updated readme

Philippe Lagadec
1 parent 68fb153d
Showing 3 changed files with 196 additions and 218 deletions
README.md
oletools/README.html
oletools/README.rst
@@ -3,16 +3,28 @@ python-oletools
 [python-oletools](http://www.decalage.info/python/oletools) is a package of python tools to analyze [Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format)](http://en.wikipedia.org/wiki/Compound_File_Binary_Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis and debugging. It is based on the [OleFileIO_PL](http://www.decalage.info/python/olefileio) parser. See [http://www.decalage.info/python/oletools](http://www.decalage.info/python/oletools) for more info.  
-**Quick links:** [Home page](http://www.decalage.info/python/oletools) - [Download](https://bitbucket.org/decalage/oletools/downloads) - [Documentation](https://bitbucket.org/decalage/oletools/wiki) - [Report issues](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - [Contact the author](http://decalage.info/contact) - [Repository](https://bitbucket.org/decalage/oletools) - [Updates on Twitter](https://twitter.com/decalage2)
+**Quick links:** [Home page](http://www.decalage.info/python/oletools) - [Download](https://bitbucket.org/decalage/oletools/downloads) - [Documentation](https://bitbucket.org/decalage/oletools/wiki) - [Report Issues/Suggestions/Questions](https://bitbucket.org/decalage/oletools/issues?status=new&status=open) - [Contact the Author](http://decalage.info/contact) - [Repository](https://bitbucket.org/decalage/oletools) - [Updates on Twitter](https://twitter.com/decalage2)
 Note: python-oletools is not related to OLETools published by BeCubed Software.
+News
+----
+
+- **2014-08-27 v0.06**: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki)
+- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)
+- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)
+- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF
+- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)
+- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf
+- see changelog in source code for more info.
+
+
 Tools in python-oletools:
 -------------------------
 - **[olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse)**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
   view and extract individual data streams.
-- **[oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)**: a tool to analyze OLE files to detect specific characteristics that could potentially indicate that the file is suspicious or malicious.
+- **[oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)**: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.
 - **[olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta)**: a tool to extract all standard properties (metadata) from OLE files.
 - **[oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)**: a tool to extract creation and modification timestamps of all streams and storages.
 - **[olevba](https://bitbucket.org/decalage/oletools/wiki/olevba) (new)**: a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML).
@@ -22,17 +34,6 @@ Tools in python-oletools:
 - **[rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)**: a tool and python module to extract embedded objects from RTF files.
 - and a few others (coming soon)
-News
-----
-
-- **2014-08-16 v0.06**: added [olevba](https://bitbucket.org/decalage/oletools/wiki/olevba), a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved [documentation](https://bitbucket.org/decalage/oletools/wiki)
-- 2013-07-24 v0.05: added new tools [olemeta](https://bitbucket.org/decalage/oletools/wiki/olemeta) and [oletimes](https://bitbucket.org/decalage/oletools/wiki/oletimes)
-- 2013-04-18 v0.04: fixed bug in rtfobj, added documentation for [rtfobj](https://bitbucket.org/decalage/oletools/wiki/rtfobj)
-- 2012-11-09 v0.03: Improved [pyxswf](https://bitbucket.org/decalage/oletools/wiki/pyxswf) to extract Flash objects from RTF
-- 2012-10-29 v0.02: Added [oleid](https://bitbucket.org/decalage/oletools/wiki/oleid)
-- 2012-10-09 v0.01: Initial version of [olebrowse](https://bitbucket.org/decalage/oletools/wiki/olebrowse) and pyxswf
-- see changelog in source code for more info.
-
 Download and Install:
 ---------------------
@@ -40,17 +41,22 @@ To use python-oletools from the command line as analysis tools, you may simply [
 If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use "**pip install oletools**" or "**easy_install oletools**" to download and install in one go. Otherwise you may download/extract the zip archive and run "**setup.py install**". 
