Commit a1fe3a30c404d35d5b7592c2effd6e6331deca6f

Authored by Philippe Lagadec
1 parent 602504a0

Updated license and readme

README.md
... ... @@ -8,10 +8,11 @@ Tools in oletools:
8 8 -----------------------------------
9 9  
10 10 - **olebrowse**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
11   -view and extract individual data streams.
  11 + view and extract individual data streams.
12 12 - **xxxswf2**: a script to detect, extract and analyze Flash objects (SWF) that may
13   -be embedded in files such as MS Office documents (e.g. Word, Excel),
14   -which is especially useful for malware analysis.
  13 + be embedded in files such as MS Office documents (e.g. Word, Excel),
  14 + which is especially useful for malware analysis.
  15 +- and a few others (coming soon)
15 16  
16 17 News
17 18 ----
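Review bot: the new list item "- and a few others (coming soon)" in the tools list is a placeholder rather than a tool entry; either name the tools it refers to or drop the line until they ship, since a reader scanning "Tools in oletools" gets nothing from it. The change to the continuation lines (indenting them by one space under their bullet) is harmless for Markdown rendering, but consistent indentation under the bullet is easier to maintain.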
... ... @@ -38,16 +39,20 @@ olebrowse project website: [http://www.decalage.info/python/olebrowse](http://ww
38 39 xxxswf2:
39 40 --------
40 41  
41   -xxxswf2 is a script to detect, extract and analyze Flash objects (SWF) that may
  42 +xxxswf2 is a script to detect, extract and analyze Flash objects (SWF files) that may
42 43 be embedded in files such as MS Office documents (e.g. Word, Excel),
43 44 which is especially useful for malware analysis.
  45 +
44 46 xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel on
45 47 [http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html](http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html)
  48 +
46 49 Compared to xxxswf, it can extract streams from MS Office documents by parsing
47 50 their OLE structure properly, which is necessary when streams are fragmented.
48 51 Stream fragmentation is a known obfuscation technique, as explained on
49 52 [http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/](http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/)
50 53  
  54 +For this, simply add the -o option to work on OLE streams rather than raw files.
  55 +
51 56 Usage: xxxswf2.py [options] <file.bad>
52 57  
53 58 Options:
... ... @@ -68,6 +73,19 @@ Stream fragmentation is a known obfuscation technique, as explained on
68 73 contain SWFs. Must provide path in quotes
69 74 -c, --compress Compresses the SWF using Zlib
70 75  
  76 +Example - detecting and extracting a SWF file from a Word document on Windows:
  77 +
  78 + C:\oletools>xxxswf2.py -o word_flash.doc
  79 + OLE stream: 'Contents'
  80 + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  81 + [ADDR] SWF 1 at 0x8 - FWS Header
  82 +
  83 + C:\oletools>xxxswf2.py -xo word_flash.doc
  84 + OLE stream: 'Contents'
  85 + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  86 + [ADDR] SWF 1 at 0x8 - FWS Header
  87 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
  88 +
71 89 xxxswf2 project website: [http://www.decalage.info/python/xxxswf2](http://www.decalage.info/python/xxxswf2)
72 90  
73 91  
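Review bot: the example session is indented by a single space, which Markdown does not treat as a code block (an indented block needs four spaces or a tab), so the lines "C:\oletools>xxxswf2.py -o word_flash.doc", "OLE stream: 'Contents'" and the "[SUMMARY]" / "[ADDR]" / "[FILE]" lines will be reflowed into one paragraph when the README is rendered. Indent the block by four spaces (or fence it) so it shows as the terminal transcript it is. It would also help to say explicitly that the second command's "-xo" is "-x" (extract) combined with "-o" (OLE streams), since the text above only introduces "-o".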
... ... @@ -86,7 +104,9 @@ To report a bug or any issue, please use the [issue reporting page](https://bitb
86 104 License
87 105 -------
88 106  
89   -Copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
  107 +This license applies to the oletools package, apart from the thirdparty folder which contains third-party files published with their own license.
  108 +
  109 +The oletools package is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
90 110 All rights reserved.
91 111  
92 112 Redistribution and use in source and binary forms, with or without modification,
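Review bot: the new line "The oletools package is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)" is directly followed by "All rights reserved." with no period or blank line, so in rendered Markdown the two lines run together as one sentence; add a period after the URL or keep the two statements on one line as in the original. The scope sentence about the thirdparty folder is a good addition, but since it now lives in README.md, README.txt and LICENSE.txt, the three copies need to be kept word-for-word identical or the package ends up with differing license statements.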
... ...
oletools/LICENSE.txt
1 1 LICENSE for the oletools package:
2 2  
  3 +This license applies to the oletools package, apart from the thirdparty folder
  4 +which contains third-party files published with their own license.
3 5  
4   -Copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
  6 +The oletools package is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
5 7 All rights reserved.
6 8  
7 9 Redistribution and use in source and binary forms, with or without modification,
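Review bot: the added scope statement "apart from the thirdparty folder which contains third-party files published with their own license" is the only place the license file says what is excluded; it would be more useful to readers (and to downstream packagers checking license compliance) if it also pointed at where the third-party license texts can be found, for example by noting that each file or subfolder under thirdparty carries its own license header or LICENSE file. Consider making this the single authoritative copy of the license text and having the README files refer to it rather than restating it.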
... ...
oletools/README.txt
... ... @@ -19,6 +19,7 @@ Tools in oletools:
19 19 - **xxxswf2**: a script to detect, extract and analyze Flash objects
20 20 (SWF) that may be embedded in files such as MS Office documents (e.g.
21 21 Word, Excel), which is especially useful for malware analysis.
  22 +- and a few others (coming soon)
22 23  
23 24 News
24 25 ----
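Review bot: same point as for README.md: "- and a few others (coming soon)" is a placeholder entry in the tools list; either list the tools or leave the line out until they exist, and keep README.txt and README.md in sync when that changes.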
... ... @@ -48,17 +49,23 @@ olebrowse project website:
48 49 xxxswf2:
49 50 --------
50 51  
51   -xxxswf2 is a script to detect, extract and analyze Flash objects (SWF)
52   -that may be embedded in files such as MS Office documents (e.g. Word,
53   -Excel), which is especially useful for malware analysis. xxxswf2 is an
54   -improved version of xxxswf.py published by Alexander Hanel on
  52 +xxxswf2 is a script to detect, extract and analyze Flash objects (SWF
  53 +files) that may be embedded in files such as MS Office documents (e.g.
  54 +Word, Excel), which is especially useful for malware analysis.
  55 +
  56 +xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel
  57 +on
55 58 `http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html <http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html>`_
  59 +
56 60 Compared to xxxswf, it can extract streams from MS Office documents by
57 61 parsing their OLE structure properly, which is necessary when streams
58 62 are fragmented. Stream fragmentation is a known obfuscation technique,
59 63 as explained on
60 64 `http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/ <http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/>`_
61 65  
  66 +For this, simply add the -o option to work on OLE streams rather than
  67 +raw files.
  68 +
62 69 ::
63 70  
64 71 Usage: xxxswf2.py [options] <file.bad>
... ... @@ -81,6 +88,22 @@ as explained on
81 88 contain SWFs. Must provide path in quotes
82 89 -c, --compress Compresses the SWF using Zlib
83 90  
  91 +Example - detecting and extracting a SWF file from a Word document on
  92 +Windows:
  93 +
  94 +::
  95 +
  96 + C:\oletools>xxxswf2.py -o word_flash.doc
  97 + OLE stream: 'Contents'
  98 + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  99 + [ADDR] SWF 1 at 0x8 - FWS Header
  100 +
  101 + C:\oletools>xxxswf2.py -xo word_flash.doc
  102 + OLE stream: 'Contents'
  103 + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
  104 + [ADDR] SWF 1 at 0x8 - FWS Header
  105 + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
  106 +
84 107 xxxswf2 project website:
85 108 `http://www.decalage.info/python/xxxswf2 <http://www.decalage.info/python/xxxswf2>`_
86 109  
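Review bot: the reST "::" literal block is the right form here and will render the transcript correctly, unlike the Markdown copy. Two small points: the "Example - detecting and extracting ..." line should end with "::" itself or the following "::" paragraph should be kept, but not both in a way that leaves a stray "::" paragraph (as written it is fine because "::" on its own line is consumed by reST). The "-xo" in the second command should be explained as "-x" (extract) plus "-o" (OLE streams), since only "-o" is introduced in the preceding paragraph.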
... ... @@ -105,8 +128,12 @@ problem.
105 128 License
106 129 -------
107 130  
108   -Copyright (c) 2012, Philippe Lagadec (http://www.decalage.info) All
109   -rights reserved.
  131 +This license applies to the oletools package, apart from the thirdparty
  132 +folder which contains third-party files published with their own
  133 +license.
  134 +
  135 +The oletools package is copyright (c) 2012, Philippe Lagadec
  136 +(http://www.decalage.info) All rights reserved.
110 137  
111 138 Redistribution and use in source and binary forms, with or without
112 139 modification, are permitted provided that the following conditions are
... ...