Commit 879c3fb44448a0b7176ff317f6c8737837c39436
1 parent
82c4a54d
olevba: added keywords for Mac-specific macros (issue #130)
Showing
1 changed file
with
10 additions
and
1 deletions
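--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -189,6 +189,7 @@ from __future__ import print_function
 # 2016-10-25 PL: - fixed raise and print statements for Python 3
 # 2016-11-03 v0.51 PL: - added EnumDateFormats and EnumSystemLanguageGroupsW
 # 2017-02-07 PL: - temporary fix for issue #132
+# - added keywords for Mac-specific macros (issue #130)
 
 __version__ = '0.51dev1'
 
@@ -526,6 +527,11 @@ SUSPICIOUS_KEYWORDS = {
 'May run an executable file or a system command':
 ('Shell', 'vbNormal', 'vbNormalFocus', 'vbHide', 'vbMinimizedFocus', 'vbMaximizedFocus', 'vbNormalNoFocus',
 'vbMinimizedNoFocus', 'WScript.Shell', 'Run', 'ShellExecute'),
+# MacScript: see https://msdn.microsoft.com/en-us/library/office/gg264812.aspx
+'May run an executable file or a system command on a Mac':
+('MacScript',),
+'May run an executable file or a system command on a Mac (if combined with libc.dylib)':
+('system', 'popen', r'exec[lv][ep]?'),
 #Shell: http://msdn.microsoft.com/en-us/library/office/gg278437%28v=office.15%29.aspx
 #WScript.Shell+Run sample: http://pastebin.com/Z4TMyuq6
 'May run PowerShell commands':
@@ -556,8 +562,11 @@ SUSPICIOUS_KEYWORDS = {
 'May enumerate application windows (if combined with Shell.Application object)':
 ('Windows', 'FindWindow'),
 'May run code from a DLL':
-#TODO: regex to find declare+lib on same line
+#TODO: regex to find declare+lib on same line - see mraptor
 ('Lib',),
+'May run code from a library on a Mac':
+#TODO: regex to find declare+lib on same line - see mraptor
+('libc.dylib', 'dylib'),
 'May inject code into another process':
 ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
 'VirtualAllocEx', 'RtlMoveMemory',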
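Review bot: The new tuple `('system', 'popen', r'exec[lv][ep]?')` at new line 534 puts a regex pattern into a dictionary whose other entries are literal identifiers, so it only matches if the consumer of SUSPICIOUS_KEYWORDS interpolates each keyword into a pattern unescaped (the unescaped `.` in 'WScript.Shell' and 'libc.dylib' suggests it does, but the matcher is outside this hunk, so this is an inference). A one-line comment above the tuple would make that contract explicit for the next person adding entries, e.g. `# keywords are used as regex patterns (not escaped): exec[lv][ep]? covers execl/execv/execle/execlp/execve/execvp`. Separately, in the third hunk `'dylib'` is a suffix of `'libc.dylib'` separated by a non-word character, so if the matcher uses word boundaries both keywords will fire on the same Declare statement and the finding is reported twice; keeping only `'dylib'` (or only `'libc.dylib'`) avoids the duplicate. Also, `system` is a common word in comments and string literals, so on its own this keyword will be noisy and really only means something next to a libc.dylib hit, as the label already hints. The SUSPICIOUS_KEYWORDS literal begins and ends outside these hunks.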