-How to contribute:
-------------------
+Documentation:
+--------------
+
+The latest version of the documentation can be found [online](https://bitbucket.org/decalage/oletools/wiki), otherwise a copy is provided in the doc subfolder of the package.
+
+
+How to Suggest Improvements, Report Issues or Contribute:
+---------------------------------------------------------
-The code is available in [a Mercurial repository on bitbucket](https://bitbucket.org/decalage/oletools). You may use it to submit enhancements (using fork and pull requests) or to report any issue.
+This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.
-If you would like to help us improve this module, or simply provide feedback, you may also [contact the author](http://decalage.info/contact). 
+To suggest improvements, report a bug or any issue, please use the [issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the information and files to reproduce the problem. 
-How to suggest improvements or report bugs:
--------------------------------------------
+You may also [contact the author](http://decalage.info/contact) directly to provide feedback.
-To suggest improvements, report a bug or any issue, please use the [issue reporting page](https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open), providing all the information and files to reproduce the problem. You may also [contact the author](http://decalage.info/contact).
+The code is available in [a Mercurial repository on Bitbucket](https://bitbucket.org/decalage/oletools). You may use it to submit enhancements using forks and pull requests.
 License
 -------
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+  <meta http-equiv="Content-Style-Type" content="text/css" />
+  <meta name="generator" content="pandoc" />
+  <title></title>
+</head>
+<body>
+<h1 id="python-oletools">python-oletools</h1>
+<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format)</a>, such as Microsoft Office documents or Outlook messages, mainly for malware analysis and debugging. It is based on the <a href="http://www.decalage.info/python/olefileio">OleFileIO_PL</a> parser. See <a href="http://www.decalage.info/python/oletools">http://www.decalage.info/python/oletools</a> for more info.</p>
+<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://bitbucket.org/decalage/oletools/downloads">Download</a> - <a href="https://bitbucket.org/decalage/oletools/wiki">Documentation</a> - <a href="https://bitbucket.org/decalage/oletools/issues?status=new&amp;status=open">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://bitbucket.org/decalage/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
+<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
+<h2 id="news">News</h2>
+<ul>
+<li><strong>2014-08-27 v0.06</strong>: added <a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a>, a new tool to extract VBA Macro source code from MS Office documents (97-2003 and 2007+). Improved <a href="https://bitbucket.org/decalage/oletools/wiki">documentation</a></li>
+<li>2013-07-24 v0.05: added new tools <a href="https://bitbucket.org/decalage/oletools/wiki/olemeta">olemeta</a> and <a href="https://bitbucket.org/decalage/oletools/wiki/oletimes">oletimes</a></li>
+<li>2013-04-18 v0.04: fixed bug in rtfobj, added documentation for <a href="https://bitbucket.org/decalage/oletools/wiki/rtfobj">rtfobj</a></li>
+<li>2012-11-09 v0.03: Improved <a href="https://bitbucket.org/decalage/oletools/wiki/pyxswf">pyxswf</a> to extract Flash objects from RTF</li>
+<li>2012-10-29 v0.02: Added <a href="https://bitbucket.org/decalage/oletools/wiki/oleid">oleid</a></li>
+<li>2012-10-09 v0.01: Initial version of <a href="https://bitbucket.org/decalage/oletools/wiki/olebrowse">olebrowse</a> and pyxswf</li>
+<li>see changelog in source code for more info.</li>
+</ul>
+<h2 id="tools-in-python-oletools">Tools in python-oletools:</h2>
+<ul>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/olebrowse">olebrowse</a></strong>: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams.</li>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/oleid">oleid</a></strong>: a tool to analyze OLE files to detect specific characteristics usually found in malicious files.</li>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/olemeta">olemeta</a></strong>: a tool to extract all standard properties (metadata) from OLE files.</li>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/oletimes">oletimes</a></strong>: a tool to extract creation and modification timestamps of all streams and storages.</li>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/olevba">olevba</a> (new)</strong>: a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML).</li>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/pyxswf">pyxswf</a></strong>: a tool to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel) and RTF, which is especially useful for malware analysis.</li>
