Commit b933bc98eea3aedced9baeaa17e616178c301a75
1 parent
a136731b
olevba: improved auto-executable macros detection with regex
Showing
1 changed file
with
7 additions
and
4 deletions
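--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -746,13 +746,16 @@ def detect_autoexec(vba_code):
     :param vba_code: str, VBA source code
     :return: list of str tuples (keyword, description)
     """
-    #TODO: use regex to find keywords with word boundaries
+    #TODO: merge code with detect_suspicious
     # case-insensitive search
-    vba_code = vba_code.lower()
+    #vba_code = vba_code.lower()
     results = []
     for description, keywords in AUTOEXEC_KEYWORDS.items():
         for keyword in keywords:
-            if keyword.lower() in vba_code:
+            #TODO: if keyword is already a compiled regex, use it as-is
+            # search using regex to detect word boundaries:
+            if re.search(r'(?i)\b'+keyword+r'\b', vba_code):
+            #if keyword.lower() in vba_code:
                 results.append((keyword, description))
     return results
 
@@ -765,12 +768,12 @@ def detect_suspicious(vba_code):
     :param vba_code: str, VBA source code
     :return: list of str tuples (keyword, description)
     """
-    #TODO: use regex to find keywords with word boundaries
     # case-insensitive search
     #vba_code = vba_code.lower()
     results = []
     for description, keywords in SUSPICIOUS_KEYWORDS.items():
         for keyword in keywords:
+            # search using regex to detect word boundaries:
             if re.search(r'(?i)\b'+keyword+r'\b', vba_code):
             #if keyword.lower() in vba_code:
                 results.append((keyword, description))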
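Review bot: In `detect_autoexec` the keyword is concatenated into the pattern unescaped (`re.search(r'(?i)\b'+keyword+r'\b', vba_code)`), so any entry of `AUTOEXEC_KEYWORDS` containing a regex metacharacter such as `.`, `(` or `*` is parsed as regex syntax rather than matched literally, which can raise `re.error` or match unintended text; the same construction appears in `detect_suspicious` in the second hunk. Since the TODO says these keywords are plain strings for now, escape them: `if re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code):`, and resolve the compiled-regex case with an `isinstance` check when that TODO is done. The switch from substring containment to `\b` anchors is also a behaviour change worth a comment: a keyword that is only a prefix or suffix of a longer identifier, or one that begins or ends with a non-word character, would presumably no longer be reported, so the keyword tables should be checked against that. Both enclosing functions start outside the hunks.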