Commit afeead80c7efab197c82f40461c4e7c014fd2478
1 parent
4f51278f
olevba: added a workaround in detect_vba_stomping to fix #489
Showing
1 changed file
with
3 additions
and
0 deletions
oletools/olevba.py
| @@ -3557,6 +3557,9 @@ class VBA_Parser(object): | @@ -3557,6 +3557,9 @@ class VBA_Parser(object): | ||
| 3557 | # funcdefn = args.strip('()') | 3557 | # funcdefn = args.strip('()') |
| 3558 | # keywords.add(funcdefn) | 3558 | # keywords.add(funcdefn) |
| 3559 | if mnemonic in ('ArgsCall', 'ArgsLd', 'St', 'Ld', 'MemSt', 'Label'): | 3559 | if mnemonic in ('ArgsCall', 'ArgsLd', 'St', 'Ld', 'MemSt', 'Label'): |
| 3560 | + # sometimes ArgsCall is followed by "(Call)", if so we remove it (issue #489) | ||
| 3561 | + if args.startswith('(Call) '): | ||
| 3562 | + args = args[7:] | ||
| 3560 | # add 1st argument: | 3563 | # add 1st argument: |
| 3561 | name = args.split(None, 1)[0] | 3564 | name = args.split(None, 1)[0] |
| 3562 | # sometimes pcodedmp reports names like "id_FFFF", which are not | 3565 | # sometimes pcodedmp reports names like "id_FFFF", which are not |