+<li><strong><a href="https://bitbucket.org/decalage/oletools/wiki/rtfobj">rtfobj</a></strong>: a tool and python module to extract embedded objects from RTF files.</li>
+<li>and a few others (coming soon)</li>
+</ul>
+<h2 id="download-and-install">Download and Install:</h2>
+<p>To use python-oletools from the command line as analysis tools, you may simply <a href="https://bitbucket.org/decalage/oletools/downloads">download the zip archive</a> and extract the files in the directory of your choice.</p>
+<p>If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use &quot;<strong>pip install oletools</strong>&quot; or &quot;<strong>easy_install oletools</strong>&quot; to download and install in one go. Otherwise you may download/extract the zip archive and run &quot;<strong>setup.py install</strong>&quot;.</p>
+<h2 id="documentation">Documentation:</h2>
+<p>The latest version of the documentation can be found <a href="https://bitbucket.org/decalage/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
+<h2 id="how-to-suggest-improvements-report-issues-or-contribute">How to Suggest Improvements, Report Issues or Contribute:</h2>
+<p>This is a personal open-source project, developed on my spare time. Any contribution, suggestion, feedback or bug report is welcome.</p>
+<p>To suggest improvements, report a bug or any issue, please use the <a href="https://bitbucket.org/decalage/olefileio_pl/issues?status=new&amp;status=open">issue reporting page</a>, providing all the information and files to reproduce the problem.</p>
+<p>You may also <a href="http://decalage.info/contact">contact the author</a> directly to provide feedback.</p>
+<p>The code is available in <a href="https://bitbucket.org/decalage/oletools">a Mercurial repository on Bitbucket</a>. You may use it to submit enhancements using forks and pull requests.</p>
+<h2 id="license">License</h2>
+<p>This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.</p>
+<p>The python-oletools package is copyright (c) 2012-2014 Philippe Lagadec (http://www.decalage.info)</p>
+<p>All rights reserved.</p>
+<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
+<ul>
+<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
+<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
+</ul>
+<p>THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS &quot;AS IS&quot; AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</p>
+<hr />
+<p>olevba contains modified source code from the officeparser project, published under the following MIT License (MIT):</p>
+<p>officeparser is copyright (c) 2014 John William Davison</p>
+<p>Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the &quot;Software&quot;), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:</p>
+<p>The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.</p>
+<p>THE SOFTWARE IS PROVIDED &quot;AS IS&quot;, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.</p>
+</body>
+</html>
@@ -12,222 +12,104 @@ malware analysis and debugging. It is based on the
 `http://www.decalage.info/python/oletools <http://www.decalage.info/python/oletools>`_
 for more info.
+**Quick links:** `Home page <http://www.decalage.info/python/oletools>`_
+- `Download <https://bitbucket.org/decalage/oletools/downloads>`_ -
+`Documentation <https://bitbucket.org/decalage/oletools/wiki>`_ -
+`Report
+Issues/Suggestions/Questions <https://bitbucket.org/decalage/oletools/issues?status=new&status=open>`_
+- `Contact the Author <http://decalage.info/contact>`_ -
+`Repository <https://bitbucket.org/decalage/oletools>`_ - `Updates on
+Twitter <https://twitter.com/decalage2>`_
+
 Note: python-oletools is not related to OLETools published by BeCubed
 Software.
-Tools in python-oletools:
--------------------------
-
--  **olebrowse**: A simple GUI to browse OLE files (e.g. MS Word, Excel,
-   Powerpoint documents), to view and extract individual data streams.
--  **oleid**: a tool to analyze OLE files to detect specific
-   characteristics that could potentially indicate that the file is
-   suspicious or malicious.
--  **olemeta**: a tool to extract all standard properties (metadata)
-   from OLE files.
