Commit 9d8c85f6891cfe4b607703af4e415ea654c09794
1 parent
de2cff36
olevba: fixed some issues with VBA stomping detection
Showing
1 changed file
with
15 additions
and
1 deletions
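--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -3512,13 +3512,27 @@ class VBA_Parser(object):
             if mnemonic in ('ArgsCall', 'ArgsLd', 'St', 'Ld', 'MemSt', 'Label'):
                 # add 1st argument:
                 name = args.split(None, 1)[0]
-                keywords.add(name)
+                # sometimes pcodedmp reports names like "id_FFFF", which are not
+                # directly present in the VBA source code
+                # (for example "Me" in VBA appears as id_FFFF in P-code)
+                if not name.startswith('id_'):
+                    keywords.add(name)
             if mnemonic == 'LitStr':
                 # re_string = re.compile(r'\"([^\"]|\"\")*\"')
                 # for match in re_string.finditer(line):
                 # print('\t' + match.group())
                 # the string is the 2nd argument:
                 s = args.split(None, 1)[1]
+                # tricky issue: when a string contains double quotes inside,
+                # pcodedmp returns a single ", whereas in the VBA source code
+                # it is always a double "".
+                # We have to remove the " around the strings, then double the remaining ",
+                # and put back the " around:
+                if len(s)>=2:
+                    assert(s[0]=='"' and s[-1]=='"')
+                    s = s[1:-1]
+                    s = s.replace('"', '""')
+                    s = '"' + s + '"'
                 keywords.add(s)
         log.debug('Keywords extracted from P-code: ' + repr(sorted(keywords)))
         self.vba_stomping_detected = False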
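Review bot: The `assert(s[0]=='"' and s[-1]=='"')` added in the LitStr branch raises AssertionError on any pcodedmp string argument that is not quote-delimited, and since that argument is derived from an attacker-supplied document, a crafted or merely unusual P-code line aborts the whole stomping check instead of degrading it; under `python -O` the assert vanishes and the slice silently strips two arbitrary characters. Fold the condition into the guard and leave the value untouched otherwise, replacing the `if len(s)>=2:` / `assert` pair with `if len(s) >= 2 and s[0] == '"' and s[-1] == '"':`, ideally with a `log.debug` on the else path recording the unexpected form. The `name.startswith('id_')` filter in the first branch will presumably also drop a genuine user identifier that happens to begin with `id_`, which only weakens the check (one fewer keyword to verify) rather than producing a false positive, but a one-line comment saying so would spare the next reader the question. The enclosing method begins before this hunk.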