Commit ab6a1e759d2d961be8cb126ec46999badc1168a7
1 parent
45078276
olevba: fixed issue #149 for option --reveal (keep parentheses around VBA expressions)
Showing
2 changed files
with
11 additions
and
3 deletions
oletools/olevba.py
| ... | ... | @@ -191,7 +191,7 @@ from __future__ import print_function |
| 191 | 191 | # 2017-02-07 PL: - temporary fix for issue #132 |
| 192 | 192 | # - added keywords for Mac-specific macros (issue #130) |
| 193 | 193 | # 2017-03-08 PL: - fixed absolute imports |
| 194 | -# 2017-03-16 PL: - fixed issue #148 for option --reveal | |
| 194 | +# 2017-03-16 PL: - fixed issues #148 and #149 for option --reveal | |
| 195 | 195 | |
| 196 | 196 | __version__ = '0.51dev3' |
| 197 | 197 | |
| ... | ... | @@ -2841,13 +2841,21 @@ class VBA_Parser(object): |
| 2841 | 2841 | # normally now self.vba_code_all_modules contains source code from all modules |
| 2842 | 2842 | # Need to collapse long lines: |
| 2843 | 2843 | deobf_code = vba_collapse_long_lines(self.vba_code_all_modules) |
| 2844 | + deobf_code = filter_vba(deobf_code) | |
| 2844 | 2845 | for kw_type, decoded, encoded in analysis: |
| 2845 | 2846 | if kw_type == 'VBA string': |
| 2846 | 2847 | #print '%3d occurences: %r => %r' % (deobf_code.count(encoded), encoded, decoded) |
| 2847 | 2848 | # need to add double quotes around the decoded strings |
| 2848 | 2849 | # after escaping double-quotes as double-double-quotes for VBA: |
| 2849 | 2850 | decoded = decoded.replace('"', '""') |
| 2850 | - deobf_code = deobf_code.replace(encoded, '"%s"' % decoded) | |
| 2851 | + decoded = '"%s"' % decoded | |
| 2852 | + # if the encoded string is enclosed in parentheses, | |
| 2853 | + # keep them in the decoded version: | |
| 2854 | + if encoded.startswith('(') and encoded.endswith(')'): | |
| 2855 | + decoded = '(%s)' % decoded | |
| 2856 | + deobf_code = deobf_code.replace(encoded, decoded) | |
| 2857 | + # # TODO: there is a bug somewhere which creates double returns '\r\r' | |
| 2858 | + # deobf_code = deobf_code.replace('\r\r', '\r') | |
| 2851 | 2859 | return deobf_code |
| 2852 | 2860 | #TODO: repasser l'analyse plusieurs fois si des chaines hex ou base64 sont revelees |
| 2853 | 2861 | ... | ... |
setup.py
| ... | ... | @@ -41,7 +41,7 @@ import os, fnmatch |
| 41 | 41 | #--- METADATA ----------------------------------------------------------------- |
| 42 | 42 | |
| 43 | 43 | name = "oletools" |
| 44 | -version = '0.51dev2' | |
| 44 | +version = '0.51dev3' | |
| 45 | 45 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 46 | 46 | long_desc = open('oletools/README.rst').read() |
| 47 | 47 | author = "Philippe Lagadec" | ... | ... |