--  **oletimes**: a tool to extract creation and modification timestamps
-   of all streams and storages.
--  **pyxswf**: a tool to detect, extract and analyze Flash objects (SWF)
-   that may be embedded in files such as MS Office documents (e.g. Word,
-   Excel) and RTF, which is especially useful for malware analysis.
--  **rtfobj**: a tool and python module to extract embedded objects from
-   RTF files.
--  and a few others (coming soon)
-
 News
 ----
--  2013-07-24 v0.05: added new tools olemeta and oletimes
--  2013-04-18 v0.04: fixed bug in rtfobj, added documentation for rtfobj
--  2012-11-09 v0.03: Improved pyxswf to extract Flash objects from RTF
--  2012-10-29 v0.02: Added oleid
--  2012-10-09 v0.01: Initial version of olebrowse and pyxswf
+-  **2014-08-27 v0.06**: added
+   `olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`_, a
+   new tool to extract VBA Macro source code from MS Office documents
+   (97-2003 and 2007+). Improved
+   `documentation <https://bitbucket.org/decalage/oletools/wiki>`_
+-  2013-07-24 v0.05: added new tools
+   `olemeta <https://bitbucket.org/decalage/oletools/wiki/olemeta>`_ and
+   `oletimes <https://bitbucket.org/decalage/oletools/wiki/oletimes>`_
+-  2013-04-18 v0.04: fixed bug in rtfobj, added documentation for
+   `rtfobj <https://bitbucket.org/decalage/oletools/wiki/rtfobj>`_
+-  2012-11-09 v0.03: Improved
+   `pyxswf <https://bitbucket.org/decalage/oletools/wiki/pyxswf>`_ to
+   extract Flash objects from RTF
+-  2012-10-29 v0.02: Added
+   `oleid <https://bitbucket.org/decalage/oletools/wiki/oleid>`_
+-  2012-10-09 v0.01: Initial version of
+   `olebrowse <https://bitbucket.org/decalage/oletools/wiki/olebrowse>`_
+   and pyxswf
 -  see changelog in source code for more info.
-Download:
----------
-
-The archive is available on `the project
-page <https://bitbucket.org/decalage/oletools/downloads>`_.
-
-olebrowse:
-----------
-
-A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
-documents), to view and extract individual data streams.
-
-::
-
-    Usage: olebrowse.py [file]
-
-If you provide a file it will be opened, else a dialog will allow you to
-browse folders to open a file. Then if it is a valid OLE file, the list
-of data streams will be displayed. You can select a stream, and then
-either view its content in a builtin hexadecimal viewer, or save it to a
-file for further analysis.
-
-For screenshots and other info, see
-`http://www.decalage.info/python/olebrowse <http://www.decalage.info/python/olebrowse>`_
-
-oleid:
-------
-
-oleid is a script to analyze OLE files such as MS Office documents (e.g.
-Word, Excel), to detect specific characteristics that could potentially
-indicate that the file is suspicious or malicious, in terms of security
-(e.g. malware). For example it can detect VBA macros, embedded Flash
-objects, fragmentation.
-
-::
-
-    Usage: oleid.py <file>
-
-Example - analyzing a Word document containing a Flash object and VBA
-macros:
-
-::
-
-    C:\oletools>oleid.py word_flash_vba.doc
-    Filename: word_flash_vba.doc
-    OLE format: True
-    Has SummaryInformation stream: True
-    Application name: Microsoft Office Word
-    Encrypted: False
-    Word Document: True
-    VBA Macros: True
-    Excel Workbook: False
-    PowerPoint Presentation: False
-    Visio Drawing: False
-    ObjectPool: True
-    Flash objects: 1
-
-oleid project website:
-`http://www.decalage.info/python/oleid <http://www.decalage.info/python/oleid>`_
-
-pyxswf:
--------
-
-pyxswf is a script to detect, extract and analyze Flash objects (SWF
-files) that may be embedded in files such as MS Office documents (e.g.
