Commit 866ab3393878df01c2e15cdfdd2b2371aa894808
1 parent
497b6664
olevba: added logging for references found in the VBA project (first step towards #386)
Showing
1 changed file
with
9 additions
and
1 deletions
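--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -261,7 +261,7 @@ import binascii
 import base64
 import zlib
 import email # for MHTML parsing
-import string # for printable
+import string # for printable
 import json # for json output mode (argument --json)
 
 # import lxml or ElementTree for XML parsing:
@@ -1746,6 +1746,7 @@ class VBA_Project(object):
 reference_id = check
 reference_sizeof_name = struct.unpack("<L", dir_stream.read(4))[0]
 reference_name = dir_stream.read(reference_sizeof_name)
+log.debug('REFERENCE name: %s' % unicode2str(self.decode_bytes(reference_name)))
 reference_reserved = struct.unpack("<H", dir_stream.read(2))[0]
 # According to [MS-OVBA] 2.3.4.2.2.2 REFERENCENAME Record:
 # "Reserved (2 bytes): MUST be 0x003E. MUST be ignored."
@@ -1776,6 +1777,7 @@ class VBA_Project(object):
 referenceoriginal_id = check
 referenceoriginal_sizeof_libidoriginal = struct.unpack("<L", dir_stream.read(4))[0]
 referenceoriginal_libidoriginal = dir_stream.read(referenceoriginal_sizeof_libidoriginal)
+log.debug('REFERENCE original lib id: %s' % unicode2str(self.decode_bytes(referenceoriginal_libidoriginal)))
 unused = referenceoriginal_id
 unused = referenceoriginal_libidoriginal
 continue
@@ -1787,6 +1789,7 @@ class VBA_Project(object):
 referencecontrol_sizetwiddled = struct.unpack("<L", dir_stream.read(4))[0] # ignore
 referencecontrol_sizeof_libidtwiddled = struct.unpack("<L", dir_stream.read(4))[0]
 referencecontrol_libidtwiddled = dir_stream.read(referencecontrol_sizeof_libidtwiddled)
+log.debug('REFERENCE control twiddled lib id: %s' % unicode2str(self.decode_bytes(referencecontrol_libidtwiddled)))
 referencecontrol_reserved1 = struct.unpack("<L", dir_stream.read(4))[0] # ignore
 self.check_value('REFERENCECONTROL_Reserved1', 0x0000, referencecontrol_reserved1)
 referencecontrol_reserved2 = struct.unpack("<H", dir_stream.read(2))[0] # ignore
@@ -1801,6 +1804,8 @@ class VBA_Project(object):
 referencecontrol_namerecordextended_sizeof_name = struct.unpack("<L", dir_stream.read(4))[0]
 referencecontrol_namerecordextended_name = dir_stream.read(
 referencecontrol_namerecordextended_sizeof_name)
+log.debug('REFERENCE control name record extended: %s' % unicode2str(
+self.decode_bytes(referencecontrol_namerecordextended_name)))
 referencecontrol_namerecordextended_reserved = struct.unpack("<H", dir_stream.read(2))[0]
 if referencecontrol_namerecordextended_reserved == 0x003E:
 referencecontrol_namerecordextended_sizeof_name_unicode = struct.unpack("<L", dir_stream.read(4))[0]
@@ -1838,6 +1843,7 @@ class VBA_Project(object):
 referenceregistered_size = struct.unpack("<L", dir_stream.read(4))[0]
 referenceregistered_sizeof_libid = struct.unpack("<L", dir_stream.read(4))[0]
 referenceregistered_libid = dir_stream.read(referenceregistered_sizeof_libid)
+log.debug('REFERENCE registered lib id: %s' % unicode2str(self.decode_bytes(referenceregistered_libid)))
 referenceregistered_reserved1 = struct.unpack("<L", dir_stream.read(4))[0]
 self.check_value('REFERENCEREGISTERED_Reserved1', 0x0000, referenceregistered_reserved1)
 referenceregistered_reserved2 = struct.unpack("<H", dir_stream.read(2))[0]
@@ -1854,8 +1860,10 @@ class VBA_Project(object):
 referenceproject_size = struct.unpack("<L", dir_stream.read(4))[0]
 referenceproject_sizeof_libidabsolute = struct.unpack("<L", dir_stream.read(4))[0]
 referenceproject_libidabsolute = dir_stream.read(referenceproject_sizeof_libidabsolute)
+log.debug('REFERENCE project lib id absolute: %s' % unicode2str(self.decode_bytes(referenceproject_libidabsolute)))
 referenceproject_sizeof_libidrelative = struct.unpack("<L", dir_stream.read(4))[0]
 referenceproject_libidrelative = dir_stream.read(referenceproject_sizeof_libidrelative)
+log.debug('REFERENCE project lib id relative: %s' % unicode2str(self.decode_bytes(referenceproject_libidrelative)))
 referenceproject_majorversion = struct.unpack("<L", dir_stream.read(4))[0]
 referenceproject_minorversion = struct.unpack("<H", dir_stream.read(2))[0]
 unused = referenceproject_id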
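Review bot: Each added `log.debug(...)` call decodes a length-prefixed field read straight from the document's dir stream and formats it eagerly with `%`, so the decode runs on every parse even when debug output is off, and the logged text is whatever the analysed (possibly malicious) file put there. `decode_bytes` and `unicode2str` are not visible on this page; if either can raise on bytes that are invalid for the project codepage, a line added only for logging would abort reference parsing, so that is worth confirming or guarding. Passing the value as a lazy argument with `%r`, e.g. `log.debug('REFERENCE name: %r', unicode2str(self.decode_bytes(reference_name)))`, keeps embedded newlines and terminal escape bytes from forging or corrupting log lines. The same applies to the other six calls in the later hunks. The enclosing VBA_Project method starts and ends outside these hunks.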