Commit ab6a1e759d2d961be8cb126ec46999badc1168a7

Authored by decalage2
1 parent 45078276

olevba: fixed issue #149 for option --reveal (keep parentheses around VBA expressions)

Showing 2 changed files with 11 additions and 3 deletions
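--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -191,7 +191,7 @@ from __future__ import print_function
 # 2017-02-07 PL: - temporary fix for issue #132
 # - added keywords for Mac-specific macros (issue #130)
 # 2017-03-08 PL: - fixed absolute imports
-# 2017-03-16 PL: - fixed issue #148 for option --reveal
+# 2017-03-16 PL: - fixed issues #148 and #149 for option --reveal
 
 __version__ = '0.51dev3'
 
@@ -2841,13 +2841,21 @@ class VBA_Parser(object):
 # normally now self.vba_code_all_modules contains source code from all modules
 # Need to collapse long lines:
 deobf_code = vba_collapse_long_lines(self.vba_code_all_modules)
+deobf_code = filter_vba(deobf_code)
 for kw_type, decoded, encoded in analysis:
 if kw_type == 'VBA string':
 #print '%3d occurences: %r => %r' % (deobf_code.count(encoded), encoded, decoded)
 # need to add double quotes around the decoded strings
 # after escaping double-quotes as double-double-quotes for VBA:
 decoded = decoded.replace('"', '""')
-deobf_code = deobf_code.replace(encoded, '"%s"' % decoded)
+decoded = '"%s"' % decoded
+# if the encoded string is enclosed in parentheses,
+# keep them in the decoded version:
+if encoded.startswith('(') and encoded.endswith(')'):
+decoded = '(%s)' % decoded
+deobf_code = deobf_code.replace(encoded, decoded)
+# # TODO: there is a bug somewhere which creates double returns '\r\r'
+# deobf_code = deobf_code.replace('\r\r', '\r')
 return deobf_code
 #TODO: repasser l'analyse plusieurs fois si des chaines hex ou base64 sont revelees
 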
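Review bot: The replacement at new line 2856, `deobf_code = deobf_code.replace(encoded, decoded)`, runs once per analysis entry over text that earlier entries have already rewritten, so the result depends on entry order and on document-controlled content. A decoded string that happens to contain the text of a later `encoded` expression is substituted a second time, and a shorter expression contained in a longer one can be replaced first and prevent the longer match. Because analysts read the --reveal output as the macro's real content, it is safer to collect the `encoded` to `decoded` pairs and apply them in a single pass over the filtered source, longest expression first. The sketch below assumes `re` is already imported in olevba.py, which the hunk does not show, and the enclosing method starts outside the hunk.

```python
        # … unchanged: vba_collapse_long_lines() and filter_vba() calls …
        replacements = {}
        for kw_type, decoded, encoded in analysis:
            if kw_type == 'VBA string':
                # … unchanged: double-quote escaping and parentheses handling …
                replacements[encoded] = decoded
        if replacements:
            # longest first, so an expression is never shadowed by a shorter one it contains
            ordered = sorted(replacements, key=len, reverse=True)
            pattern = re.compile('|'.join(re.escape(e) for e in ordered))
            # single pass: text inserted by one replacement is never matched again
            deobf_code = pattern.sub(lambda m: replacements[m.group(0)], deobf_code)
        return deobf_code
```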
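--- a/setup.py
+++ b/setup.py
@@ -41,7 +41,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.51dev2'
+version = '0.51dev3'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"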