-Word, Excel), which is especially useful for malware analysis.
-
-pyxswf is an extension to
-`xxxswf.py <http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html>`_
-published by Alexander Hanel.
-
-Compared to xxxswf, it can extract streams from MS Office documents by
-parsing their OLE structure properly, which is necessary when streams
-are fragmented. Stream fragmentation is a known obfuscation technique,
-as explained on
-`http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/ <http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/>`_
-
-It can also extract Flash objects from RTF documents, by parsing
-embedded objects encoded in hexadecimal format (-f option).
-
-For this, simply add the -o option to work on OLE streams rather than
-raw files, or the -f option to work on RTF files.
-
-::
-
-    Usage: pyxswf.py [options] <file.bad>
-
-    Options:
-      -o, --ole             Parse an OLE file (e.g. Word, Excel) to look for SWF
-                            in each stream
-      -f, --rtf             Parse an RTF file to look for SWF in each embedded
-                            object
-      -x, --extract         Extracts the embedded SWF(s), names it MD5HASH.swf &
-                            saves it in the working dir. No addition args needed
-      -h, --help            show this help message and exit
-      -y, --yara            Scans the SWF(s) with yara. If the SWF(s) is
-                            compressed it will be deflated. No addition args
-                            needed
-      -s, --md5scan         Scans the SWF(s) for MD5 signatures. Please see func
-                            checkMD5 to define hashes. No addition args needed
-      -H, --header          Displays the SWFs file header. No addition args needed
-      -d, --decompress      Deflates compressed SWFS(s)
-      -r PATH, --recdir=PATH
-                            Will recursively scan a directory for files that
-                            contain SWFs. Must provide path in quotes
-      -c, --compress        Compresses the SWF using Zlib
-
-Example 1 - detecting and extracting a SWF file from a Word document on
-Windows:
-
-::
-
-    C:\oletools>pyxswf.py -o word_flash.doc
-    OLE stream: 'Contents'
-    [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-            [ADDR] SWF 1 at 0x8  - FWS Header
-
-    C:\oletools>pyxswf.py -xo word_flash.doc
-    OLE stream: 'Contents'
-    [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents
-            [ADDR] SWF 1 at 0x8  - FWS Header
-                    [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
-
-Example 2 - detecting and extracting a SWF file from a RTF document on
-Windows:
-
-::
-
-    C:\oletools>pyxswf.py -xf "rtf_flash.rtf"
-    RTF embedded object size 1498557 at index 000036DD
-    [SUMMARY] 1 SWF(s) in MD5:46a110548007e04f4043785ac4184558:RTF_embedded_object_0
-    00036DD
-            [ADDR] SWF 1 at 0xc40  - FWS Header
-                    [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf
-
-For more info, see
-`http://www.decalage.info/python/pyxswf <http://www.decalage.info/python/pyxswf>`_
+Tools in python-oletools:
+-------------------------
-rtfobj
-------
+-  **`olebrowse <https://bitbucket.org/decalage/oletools/wiki/olebrowse>`_**:
+   A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint
+   documents), to view and extract individual data streams.
+-  **`oleid <https://bitbucket.org/decalage/oletools/wiki/oleid>`_**: a
+   tool to analyze OLE files to detect specific characteristics usually
+   found in malicious files.
+-  **`olemeta <https://bitbucket.org/decalage/oletools/wiki/olemeta>`_**:
+   a tool to extract all standard properties (metadata) from OLE files.
+-  **`oletimes <https://bitbucket.org/decalage/oletools/wiki/oletimes>`_**:
+   a tool to extract creation and modification timestamps of all streams
+   and storages.
+-  **`olevba <https://bitbucket.org/decalage/oletools/wiki/olevba>`_
+   (new)**: a tool to extract VBA Macro source code from MS Office
+   documents (OLE and OpenXML).
