diff --git a/oletools/mraptor.py b/oletools/mraptor.py
index e0612f0..33ce374 100644
--- a/oletools/mraptor.py
+++ b/oletools/mraptor.py
@@ -58,7 +58,7 @@ http://www.decalage.info/python/oletools
 # 2016-12-21 v0.51 PL: - added more ActiveX macro triggers
 # 2017-03-08 PL: - fixed absolute imports
 # 2018-05-25 v0.53 PL: - added Word/PowerPoint 2007+ XML (aka Flat OPC) issue #283
-# 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro and ShellExecuteA
+# 2019-04-04 v0.54 PL: - added ExecuteExcel4Macro, ShellExecuteA, XLM keywords
 __version__ = '0.54dev14'
@@ -120,20 +120,21 @@ re_autoexec = re.compile(r'(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)' +
 r'|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload' +
 r'|NavigateComplete2|NavigateError|ProgressChange|PropertyChange' +
 r'|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove' +
- r'|MouseEnter|MouseLeave|))\b')
+ r'|MouseEnter|MouseLeave))|Auto_Ope\b')
+# TODO: "Auto_Ope" is temporarily here because of a bug in plugin_biff, which misses the last byte in "Auto_Open"...
 # MS-VBAL 5.4.5.1 Open Statement:
 RE_OPEN_WRITE = r'(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)'
 re_write = re.compile(r'(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|'
- + r'VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|'
+ + r'VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|'
 + r'ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|'
 + RE_OPEN_WRITE)
 # MS-VBAL 5.2.3.5 External Procedure Declaration
 RE_DECLARE_LIB = r'(?:\bDeclare\b[^\n]+\bLib\b)'
 re_execute = re.compile(r'(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|'
- + r'MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro)\b|' + RE_DECLARE_LIB)
+ + r'MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER)\b|' + RE_DECLARE_LIB)
 # === CLASSES =================================================================
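Review bot: On the new closing line of `re_autoexec`, `|Auto_Ope\b` sits after the `))` that ended the whole group in the old line, so the trailing `\b` now binds only to `Auto_Ope` and every other trigger name loses its end-of-word anchor, while `Auto_Ope` itself gets no leading `\b`. An identifier that merely starts with a trigger name (for example `AutoNewsletter`) would then set the auto-exec flag, which raises false positives in triage. Keeping the workaround inside the outer group preserves both anchors: `r'|MouseEnter|MouseLeave)|Auto_Ope)\b')`. The middle of the pattern lies outside this hunk, so the group nesting is inferred from the old closing line and should be confirmed against the full expression. Separately, `EXEC|REGISTER` in `re_execute` are matched under `(?i)`, so if this pattern is also run over VBA source, an ordinary identifier or comment containing `register` or `exec` sets the execute flag; a separate pattern applied only to XLM macro text would keep the two keyword sets apart.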