Commit 8dad74b9be24ebefb6002101749f2fa1a901fda5
1 parent
384f406b
rtfobj: log when \bin has no argument
Showing
2 changed files
with
6 additions
and
4 deletions
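--- a/oletools/rtfobj.py
+++ b/oletools/rtfobj.py
@@ -73,12 +73,13 @@ http://www.decalage.info/python/oletools
 # 2017-05-04 PL: - fixed issue #164 to handle linked OLE objects
 # 2017-06-08 PL: - fixed issue/PR #143: bin object with negative length
 # 2017-06-29 PL: - temporary fix for issue #178
-# 2017-07-14 v0.51.1 PL: - disabled logging of each control word (issue #184)
+# 2017-07-14 v0.52 PL: - disabled logging of each control word (issue #184)
 # 2017-07-24 PL: - fixed call to RtfParser._end_of_file (issue #185)
 # - ignore optional space after \bin (issue #185)
 # 2017-09-06 PL: - fixed issue #196: \pxe is not a destination
+# 2018-02-01 JRM: - fixed issue #251: \bin without argument
 
-__version__ = '0.51.1dev4'
+__version__ = '0.52dev12'
 
 # ------------------------------------------------------------------------------
 # TODO:
@@ -511,12 +512,13 @@ class RtfParser(object):
 
 def _bin(self, matchobject, param):
 if param is None:
+ log.info('Detected anti-analysis trick: \\bin object without length at index %X' % self.index)
 binlen = 0
 else:
 binlen = int(param)
 # handle negative length
 if binlen < 0:
- log.warn('Detected anti-analysis trick: \bin object with negative length at index %X' % self.index)
+ log.info('Detected anti-analysis trick: \bin object with negative length at index %X' % self.index)
 # binlen = int(param.strip('-'))
 # According to my tests, if the bin length is negative,
 # it should be treated as a null length: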
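Review bot: The negative-length message on the changed `log.info` line still writes the control word as `\bin` inside an ordinary string literal, so Python emits a backspace character (`\b`) followed by `in` in the log output, while the new no-argument message a few lines above escapes it correctly as `\\bin`. Since the line is being touched anyway, it should read `log.info('Detected anti-analysis trick: \\bin object with negative length at index %X' % self.index)`. Separately, both indicators are now logged at info level; if the tool's default log level is above info (not visible in this hunk), an analyst running with defaults would see neither anti-analysis message, so the downgrade from `log.warn` is worth confirming as intended. The body of `_bin` continues past the end of the hunk.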
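--- a/setup.py
+++ b/setup.py
@@ -42,7 +42,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.52dev11'
+version = '0.52dev12'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"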