+-  **`pyxswf <https://bitbucket.org/decalage/oletools/wiki/pyxswf>`_**:
+   a tool to detect, extract and analyze Flash objects (SWF) that may be
+   embedded in files such as MS Office documents (e.g. Word, Excel) and
+   RTF, which is especially useful for malware analysis.
+-  **`rtfobj <https://bitbucket.org/decalage/oletools/wiki/rtfobj>`_**:
+   a tool and python module to extract embedded objects from RTF files.
+-  and a few others (coming soon)
-rtfobj is a Python module to extract embedded objects from RTF files,
-such as OLE ojects. It can be used as a Python library or a command-line
-tool.
+Download and Install:
+---------------------
-::
+To use python-oletools from the command line as analysis tools, you may
+simply `download the zip
+archive <https://bitbucket.org/decalage/oletools/downloads>`_ and
+extract the files in the directory of your choice.
-    Usage: rtfobj.py <file.rtf>
+If you plan to use python-oletools with other Python applications or
+your own scripts, then the simplest solution is to use "**pip install
+oletools**\ " or "**easy\_install oletools**\ " to download and install
+in one go. Otherwise you may download/extract the zip archive and run
+"**setup.py install**\ ".
-It extracts and decodes all the data blocks encoded as hexadecimal in
-the RTF document, and saves them as files named "object\_xxxx.bin", xxxx
-being the location of the object in the RTF file.
+Documentation:
+--------------
-Usage as python module: rtf\_iter\_objects(filename) is an iterator
-which yields a tuple (index, object) providing the index of each
-hexadecimal stream in the RTF file, and the corresponding decoded
-object. Example:
+The latest version of the documentation can be found
+`online <https://bitbucket.org/decalage/oletools/wiki>`_, otherwise a
+copy is provided in the doc subfolder of the package.
-::
+How to Suggest Improvements, Report Issues or Contribute:
+---------------------------------------------------------
-    import rtfobj    
-    for index, data in rtfobj.rtf_iter_objects("myfile.rtf"):
-        print 'found object size %d at index %08X' % (len(data), index)
+This is a personal open-source project, developed on my spare time. Any
+contribution, suggestion, feedback or bug report is welcome.
-For more info, see
-`http://www.decalage.info/python/rtfobj <http://www.decalage.info/python/rtfobj>`_
+To suggest improvements, report a bug or any issue, please use the
+`issue reporting
+page <https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open>`_,
+providing all the information and files to reproduce the problem.
-How to contribute:
-------------------
+You may also `contact the author <http://decalage.info/contact>`_
+directly to provide feedback.
 The code is available in `a Mercurial repository on
-bitbucket <https://bitbucket.org/decalage/oletools>`_. You may use it to
-submit enhancements or to report any issue.
-
-If you would like to help us improve this module, or simply provide
-feedback, you may also send an e-mail to decalage(at)laposte.net.
-
-How to report bugs:
--------------------
-
-To report a bug or any issue, please use the `issue reporting
-page <https://bitbucket.org/decalage/olefileio_pl/issues?status=new&status=open>`_,
-or send an e-mail with all the information and files to reproduce the
-problem.
+Bitbucket <https://bitbucket.org/decalage/oletools>`_. You may use it to
+submit enhancements using forks and pull requests.
 License
 -------
@@ -236,8 +118,10 @@ This license applies to the python-oletools package, apart from the
 thirdparty folder which contains third-party files published with their
 own license.
-The python-oletools package is copyright (c) 2012-2013, Philippe Lagadec
-(http://www.decalage.info) All rights reserved.
+The python-oletools package is copyright (c) 2012-2014 Philippe Lagadec
+(http://www.decalage.info)
+
+All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
@@ -260,3 +144,29 @@ PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+--------------
+
+olevba contains modified source code from the officeparser project,
+published under the following MIT License (MIT):
+
+officeparser is copyright (c) 2014 John William Davison
+
+Permission is hereby granted, free of charge, to any person obtaining a
+copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
+OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.