Commit aaa7c73f179784e9d0f0a30e606efa99b8eeaefe
1 parent
cbbb5d20
olevba: added Hex function decoding to VBA Parser
Showing
1 changed file
with
24 additions
and
1 deletions
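--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -143,6 +143,7 @@ https://github.com/unixfreak0037/officeparser
 # 2015-06-21 v0.32 PL: - always display decoded strings which are printable
 # - fix VBA_Scanner.scan to return raw strings, not repr()
 # 2015-07-09 v0.33 PL: - removed usage of sys.stderr which causes issues
+# 2015-07-12 PL: - added Hex function decoding to VBA Parser
 
 __version__ = '0.33'
 
@@ -544,6 +545,28 @@ environ = Suppress(CaselessKeyword('Environ') + '(') + vba_expr_str + Suppress('
 environ.setParseAction(lambda t: VbaExpressionString('%%%s%%' % t[0]))
 
 
+# --- IDENTIFIER -------------------------------------------------------------
+
+#TODO: see MS-VBAL 3.3.5 page 33
+# 3.3.5 Identifier Tokens
+# Latin-identifier = first-Latin-identifier-character *subsequent-Latin-identifier-character
+# first-Latin-identifier-character = (%x0041-005A / %x0061-007A) ; A-Z / a-z
+# subsequent-Latin-identifier-character = first-Latin-identifier-character / DIGIT / %x5F ; underscore
+latin_identifier = Word(initChars=alphas, bodyChars=alphanums + '_')
+
+# --- HEX FUNCTION -----------------------------------------------------------
+
+# match any custom function name with a hex string as argument:
+
+# quoted string of at least two hexadecimal numbers of two digits:
+quoted_hex_string = Suppress('"') + Combine(Word(hexnums, exact=2) * (2, None)) + Suppress('"')
+quoted_hex_string.setParseAction(lambda t: str(t[0]))
+
+hex_function_call = Suppress(latin_identifier) + Suppress('(') + \
+ quoted_hex_string('hex_string') + Suppress(')')
+hex_function_call.setParseAction(lambda t: binascii.a2b_hex(t.hex_string))
+
+
 # ---STRING EXPRESSION -------------------------------------------------------
 
 def concat_strings_list(tokens):
@@ -556,7 +579,7 @@ def concat_strings_list(tokens):
 return VbaExpressionString(''.join(strings))
 
 
-vba_expr_str_item = (vba_chr | strReverse | environ | quoted_string)
+vba_expr_str_item = (vba_chr | strReverse | environ | quoted_string | hex_function_call)
 
 vba_expr_str <<= infixNotation(vba_expr_str_item,
 [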
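Review bot: The parse action on `hex_function_call` returns the bare result of `binascii.a2b_hex`, while the neighbouring `environ` action and `concat_strings_list` both return a `VbaExpressionString`, so a hex-decoded item is the only string-expression alternative that is not wrapped. If later code recognises decoded expressions by that type (not visible in this hunk), these results would be handled differently; assuming `VbaExpressionString` wraps a plain string as its other uses here suggest, `hex_function_call.setParseAction(lambda t: VbaExpressionString(binascii.a2b_hex(t.hex_string)))` keeps it consistent. Separately, `latin_identifier` accepts any name and is suppressed, so a built-in call such as `Len("1234")` is decoded as well and the function name is lost from the result. The comment above the grammar should say that a match is heuristic and can be a false positive, and that the decoded value comes from the analysed document and may contain non-printable bytes.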