Peter M. Groen / oletools

Browse Code »

Commit cda797574d2076115cc8547c9ccc74aa5664a991

Authored by Philippe Lagadec 2015-03-19 08:49:56 +0100

1 parent a4ffb743

changed line endings from CRLF to LF in all scripts to improve Linux/Unix compatibility

Inline Side-by-side

Showing 7 changed files with 961 additions and 961 deletions

oletools/ezhexviewer.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-ezhexviewer.py
4		-
5		-A simple hexadecimal viewer based on easygui. It should work on any platform
6		-with Python 2.x.
7		-
8		-Usage: ezhexviewer.py [file]
9		-
10		-Usage in a python application:
11		-
12		- import ezhexviewer
13		- ezhexviewer.hexview_file(filename)
14		- ezhexviewer.hexview_data(data)
15		-
16		-
17		-ezhexviewer project website: http://www.decalage.info/python/ezhexviewer
18		-
19		-ezhexviewer is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
20		-All rights reserved.
21		-
22		-Redistribution and use in source and binary forms, with or without modification,
23		-are permitted provided that the following conditions are met:
24		-
25		- * Redistributions of source code must retain the above copyright notice, this
26		- list of conditions and the following disclaimer.
27		- * Redistributions in binary form must reproduce the above copyright notice,
28		- this list of conditions and the following disclaimer in the documentation
29		- and/or other materials provided with the distribution.
30		-
31		-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
32		-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
33		-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
34		-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
35		-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
36		-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37		-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
38		-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
39		-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
40		-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
41		-"""
42		-
43		-__version__ = '0.01'
44		-
45		-#------------------------------------------------------------------------------
46		-# CHANGELOG:
47		-# 2012-09-17 v0.01 PL: - first version
48		-# 2012-10-04 v0.02 PL: - added license
49		-
50		-#------------------------------------------------------------------------------
51		-# TODO:
52		-# + options to set title and msg
53		-
54		-
55		-from thirdparty.easygui import easygui
56		-import sys
57		-
58		-#------------------------------------------------------------------------------
59		-# The following code (hexdump3 only) is a modified version of the hex dumper
60		-# recipe published on ASPN by Sebastien Keim and Raymond Hattinger under the
61		-# PSF license. I added the startindex parameter.
62		-# see http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812
63		-# PSF license: http://docs.python.org/license.html
64		-# Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved
65		-
66		-FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
67		-
68		-def hexdump3(src, length=8, startindex=0):
69		- """
70		- Returns a hexadecimal dump of a binary string.
71		- length: number of bytes per row.
72		- startindex: index of 1st byte.
73		- """
74		- result=[]
75		- for i in xrange(0, len(src), length):
76		- s = src[i:i+length]
77		- hexa = ' '.join(["%02X"%ord(x) for x in s])
78		- printable = s.translate(FILTER)
79		- result.append("%08X %-s %s\n" % (i+startindex, length3, hexa, printable))
80		- return ''.join(result)
81		-
82		-# end of PSF-licensed code.
83		-#------------------------------------------------------------------------------
84		-
85		-
86		-def hexview_data (data, msg='', title='ezhexviewer', length=16, startindex=0):
87		- hex = hexdump3(data, length=length, startindex=startindex)
88		- easygui.codebox(msg=msg, title=title, text=hex)
89		-
90		-
91		-def hexview_file (filename, msg='', title='ezhexviewer', length=16, startindex=0):
92		- data = open(filename, 'rb').read()
93		- hexview_data(data, msg=msg, title=title, length=length, startindex=startindex)
94		-
95		-
96		-if __name__ == '__main__':
97		- try:
98		- filename = sys.argv[1]
99		- except:
100		- filename = easygui.fileopenbox()
101		- if filename:
102		- try:
103		- hexview_file(filename, msg='File: %s' % filename)
104		- except:
105		- easygui.exceptionbox(msg='Error:', title='ezhexviewer')
