: removed obsolete checks
---
oletools/ftguess.py | 5 +++++
oletools/oleid.py | 102 ++----------------------------------------------------------------------------------------------------
2 files changed, 7 insertions(+), 100 deletions(-)
diff --git a/oletools/ftguess.py b/oletools/ftguess.py
index c6772d5..28dc8d9 100644
--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -473,6 +473,7 @@ class FType_Word97(FType_OLE_CLSID_Base):
 PUID = 'fmt/40'
 may_contain_vba = True
 may_contain_ole = True
+ # TODO: if no CLSID, check stream 'WordDocument'
 class FType_Word6(FType_OLE_CLSID_Base):
 application = APP.MSWORD
@@ -527,6 +528,7 @@ class FType_Excel97(FTYpe_Excel, FType_Generic_OLE):
 longname = 'MS Excel 97-2003 Workbook or Template'
 CLSIDS = ('00020820-0000-0000-C000-000000000046',)
 extensions = ['xls', 'xlt', 'xla']
+ # TODO: if no CLSID, check stream 'Workbook' or 'Book' (maybe Excel 5)
 class FType_Excel5(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL5
@@ -557,6 +559,9 @@ class FType_Excel2007_XLSM (FTYpe_Excel2007):
 content_types = ('application/vnd.ms-excel.sheet.macroEnabled.12',)
 PUID = 'fmt/445'
+# TODO: for PPT, check for stream 'PowerPoint Document'
+# TODO: for Visio, check for stream 'VisioDocument'
+
 clsid_ftypes = {
 # mapping from CLSID of root storage to FType classes:
 # WORD
diff --git a/oletools/oleid.py b/oletools/oleid.py
index 12b0dfb..c5971c0 100644
--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -294,10 +294,6 @@ class OleID(object):
 # TODO: add try/except around each check
 self.check_properties()
 self.check_encrypted()
- # self.check_word()
- # self.check_excel()
- # self.check_powerpoint()
- # self.check_visio()
 self.check_macros()
 self.check_external_relationships()
 self.check_object_pool()
@@ -382,99 +378,6 @@ class OleID(object):
 ext_rels.risk = RISK.HIGH
 return ext_rels
- def check_word(self):
- """
- Check whether this file is a word document
-
- If this finds evidence of encryption, will correct/add encryption
- indicator.
-
- :returns: 2 :py:class:`Indicator`s (for word and vba_macro) or None if
- file was not opened
- """
- word = Indicator(
- 'word', False, name='Word Document',
- description='Contains a WordDocument stream, very likely to be a '
- 'Microsoft Word Document.')
- self.indicators.append(word)
- macros = Indicator('vba_macros', False, name='VBA Macros', risk=RISK.MEDIUM)
- self.indicators.append(macros)
- if not self.ole:
- return None, None
- if self.ole.exists('WordDocument'):
- word.value = True
-
- # check for VBA macros:
- if self.ole.exists('Macros'):
- macros.value = True
- return word, macros
-
- def check_excel(self):
- """
- Check whether this file is an excel workbook.
-
- If this finds macros, will add/correct macro indicator.
-
- see also: :py:func:`xls_parser.is_xls`
-
- :returns: :py:class:`Indicator` for excel or (None, None) if file was
- not opened
- """
- excel = Indicator(
- 'excel', False, name='Excel Workbook',
- description='Contains a Workbook or Book stream, very likely to be '
- 'a Microsoft Excel Workbook.')
- self.indicators.append(excel)
- if not self.ole:
- return None
- #self.macros = Indicator('vba_macros', False, name='VBA Macros')
- #self.indicators.append(self.macros)
- if self.ole.exists('Workbook') or self.ole.exists('Book'):
- excel.value = True
- # check for VBA macros:
- if self.ole.exists('_VBA_PROJECT_CUR'):
- # correct macro indicator if present or add one
- macro_ind = self.get_indicator('vba_macros')
- if macro_ind:
- macro_ind.value = True
- else:
- macros = Indicator('vba_macros', True, name='VBA Macros')
- self.indicators.append(macros)
- return excel
-
- def check_powerpoint(self):
- """
- Check whether this file is a powerpoint presentation
-
- see also: :py:func:`ppt_record_parser.is_ppt`
-
- :returns: :py:class:`Indicator` for whether this is a powerpoint
- presentation or not or None if file was not opened
- """
- ppt = Indicator(
- 'ppt', False, name='PowerPoint Presentation',
- description='Contains a PowerPoint Document stream, very likely to '
- 'be a Microsoft PowerPoint Presentation.')
- self.indicators.append(ppt)
- if not self.ole:
- return None
- if self.ole.exists('PowerPoint Document'):
- ppt.value = True
- return ppt
-
- def check_visio(self):
- """Check whether this file is a visio drawing"""
- visio = Indicator(
- 'visio', False, name='Visio Drawing',
- description='Contains a VisioDocument stream, very likely to be a '
- 'Microsoft Visio Drawing.')
- self.indicators.append(visio)
- if not self.ole:
- return None
- if self.ole.exists('VisioDocument'):
- visio.value = True
- return visio
-
 def check_object_pool(self):
 """
 Check whether this file contains an ObjectPool stream.
@@ -484,10 +387,11 @@ class OleID(object):
 :returns: :py:class:`Indicator` for ObjectPool stream or None if file was
 not opened
 """
+ # TODO: replace this by a call to oleobj
 objpool = Indicator(
 'ObjectPool', False, name='ObjectPool',
 description='Contains an ObjectPool stream, very likely to contain '
- 'embedded OLE objects or files.')
+ 'embedded OLE objects or files. Use oleobj to check it.')
 self.indicators.append(objpool)
 if not self.ole:
 return None
@@ -615,8 +519,6 @@ def main():
 oleid = OleID(filename)
 indicators = oleid.check()
- #TODO: add description
- #TODO: highlight suspicious indicators
 table = tablestream.TableStream([20, 20, 10, 26],
 header_row=['Indicator', 'Value', 'Risk', 'Description'],
 style=tablestream.TableStyleSlimSep)
-- libgit2 0.21.4
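Review bot: In the `@@ -484,10 +387,11 @@` hunk the docstring of check_object_pool (its def line is above the hunk) still only says the indicator is "for ObjectPool stream", while the new description string now sends users to oleobj; a maintainer reading the code gets no hint that this check appears to report only that the stream is present and that the real inspection of embedded objects happens elsewhere. Suggest adding one line to the docstring after its first sentence: `Only reports whether the stream is present; use oleobj to inspect the embedded objects.` The added TODO would also be clearer if it named what is to be replaced, e.g. `# TODO: replace this stream-presence check by a call to oleobj`. The method body continues below the hunk, so the actual stream test is not visible here.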