updated doc for v0.55

decalage2
1 parent cd4b73d9
Showing 4 changed files with 69 additions and 39 deletions
oletools/README.html
oletools/README.rst
oletools/doc/Home.html
oletools/doc/Home.md
@@ -23,6 +23,25 @@
 <p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
 <h2 id="news">News</h2>
 <ul>
+<li><strong>2019-12-03 v0.55</strong>:
+<ul>
+<li>olevba:
+<ul>
+<li>added support for SLK files and XLM macro extraction from SLK</li>
+<li>VBA Stomping detection</li>
+<li>integrated pcodedmp to extract and disassemble P-code</li>
+<li>detection of suspicious keywords and IOCs in P-code</li>
+<li>new option --pcode to display P-code disassembly</li>
+<li>improved detection of auto execution triggers</li>
+</ul></li>
+<li>rtfobj: added URL carver for CVE-2017-0199</li>
+<li>better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR #365)</li>
+<li>tests:
+<ul>
+<li>test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)</li>
+<li>tests that trigger antivirus alerts have been temporarily disabled (issue #215)</li>
+</ul></li>
+</ul></li>
 <li><strong>2019-05-22 v0.54.2</strong>:
 <ul>
 <li>bugfix release: fixed several issues related to encrypted documents and XLM/XLF Excel 4 macros</li>
@@ -56,14 +75,6 @@
 <li>oleid now detects encrypted OpenXML files</li>
 <li>fixed bugs in oleobj, rtfobj, oleid, olevba</li>
 </ul></li>
-<li>2018-02-18 v0.52:
-<ul>
-<li>New tool <a href="https://github.com/decalage2/oletools/wiki/msodde">msodde</a> to detect and extract DDE links from MS Office files, RTF and CSV;</li>
-<li>Fixed bugs in olevba, rtfobj and olefile, to better handle malformed/obfuscated files;</li>
-<li>Performance improvements in olevba and rtfobj;</li>
-<li>VBA form parsing in olevba;</li>
-<li>Office 2007+ support in oleobj.</li>
-</ul></li>
 </ul>
 <p>See the <a href="https://github.com/decalage2/oletools/wiki/Changelog">full changelog</a> for more information.</p>
 <h2 id="tools">Tools:</h2>
@@ -86,7 +97,7 @@
 <li><a href="https://github.com/decalage2/oletools/wiki/olemap">olemap</a>: to display a map of all the sectors in an OLE file.</li>
 </ul>
 <h2 id="projects-using-oletools">Projects using oletools:</h2>
-<p>oletools are used by a number of projects and online malware analysis services, including <a href="http://viper.li/">Viper</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
+<p>oletools are used by a number of projects and online malware analysis services, including <a href="https://github.com/IntegralDefense/ACE">ACE</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/sbidy/MacroMilter">MacroMilter</a>, <a href="https://mailcow.email/">mailcow</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/HeinleinSupport/olefy">olefy</a>, <a href="https://github.com/scVENUS/PeekabooAV">PeekabooAV</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://github.com/CIRCL/PyCIRCLean">PyCIRCLean</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://app.sndbox.com">SNDBOX</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://github.com/TheHive-Project/Cortex-Analyzers">TheHive/Cortex</a>, <a href="https://tsurugi-linux.org/">TSUGURI Linux</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="http://viper.li/">Viper</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
 <h2 id="download-and-install">Download and Install:</h2>
 <p>The recommended way to download and install/update the <strong>latest stable release</strong> of oletools is to use <a href="https://pip.pypa.io/en/stable/installing/">pip</a>:</p>
 <ul>
@@ -29,6 +29,27 @@ Software.
 News
 ----
  
+-  **2019-12-03 v0.55**:
+
+   -  olevba:
+
+      -  added support for SLK files and XLM macro extraction from SLK
+      -  VBA Stomping detection
+      -  integrated pcodedmp to extract and disassemble P-code
+      -  detection of suspicious keywords and IOCs in P-code
+      -  new option --pcode to display P-code disassembly
+      -  improved detection of auto execution triggers
+
+   -  rtfobj: added URL carver for CVE-2017-0199
+   -  better handling of unicode for systems with locale that does not
+      support UTF-8, e.g. LANG=C (PR #365)
+   -  tests:
+
+      -  test files can now be encrypted, to avoid antivirus alerts (PR
+         #217, issue #215)
+      -  tests that trigger antivirus alerts have been temporarily
+         disabled (issue #215)
+
 -  **2019-05-22 v0.54.2**:
  
