Commit ca75f0085104d01bddb283a53bd9c6af6affbf92
1 parent
f56062de
mraptor: added WriteProcessMemory, XLM keywords
Showing
1 changed file
with
5 additions
and
4 deletions
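--- a/oletools/mraptor.py
+++ b/oletools/mraptor.py
@@ -58,7 +58,7 @@ http://www.decalage.info/python/oletools
 # 2016-12-21 v0.51 PL: - added more ActiveX macro triggers
 # 2017-03-08 PL: - fixed absolute imports
 # 2018-05-25 v0.53 PL: - added Word/PowerPoint 2007+ XML (aka Flat OPC) issue #283
-# 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro and ShellExecuteA
+# 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro, ShellExecuteA, XLM keywords
 
 __version__ = '0.54dev14'
 
@@ -120,20 +120,21 @@ re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' +
 r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' +
 r'|NavigateComplete2|NavigateError|ProgressChange|PropertyChange' +
 r'|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove' +
-r'|MouseEnter|MouseLeave|))\b')
+r'|MouseEnter|MouseLeave))|Auto_Ope\b')
+# TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 
 # MS-VBAL 5.4.5.1 Open Statement:
 RE_OPEN_WRITE = r'(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)'
 
 re_write = re.compile(r'(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|'
-+ r'VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|'
++ r'VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|'
 + r'ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|' + RE_OPEN_WRITE)
 
 # MS-VBAL 5.2.3.5 External Procedure Declaration
 RE_DECLARE_LIB = r'(?:\bDeclare\b[^\n]+\bLib\b)'
 
 re_execute = re.compile(r'(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|'
-+ r'MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro)\b|' + RE_DECLARE_LIB)
++ r'MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER)\b|' + RE_DECLARE_LIB)
 
 
 # === CLASSES =================================================================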
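Review bot: The rewritten line 123 of re_autoexec, `r'|MouseEnter|MouseLeave))|Auto_Ope\b')`, attaches the closing `\b` only to the new `Auto_Ope` alternative, so every pre-existing trigger in the group can now match as a prefix of a longer identifier (e.g. `AutoExec` inside `AutoExecution`, `MouseMove` inside `MouseMoved`) and `Auto_Ope` itself has no leading boundary, which widens what the AutoExec rule flags and lowers its precision. Keeping a boundary on both branches, `r'|MouseEnter|MouseLeave))\b|\bAuto_Ope\b')`, restores the previous matching for the existing keywords while still catching the truncated token the TODO describes. On line 137, `EXEC|REGISTER` fall under the pattern's global `(?i)` flag, so any VBA identifier or comment word `exec`/`register` (not only the upper-case XLM functions) will now trip re_execute; if XLM-only matching is intended, a case-sensitive branch or a comment recording the accepted false-positive trade-off would help reviewers of future hits. The re_autoexec statement begins above the hunk, so whether the `))` on line 123 balances depends on a group opened on lines not shown here.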