Commit 7d06d02f06bb98fee5e7df0f3bab1420ed8a6d8c

Authored by decalage2
1 parent 3764d73b

oleid: removed obsolete checks

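--- a/oletools/ftguess.py
+++ b/oletools/ftguess.py
@@ -473,6 +473,7 @@ class FType_Word97(FType_OLE_CLSID_Base):
 PUID = 'fmt/40'
 may_contain_vba = True
 may_contain_ole = True
+# TODO: if no CLSID, check stream 'WordDocument'
 
 class FType_Word6(FType_OLE_CLSID_Base):
 application = APP.MSWORD
@@ -527,6 +528,7 @@ class FType_Excel97(FTYpe_Excel, FType_Generic_OLE):
 longname = 'MS Excel 97-2003 Workbook or Template'
 CLSIDS = ('00020820-0000-0000-C000-000000000046',)
 extensions = ['xls', 'xlt', 'xla']
+# TODO: if no CLSID, check stream 'Workbook' or 'Book' (maybe Excel 5)
 
 class FType_Excel5(FTYpe_Excel, FType_Generic_OLE):
 filetype = FTYPE.EXCEL5
@@ -557,6 +559,9 @@ class FType_Excel2007_XLSM (FTYpe_Excel2007):
 content_types = ('application/vnd.ms-excel.sheet.macroEnabled.12',)
 PUID = 'fmt/445'
 
+# TODO: for PPT, check for stream 'PowerPoint Document'
+# TODO: for Visio, check for stream 'VisioDocument'
+
 clsid_ftypes = {
 # mapping from CLSID of root storage to FType classes:
 # WORD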
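--- a/oletools/oleid.py
+++ b/oletools/oleid.py
@@ -294,10 +294,6 @@ class OleID(object):
 # TODO: add try/except around each check
 self.check_properties()
 self.check_encrypted()
-# self.check_word()
-# self.check_excel()
-# self.check_powerpoint()
-# self.check_visio()
 self.check_macros()
 self.check_external_relationships()
 self.check_object_pool()
@@ -382,99 +378,6 @@ class OleID(object):
 ext_rels.risk = RISK.HIGH
 return ext_rels
 
-def check_word(self):
-"""
-Check whether this file is a word document
-
-If this finds evidence of encryption, will correct/add encryption
-indicator.
-
-:returns: 2 :py:class:`Indicator`s (for word and vba_macro) or None if
-file was not opened
-"""
-word = Indicator(
-'word', False, name='Word Document',
-description='Contains a WordDocument stream, very likely to be a '
-'Microsoft Word Document.')
-self.indicators.append(word)
-macros = Indicator('vba_macros', False, name='VBA Macros', risk=RISK.MEDIUM)
-self.indicators.append(macros)
-if not self.ole:
-return None, None
-if self.ole.exists('WordDocument'):
-word.value = True
-
-# check for VBA macros:
-if self.ole.exists('Macros'):
-macros.value = True
-return word, macros
-
-def check_excel(self):
-"""
-Check whether this file is an excel workbook.
-
-If this finds macros, will add/correct macro indicator.
-
-see also: :py:func:`xls_parser.is_xls`
-
-:returns: :py:class:`Indicator` for excel or (None, None) if file was
-not opened
-"""
-excel = Indicator(
-'excel', False, name='Excel Workbook',
-description='Contains a Workbook or Book stream, very likely to be '
-'a Microsoft Excel Workbook.')
-self.indicators.append(excel)
-if not self.ole:
-return None
-#self.macros = Indicator('vba_macros', False, name='VBA Macros')
-#self.indicators.append(self.macros)
-if self.ole.exists('Workbook') or self.ole.exists('Book'):
-excel.value = True
-# check for VBA macros:
-if self.ole.exists('_VBA_PROJECT_CUR'):
-# correct macro indicator if present or add one
-macro_ind = self.get_indicator('vba_macros')
-if macro_ind:
-macro_ind.value = True
-else:
-macros = Indicator('vba_macros', True, name='VBA Macros')
-self.indicators.append(macros)
-return excel
-
-def check_powerpoint(self):
-"""
-Check whether this file is a powerpoint presentation
-
-see also: :py:func:`ppt_record_parser.is_ppt`
-
-:returns: :py:class:`Indicator` for whether this is a powerpoint
-presentation or not or None if file was not opened
-"""
-ppt = Indicator(
-'ppt', False, name='PowerPoint Presentation',
-description='Contains a PowerPoint Document stream, very likely to '
-'be a Microsoft PowerPoint Presentation.')
-self.indicators.append(ppt)
-if not self.ole:
-return None
-if self.ole.exists('PowerPoint Document'):
-ppt.value = True
-return ppt
-
-def check_visio(self):
-"""Check whether this file is a visio drawing"""
-visio = Indicator(
-'visio', False, name='Visio Drawing',
-description='Contains a VisioDocument stream, very likely to be a '
-'Microsoft Visio Drawing.')
-self.indicators.append(visio)
-if not self.ole:
-return None
-if self.ole.exists('VisioDocument'):
-visio.value = True
-return visio
-
 def check_object_pool(self):
 """
 Check whether this file contains an ObjectPool stream.
@@ -484,10 +387,11 @@ class OleID(object):
 :returns: :py:class:`Indicator` for ObjectPool stream or None if file
 was not opened
 """
+# TODO: replace this by a call to oleobj
 objpool = Indicator(
 'ObjectPool', False, name='ObjectPool',
 description='Contains an ObjectPool stream, very likely to contain '
-'embedded OLE objects or files.')
+'embedded OLE objects or files. Use oleobj to check it.')
 self.indicators.append(objpool)
 if not self.ole:
 return None
@@ -615,8 +519,6 @@ def main():
 oleid = OleID(filename)
 indicators = oleid.check()
 
-#TODO: add description
-#TODO: highlight suspicious indicators
 table = tablestream.TableStream([20, 20, 10, 26],
 header_row=['Indicator', 'Value', 'Risk', 'Description'],
 style=tablestream.TableStyleSlimSep)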
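Review bot: In the first hunk of oleid.py the remaining checks in `check()` (check_properties through check_object_pool) still run back-to-back with no error isolation, so one check raising on a malformed or deliberately corrupted OLE container aborts the rest and the caller in main() gets no indicator table at all; the `# TODO: add try/except around each check` line above acknowledges this but the commit, which trims exactly this call sequence, does not address it. Since oleid is a triage tool fed with suspicious samples, a failure in one check should be recorded as its own indicator and the remaining checks should still run, so partial results are visible instead of a traceback. The enclosing `check()` method starts outside the hunk, and any checks called after check_object_pool are not visible here, so the list below only covers the calls shown in the hunk. A sketch of the loop replacing the five bare calls:
```python
        # … unchanged: start of check(), including check_properties's preconditions …
        for check in (self.check_properties, self.check_encrypted, self.check_macros,
                      self.check_external_relationships, self.check_object_pool):
            try:
                check()
            except Exception as exc:
                # a malformed file must not abort the remaining checks; surface the
                # failure as an indicator so the report is visibly incomplete
                self.indicators.append(Indicator(
                    'check_error', True, name='Check failed',
                    description='%s raised %r on this file' % (check.__name__, exc)))
        # … unchanged: any further checks and the return of self.indicators …
```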