Commit b7cb5b22b37d339cf17c969a43f493845a30cd61
1 parent
95cf2434
updated olevba to use olefile
Showing
1 changed file
with
10 additions
and
9 deletions
oletools/olevba.py
| 1 | #!/usr/bin/env python | 1 | #!/usr/bin/env python |
| 2 | """ | 2 | """ |
| 3 | -olevba.py v0.03 2014-08-15 | 3 | +olevba.py |
| 4 | 4 | ||
| 5 | olevba is a script to parse OLE and OpenXML files such as MS Office documents | 5 | olevba is a script to parse OLE and OpenXML files such as MS Office documents |
| 6 | (e.g. Word, Excel), to extract VBA Macro code in clear text. | 6 | (e.g. Word, Excel), to extract VBA Macro code in clear text. |
| @@ -22,8 +22,6 @@ https://github.com/unixfreak0037/officeparser | @@ -22,8 +22,6 @@ https://github.com/unixfreak0037/officeparser | ||
| 22 | Usage: olevba.py <file> | 22 | Usage: olevba.py <file> |
| 23 | """ | 23 | """ |
| 24 | 24 | ||
| 25 | -__version__ = '0.03' | ||
| 26 | - | ||
| 27 | #=== LICENSE ================================================================== | 25 | #=== LICENSE ================================================================== |
| 28 | 26 | ||
| 29 | # olevba is copyright (c) 2014 Philippe Lagadec (http://www.decalage.info) | 27 | # olevba is copyright (c) 2014 Philippe Lagadec (http://www.decalage.info) |
| @@ -80,6 +78,9 @@ __version__ = '0.03' | @@ -80,6 +78,9 @@ __version__ = '0.03' | ||
| 80 | # 2014-08-15 PL: - fixed incorrect value check in PROJECTHELPFILEPATH Record | 78 | # 2014-08-15 PL: - fixed incorrect value check in PROJECTHELPFILEPATH Record |
| 81 | # 2014-08-15 v0.03 PL: - refactored extract_macros to support OpenXML formats | 79 | # 2014-08-15 v0.03 PL: - refactored extract_macros to support OpenXML formats |
| 82 | # and to find the VBA project root anywhere in the file | 80 | # and to find the VBA project root anywhere in the file |
| 81 | +# 2014-11-29 v0.04 PL: - use olefile instead of OleFileIO_PL | ||
| 82 | + | ||
| 83 | +__version__ = '0.04' | ||
| 83 | 84 | ||
| 84 | #------------------------------------------------------------------------------ | 85 | #------------------------------------------------------------------------------ |
| 85 | # TODO: | 86 | # TODO: |
| @@ -116,7 +117,7 @@ import cStringIO | @@ -116,7 +117,7 @@ import cStringIO | ||
| 116 | import math | 117 | import math |
| 117 | import zipfile | 118 | import zipfile |
| 118 | 119 | ||
| 119 | -from thirdparty.OleFileIO_PL import OleFileIO_PL | 120 | +import thirdparty.olefile as olefile |
| 120 | 121 | ||
| 121 | #--- CONSTANTS ---------------------------------------------------------------- | 122 | #--- CONSTANTS ---------------------------------------------------------------- |
| 122 | 123 | ||
| @@ -296,7 +297,7 @@ def extract_macros_ole(ole): | @@ -296,7 +297,7 @@ def extract_macros_ole(ole): | ||
| 296 | 297 | ||
| 297 | def check_vba_stream(ole, vba_root, stream_path): | 298 | def check_vba_stream(ole, vba_root, stream_path): |
| 298 | full_path = vba_root + stream_path | 299 | full_path = vba_root + stream_path |
| 299 | - if ole.exists(full_path) and ole.get_type(full_path) == OleFileIO_PL.STGTY_STREAM: | 300 | + if ole.exists(full_path) and ole.get_type(full_path) == olefile.STGTY_STREAM: |
| 300 | logging.debug('Found %s stream: %s' % (stream_path, full_path)) | 301 | logging.debug('Found %s stream: %s' % (stream_path, full_path)) |
| 301 | return full_path | 302 | return full_path |
| 302 | else: | 303 | else: |
| @@ -697,15 +698,15 @@ def _extract_vba (ole, vba_root, project_path, dir_path): | @@ -697,15 +698,15 @@ def _extract_vba (ole, vba_root, project_path, dir_path): | ||
| 697 | 698 | ||
| 698 | 699 | ||
| 699 | def extract_macros (filename): | 700 | def extract_macros (filename): |
| 700 | - if OleFileIO_PL.isOleFile(filename): | 701 | + if olefile.isOleFile(filename): |
| 701 | # This looks like an OLE file | 702 | # This looks like an OLE file |
| 702 | logging.info('Extracting VBA Macros from OLE file %s' % filename) | 703 | logging.info('Extracting VBA Macros from OLE file %s' % filename) |
| 703 | - ole = OleFileIO_PL.OleFileIO(filename) | 704 | + ole = olefile.OleFileIO(filename) |
| 704 | extract_macros_ole(ole) | 705 | extract_macros_ole(ole) |
| 705 | ole.close() | 706 | ole.close() |
| 706 | elif zipfile.is_zipfile(filename): | 707 | elif zipfile.is_zipfile(filename): |
| 707 | # This looks like a zip file, need to look for vbaProject.bin inside | 708 | # This looks like a zip file, need to look for vbaProject.bin inside |
| 708 | - #TODO: here we could even look for any OLE file inside the archive | 709 | + #TODO: here we should look for any OLE file inside the archive |
| 709 | #...because vbaProject.bin can be renamed: | 710 | #...because vbaProject.bin can be renamed: |
| 710 | # see http://www.decalage.info/files/JCV07_Lagadec_OpenDocument_OpenXML_v4_decalage.pdf#page=18 | 711 | # see http://www.decalage.info/files/JCV07_Lagadec_OpenDocument_OpenXML_v4_decalage.pdf#page=18 |
| 711 | logging.info('Opening ZIP/OpenXML file %s' % filename) | 712 | logging.info('Opening ZIP/OpenXML file %s' % filename) |
| @@ -716,7 +717,7 @@ def extract_macros (filename): | @@ -716,7 +717,7 @@ def extract_macros (filename): | ||
| 716 | vbadata = z.open(f).read() | 717 | vbadata = z.open(f).read() |
| 717 | vbafile = cStringIO.StringIO(vbadata) | 718 | vbafile = cStringIO.StringIO(vbadata) |
| 718 | try: | 719 | try: |
| 719 | - ole = OleFileIO_PL.OleFileIO(vbafile) | 720 | + ole = olefile.OleFileIO(vbafile) |
| 720 | except: | 721 | except: |
| 721 | logging.debug('%s is not a valid OLE file' % f) | 722 | logging.debug('%s is not a valid OLE file' % f) |
| 722 | continue | 723 | continue |