    -  bugfix release: fixed several issues related to encrypted
@@ -79,17 +100,6 @@ News
    -  oleid now detects encrypted OpenXML files
    -  fixed bugs in oleobj, rtfobj, oleid, olevba
  
--  2018-02-18 v0.52:
-
-   -  New tool
-      `msodde <https://github.com/decalage2/oletools/wiki/msodde>`__ to
-      detect and extract DDE links from MS Office files, RTF and CSV;
-   -  Fixed bugs in olevba, rtfobj and olefile, to better handle
-      malformed/obfuscated files;
-   -  Performance improvements in olevba and rtfobj;
-   -  VBA form parsing in olevba;
-   -  Office 2007+ support in oleobj.
-
 See the `full
 changelog <https://github.com/decalage2/oletools/wiki/Changelog>`__ for
 more information.
@@ -141,29 +151,38 @@ Projects using oletools:
 ------------------------
  
 oletools are used by a number of projects and online malware analysis
-services, including `Viper <http://viper.li/>`__,
-`REMnux <https://remnux.org/>`__,
-`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
+services, including `ACE <https://github.com/IntegralDefense/ACE>`__,
+`Anlyz.io <https://sandbox.anlyz.io/>`__,
+`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
+`CAPE <https://github.com/ctxis/CAPE>`__, `Cuckoo
+Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
+`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
+`Deepviz <https://sandbox.deepviz.com/>`__,
+`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
 `FAME <https://certsocietegenerale.github.io/fame/>`__,
+`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
 `Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `Joe
-Sandbox <https://www.document-analyzer.net/>`__,
-`Deepviz <https://sandbox.deepviz.com/>`__, `Laika
-BOSS <https://github.com/lmco/laikaboss>`__, `Cuckoo
-Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
-`Anlyz.io <https://sandbox.anlyz.io/>`__,
-`ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
+Sandbox <https://www.document-analyzer.net/>`__, `Laika
+BOSS <https://github.com/lmco/laikaboss>`__,
+`MacroMilter <https://github.com/sbidy/MacroMilter>`__,
+`mailcow <https://mailcow.email/>`__,
+`malshare.io <https://malshare.io>`__,
+`malware-repo <https://github.com/Tigzy/malware-repo>`__, `Malware
+Repository Framework (MRF) <https://www.adlice.com/download/mrf/>`__,
+`olefy <https://github.com/HeinleinSupport/olefy>`__,
+`PeekabooAV <https://github.com/scVENUS/PeekabooAV>`__,
 `pcodedmp <https://github.com/bontchev/pcodedmp>`__,
-`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
+`PyCIRCLean <https://github.com/CIRCL/PyCIRCLean>`__,
+`REMnux <https://remnux.org/>`__,
 `Snake <https://github.com/countercept/snake>`__,
-`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
-`CAPE <https://github.com/ctxis/CAPE>`__,
-`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
-`malshare.io <https://malshare.io>`__, `Malware Repository Framework
-(MRF) <https://www.adlice.com/download/mrf/>`__,
-`malware-repo <https://github.com/Tigzy/malware-repo>`__,
-`Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
+`SNDBOX <https://app.sndbox.com>`__,
 `Strelka <https://github.com/target/strelka>`__,
 `stoQ <https://stoq.punchcyber.com/>`__,
+`TheHive/Cortex <https://github.com/TheHive-Project/Cortex-Analyzers>`__,
+`TSUGURI Linux <https://tsurugi-linux.org/>`__,
+`Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
+`Viper <http://viper.li/>`__,
+`ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
 `YOMI <https://yomi.yoroi.company>`__, and probably
 `VirusTotal <https://www.virustotal.com>`__. And quite a few `other
 projects on
@@ -16,7 +16,7 @@
   <![endif]-->
 </head>
 <body>
-<h1 id="python-oletools-v0.54-documentation">python-oletools v0.54 documentation</h1>
+<h1 id="python-oletools-v0.55-documentation">python-oletools v0.55 documentation</h1>
 <p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://github.com/decalage2/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
 <p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
 <p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
-python-oletools v0.54 documentation
+python-oletools v0.55 documentation
 ===================================
  
 This is the home page of the documentation for python-oletools. The latest version can be found