Commit a1fe3a30c404d35d5b7592c2effd6e6331deca6f (1 parent: 602504a0)
Updated license and readme
Showing 3 changed files with 61 additions and 12 deletions
README.md
| @@ -8,10 +8,11 @@ Tools in oletools: | @@ -8,10 +8,11 @@ Tools in oletools: | ||
| 8 | ----------------------------------- | 8 | ----------------------------------- |
| 9 | 9 | ||
| 10 | - **olebrowse**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to | 10 | - **olebrowse**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to |
| 11 | -view and extract individual data streams. | 11 | + view and extract individual data streams. |
| 12 | - **xxxswf2**: a script to detect, extract and analyze Flash objects (SWF) that may | 12 | - **xxxswf2**: a script to detect, extract and analyze Flash objects (SWF) that may |
| 13 | -be embedded in files such as MS Office documents (e.g. Word, Excel), | ||
| 14 | -which is especially useful for malware analysis. | 13 | + be embedded in files such as MS Office documents (e.g. Word, Excel), |
| 14 | + which is especially useful for malware analysis. | ||
| 15 | +- and a few others (coming soon) | ||
| 15 | 16 | ||
| 16 | News | 17 | News |
| 17 | ---- | 18 | ---- |
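Review bot: the new bullet "- and a few others (coming soon)" (line 15) is a placeholder that tells the reader nothing about what actually ships in the package; either name the tools that exist in this commit or leave the bullet out until they do, so the tool list stays an accurate inventory. The re-indentation of the continuation lines (lines 11, 13, 14) is a correct fix, since without it Markdown renders them as separate paragraphs rather than as part of each bullet.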
| @@ -38,16 +39,20 @@ olebrowse project website: [http://www.decalage.info/python/olebrowse](http://ww | @@ -38,16 +39,20 @@ olebrowse project website: [http://www.decalage.info/python/olebrowse](http://ww | ||
| 38 | xxxswf2: | 39 | xxxswf2: |
| 39 | -------- | 40 | -------- |
| 40 | 41 | ||
| 41 | -xxxswf2 is a script to detect, extract and analyze Flash objects (SWF) that may | 42 | +xxxswf2 is a script to detect, extract and analyze Flash objects (SWF files) that may |
| 42 | be embedded in files such as MS Office documents (e.g. Word, Excel), | 43 | be embedded in files such as MS Office documents (e.g. Word, Excel), |
| 43 | which is especially useful for malware analysis. | 44 | which is especially useful for malware analysis. |
| 45 | + | ||
| 44 | xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel on | 46 | xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel on |
| 45 | [http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html](http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html) | 47 | [http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html](http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html) |
| 48 | + | ||
| 46 | Compared to xxxswf, it can extract streams from MS Office documents by parsing | 49 | Compared to xxxswf, it can extract streams from MS Office documents by parsing |
| 47 | their OLE structure properly, which is necessary when streams are fragmented. | 50 | their OLE structure properly, which is necessary when streams are fragmented. |
| 48 | Stream fragmentation is a known obfuscation technique, as explained on | 51 | Stream fragmentation is a known obfuscation technique, as explained on |
| 49 | [http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/](http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/) | 52 | [http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/](http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/) |
| 50 | 53 | ||
| 54 | +For this, simply add the -o option to work on OLE streams rather than raw files. | ||
| 55 | + | ||
| 51 | Usage: xxxswf2.py [options] <file.bad> | 56 | Usage: xxxswf2.py [options] <file.bad> |
| 52 | 57 | ||
| 53 | Options: | 58 | Options: |
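Review bot: the new sentence "For this, simply add the -o option to work on OLE streams rather than raw files." (line 54) should also say what the tool does when -o is given for an input that is not an OLE container (error out, or fall back to the raw scan), and it is worth stating plainly that for Office samples -o is the mode to use, because a raw scan of the file is exactly what the OLE2 fragmentation evasion cited in the previous paragraph defeats. Since the option list follows immediately, the -o entry there should carry the same wording so the two do not drift.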
| @@ -68,6 +73,19 @@ Stream fragmentation is a known obfuscation technique, as explained on | @@ -68,6 +73,19 @@ Stream fragmentation is a known obfuscation technique, as explained on | ||
| 68 | contain SWFs. Must provide path in quotes | 73 | contain SWFs. Must provide path in quotes |
| 69 | -c, --compress Compresses the SWF using Zlib | 74 | -c, --compress Compresses the SWF using Zlib |
| 70 | 75 | ||
| 76 | +Example - detecting and extracting a SWF file from a Word document on Windows: | ||
| 77 | + | ||
| 78 | + C:\oletools>xxxswf2.py -o word_flash.doc | ||
| 79 | + OLE stream: 'Contents' | ||
| 80 | + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents | ||
| 81 | + [ADDR] SWF 1 at 0x8 - FWS Header | ||
| 82 | + | ||
| 83 | + C:\oletools>xxxswf2.py -xo word_flash.doc | ||
| 84 | + OLE stream: 'Contents' | ||
| 85 | + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents | ||
| 86 | + [ADDR] SWF 1 at 0x8 - FWS Header | ||
| 87 | + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf | ||
| 88 | + | ||
| 71 | xxxswf2 project website: [http://www.decalage.info/python/xxxswf2](http://www.decalage.info/python/xxxswf2) | 89 | xxxswf2 project website: [http://www.decalage.info/python/xxxswf2](http://www.decalage.info/python/xxxswf2) |
| 72 | 90 | ||
| 73 | 91 | ||
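Review bot: the example (lines 76-87) shows the carved SWF being written as "2498e9c0701dc0e461ab4358f9102bc5.swf" but not where it lands; add a sentence saying the file is written to the current directory (or wherever it actually goes), and that the carved file is the suspect payload and should be handled like any other malware sample rather than opened. Consider also spelling the flags out once as "-x -o", because a reader who does not know that short options can be grouped will not recognise "-xo" as extract plus OLE mode.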
| @@ -86,7 +104,9 @@ To report a bug or any issue, please use the [issue reporting page](https://bitb | @@ -86,7 +104,9 @@ To report a bug or any issue, please use the [issue reporting page](https://bitb | ||
| 86 | License | 104 | License |
| 87 | ------- | 105 | ------- |
| 88 | 106 | ||
| 89 | -Copyright (c) 2012, Philippe Lagadec (http://www.decalage.info) | 107 | +This license applies to the oletools package, apart from the thirdparty folder which contains third-party files published with their own license. |
| 108 | + | ||
| 109 | +The oletools package is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info) | ||
| 90 | All rights reserved. | 110 | All rights reserved. |
| 91 | 111 | ||
| 92 | Redistribution and use in source and binary forms, with or without modification, | 112 | Redistribution and use in source and binary forms, with or without modification, |
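Review bot: the license paragraph is now carried verbatim in README.md (lines 107-112) as well as in oletools/LICENSE.txt, and the thirdparty exception is stated in prose without saying which files it covers or under which licenses; point the README at LICENSE.txt instead of copying the text, and have LICENSE.txt (or a file inside the thirdparty folder) enumerate the third-party files and their licenses so a downstream packager can audit what the exception actually excludes.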
oletools/LICENSE.txt
| 1 | LICENSE for the oletools package: | 1 | LICENSE for the oletools package: |
| 2 | 2 | ||
| 3 | +This license applies to the oletools package, apart from the thirdparty folder | ||
| 4 | +which contains third-party files published with their own license. | ||
| 3 | 5 | ||
| 4 | -Copyright (c) 2012, Philippe Lagadec (http://www.decalage.info) | 6 | +The oletools package is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info) |
| 5 | All rights reserved. | 7 | All rights reserved. |
| 6 | 8 | ||
| 7 | Redistribution and use in source and binary forms, with or without modification, | 9 | Redistribution and use in source and binary forms, with or without modification, |
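Review bot: the exception "apart from the thirdparty folder which contains third-party files published with their own license" (lines 3-4) names a folder but gives neither its path relative to this file nor the files and licenses involved; use the path (oletools/thirdparty, if it sits beside this file) and either list each third-party file with its license here or state that every such file carries its own license header, so the scope of the grant that follows is unambiguous.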
oletools/README.txt
| @@ -19,6 +19,7 @@ Tools in oletools: | @@ -19,6 +19,7 @@ Tools in oletools: | ||
| 19 | - **xxxswf2**: a script to detect, extract and analyze Flash objects | 19 | - **xxxswf2**: a script to detect, extract and analyze Flash objects |
| 20 | (SWF) that may be embedded in files such as MS Office documents (e.g. | 20 | (SWF) that may be embedded in files such as MS Office documents (e.g. |
| 21 | Word, Excel), which is especially useful for malware analysis. | 21 | Word, Excel), which is especially useful for malware analysis. |
| 22 | +- and a few others (coming soon) | ||
| 22 | 23 | ||
| 23 | News | 24 | News |
| 24 | ---- | 25 | ---- |
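Review bot: this adds the same "- and a few others (coming soon)" placeholder that README.md gained (line 22 here), which means the Markdown and reStructuredText READMEs now have to be kept in step by hand; since README.txt is evidently the RST rendering of README.md, generating it from the Markdown source as a build step would remove that burden, and in any case the placeholder should be replaced with the actual tool names or removed.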
| @@ -48,17 +49,23 @@ olebrowse project website: | @@ -48,17 +49,23 @@ olebrowse project website: | ||
| 48 | xxxswf2: | 49 | xxxswf2: |
| 49 | -------- | 50 | -------- |
| 50 | 51 | ||
| 51 | -xxxswf2 is a script to detect, extract and analyze Flash objects (SWF) | ||
| 52 | -that may be embedded in files such as MS Office documents (e.g. Word, | ||
| 53 | -Excel), which is especially useful for malware analysis. xxxswf2 is an | ||
| 54 | -improved version of xxxswf.py published by Alexander Hanel on | 52 | +xxxswf2 is a script to detect, extract and analyze Flash objects (SWF |
| 53 | +files) that may be embedded in files such as MS Office documents (e.g. | ||
| 54 | +Word, Excel), which is especially useful for malware analysis. | ||
| 55 | + | ||
| 56 | +xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel | ||
| 57 | +on | ||
| 55 | `http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html <http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html>`_ | 58 | `http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html <http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html>`_ |
| 59 | + | ||
| 56 | Compared to xxxswf, it can extract streams from MS Office documents by | 60 | Compared to xxxswf, it can extract streams from MS Office documents by |
| 57 | parsing their OLE structure properly, which is necessary when streams | 61 | parsing their OLE structure properly, which is necessary when streams |
| 58 | are fragmented. Stream fragmentation is a known obfuscation technique, | 62 | are fragmented. Stream fragmentation is a known obfuscation technique, |
| 59 | as explained on | 63 | as explained on |
| 60 | `http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/ <http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/>`_ | 64 | `http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/ <http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/>`_ |
| 61 | 65 | ||
| 66 | +For this, simply add the -o option to work on OLE streams rather than | ||
| 67 | +raw files. | ||
| 68 | + | ||
| 62 | :: | 69 | :: |
| 63 | 70 | ||
| 64 | Usage: xxxswf2.py [options] <file.bad> | 71 | Usage: xxxswf2.py [options] <file.bad> |
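Review bot: the reflowed paragraph leaves the word "on" alone on line 57 ahead of the URL line, which reads as a broken sentence in the plain-text file; join it to the preceding line ("...published by Alexander Hanel on") or put the link on the same line. The new -o sentence (lines 66-67) has the same gap as in README.md: say what the tool does when -o is given for a non-OLE input.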
| @@ -81,6 +88,22 @@ as explained on | @@ -81,6 +88,22 @@ as explained on | ||
| 81 | contain SWFs. Must provide path in quotes | 88 | contain SWFs. Must provide path in quotes |
| 82 | -c, --compress Compresses the SWF using Zlib | 89 | -c, --compress Compresses the SWF using Zlib |
| 83 | 90 | ||
| 91 | +Example - detecting and extracting a SWF file from a Word document on | ||
| 92 | +Windows: | ||
| 93 | + | ||
| 94 | +:: | ||
| 95 | + | ||
| 96 | + C:\oletools>xxxswf2.py -o word_flash.doc | ||
| 97 | + OLE stream: 'Contents' | ||
| 98 | + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents | ||
| 99 | + [ADDR] SWF 1 at 0x8 - FWS Header | ||
| 100 | + | ||
| 101 | + C:\oletools>xxxswf2.py -xo word_flash.doc | ||
| 102 | + OLE stream: 'Contents' | ||
| 103 | + [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents | ||
| 104 | + [ADDR] SWF 1 at 0x8 - FWS Header | ||
| 105 | + [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf | ||
| 106 | + | ||
| 84 | xxxswf2 project website: | 107 | xxxswf2 project website: |
| 85 | `http://www.decalage.info/python/xxxswf2 <http://www.decalage.info/python/xxxswf2>`_ | 108 | `http://www.decalage.info/python/xxxswf2 <http://www.decalage.info/python/xxxswf2>`_ |
| 86 | 109 | ||
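Review bot: as in README.md, the literal block (lines 94-105) shows the carved file name "2498e9c0701dc0e461ab4358f9102bc5.swf" but not where it is written; add a sentence after the block giving the output location and noting that the carved SWF is the suspect payload and should be treated as a malware sample.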
| @@ -105,8 +128,12 @@ problem. | @@ -105,8 +128,12 @@ problem. | ||
| 105 | License | 128 | License |
| 106 | ------- | 129 | ------- |
| 107 | 130 | ||
| 108 | -Copyright (c) 2012, Philippe Lagadec (http://www.decalage.info) All | ||
| 109 | -rights reserved. | 131 | +This license applies to the oletools package, apart from the thirdparty |
| 132 | +folder which contains third-party files published with their own | ||
| 133 | +license. | ||
| 134 | + | ||
| 135 | +The oletools package is copyright (c) 2012, Philippe Lagadec | ||
| 136 | +(http://www.decalage.info) All rights reserved. | ||
| 110 | 137 | ||
| 111 | Redistribution and use in source and binary forms, with or without | 138 | Redistribution and use in source and binary forms, with or without |
| 112 | modification, are permitted provided that the following conditions are | 139 | modification, are permitted provided that the following conditions are |
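Review bot: "All rights reserved." is folded onto the same line as the URL (line 136) whereas README.md keeps it on its own line, so in the plain-text file it now reads "(http://www.decalage.info) All rights reserved." with no sentence break; put a period or a line break after the URL. This is also the third copy of the license text in the commit; pointing at oletools/LICENSE.txt instead would leave one place to keep correct.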