Commit a42f5500823187d9583b645fb053bac3f9909591

Authored by Matteo Lodi
1 parent dcce7d95

adjust CALL and REGISTER command detections to avoid false positives

Showing 1 changed file with 10 additions and 6 deletions
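--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -634,7 +634,7 @@ AUTOEXEC_KEYWORDS = {
 'Runs when the Excel Workbook is closed':
 ('Auto_Close', 'Workbook_Close'),
 #Worksheet_Calculate to Autoexec: see http://www.certego.net/en/news/advanced-vba-macros/
-'May runs when an Excel WorkSheet is open':
+'May run when an Excel WorkSheet is opened':
 ('Worksheet_Calculate',),
 }
 
@@ -713,10 +713,8 @@ SUSPICIOUS_KEYWORDS = {
 'invoke-command', 'scriptblock', 'Invoke-Expression', 'AuthorizationManager'),
 'May run an executable file or a system command using PowerShell':
 ('Start-Process',),
-'May run an executable file or a system command using Excel 4 Macros (XLM/XLF)':
-('EXEC',),
 'May call a DLL using Excel 4 Macros (XLM/XLF)':
-('REGISTER', 'CALL'),
+('CALL',),
 'May hide the application':
 ('Application.Visible', 'ShowWindow', 'SW_HIDE'),
 'May create a directory':
@@ -745,8 +743,6 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a library on a Mac':
 #TODO: regex to find declare+lib on same line - see mraptor
 ('libc.dylib', 'dylib'),
-'May run code from a DLL using Excel 4 Macros (XLM/XLF)':
-('REGISTER',),
 'May inject code into another process':
 ('CreateThread', 'CreateUserThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
 'VirtualAllocEx', 'RtlMoveMemory', 'WriteProcessMemory',
@@ -829,6 +825,14 @@ SUSPICIOUS_KEYWORDS_REGEX = {
 ),
 'May run an executable file or a system command on a Mac (if combined with libc.dylib)':
 ('system', 'popen', r'exec[lv][ep]?'),
+'May run an executable file or a system command using Excel 4 Macros (XLM/XLF)':
+(r'(?<!Could contain following functions: )EXEC',),
+'Could contain a function that allows to run an executable file or a system command using Excel 4 Macros (XLM/XLF)':
+(r'Could contain following functions: EXEC',),
+'May call a DLL using Excel 4 Macros (XLM/XLF)':
+(r'(?<!Could contain following functions: )REGISTER',),
+'Could contain a function that allows to call a DLL using Excel 4 Macros (XLM/XLF)':
+(r'Could contain following functions: REGISTER',),
 }
 
 # Suspicious Keywords to be searched for directly as strings, without regex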
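Review bot: The negative lookbehind in the new `EXEC` and `REGISTER` patterns (new lines 829 and 833 of the last hunk) suppresses a hit only when the keyword immediately follows the literal text `Could contain following functions: `, so if that sentence can list several functions (e.g. `... functions: CALL, EXEC`) a later name still matches the definite-hit description, and any rewording of that sentence where it is produced (not visible in this diff) silently brings back the false positives this commit removes. Python lookbehinds must be fixed-width, so the exclusion cannot be widened inside the regex itself; the more robust option is to keep that summary sentence out of the text handed to the keyword scanner, or to scan it separately from the extracted macro code. At minimum, add a comment above the four new entries tying them together, e.g. `# The lookbehind text must stay in sync with the 'Could contain following functions: ' sentence emitted by the XLM extraction step; if that wording changes, EXEC/REGISTER are reported as definite hits again.` The enclosing `SUSPICIOUS_KEYWORDS_REGEX` dict starts outside the hunk.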