	1	+#!/usr/bin/env python
	2	+"""
	3	+ezhexviewer.py
	4	+
	5	+A simple hexadecimal viewer based on easygui. It should work on any platform
	6	+with Python 2.x.
	7	+
	8	+Usage: ezhexviewer.py [file]
	9	+
	10	+Usage in a python application:
	11	+
	12	+ import ezhexviewer
	13	+ ezhexviewer.hexview_file(filename)
	14	+ ezhexviewer.hexview_data(data)
	15	+
	16	+
	17	+ezhexviewer project website: http://www.decalage.info/python/ezhexviewer
	18	+
	19	+ezhexviewer is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info)
	20	+All rights reserved.
	21	+
	22	+Redistribution and use in source and binary forms, with or without modification,
	23	+are permitted provided that the following conditions are met:
	24	+
	25	+ * Redistributions of source code must retain the above copyright notice, this
	26	+ list of conditions and the following disclaimer.
	27	+ * Redistributions in binary form must reproduce the above copyright notice,
	28	+ this list of conditions and the following disclaimer in the documentation
	29	+ and/or other materials provided with the distribution.
	30	+
	31	+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	32	+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	33	+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	34	+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	35	+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	36	+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	37	+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	38	+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	39	+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	40	+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	41	+"""
	42	+
	43	+__version__ = '0.02'
	44	+
	45	+#------------------------------------------------------------------------------
	46	+# CHANGELOG:
	47	+# 2012-09-17 v0.01 PL: - first version
	48	+# 2012-10-04 v0.02 PL: - added license
	49	+
	50	+#------------------------------------------------------------------------------
	51	+# TODO:
	52	+# + options to set title and msg
	53	+
	54	+
	55	+from thirdparty.easygui import easygui
	56	+import sys
	57	+
	58	+#------------------------------------------------------------------------------
	59	+# The following code (hexdump3 only) is a modified version of the hex dumper
	60	+# recipe published on ASPN by Sebastien Keim and Raymond Hattinger under the
	61	+# PSF license. I added the startindex parameter.
	62	+# see http://aspn.activestate.com/ASPN/Cookbook/Python/Recipe/142812
	63	+# PSF license: http://docs.python.org/license.html
	64	+# Copyright (c) 2001-2012 Python Software Foundation; All Rights Reserved
	65	+
	66	+FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
	67	+
	68	+def hexdump3(src, length=8, startindex=0):
	69	+ """
	70	+ Returns a hexadecimal dump of a binary string.
	71	+ length: number of bytes per row.
	72	+ startindex: index of 1st byte.
	73	+ """
	74	+ result=[]
	75	+ for i in xrange(0, len(src), length):
	76	+ s = src[i:i+length]
	77	+ hexa = ' '.join(["%02X"%ord(x) for x in s])
	78	+ printable = s.translate(FILTER)
	79	+ result.append("%08X %-s %s\n" % (i+startindex, length3, hexa, printable))
	80	+ return ''.join(result)
	81	+
	82	+# end of PSF-licensed code.
	83	+#------------------------------------------------------------------------------
	84	+
	85	+
	86	+def hexview_data (data, msg='', title='ezhexviewer', length=16, startindex=0):
	87	+ hex = hexdump3(data, length=length, startindex=startindex)
	88	+ easygui.codebox(msg=msg, title=title, text=hex)
	89	+
	90	+
	91	+def hexview_file (filename, msg='', title='ezhexviewer', length=16, startindex=0):
	92	+ data = open(filename, 'rb').read()
	93	+ hexview_data(data, msg=msg, title=title, length=length, startindex=startindex)
	94	+
	95	+
	96	+if __name__ == '__main__':
	97	+ try:
	98	+ filename = sys.argv[1]
	99	+ except:
	100	+ filename = easygui.fileopenbox()
	101	+ if filename:
	102	+ try:
	103	+ hexview_file(filename, msg='File: %s' % filename)
	104	+ except:
	105	+ easygui.exceptionbox(msg='Error:', title='ezhexviewer')
...	...

oletools/olebrowse.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-olebrowse.py
4		-
5		-A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
6		-view and extract individual data streams.
7		-
8		-Usage: olebrowse.py [file]
9		-
10		-olebrowse project website: http://www.decalage.info/python/olebrowse
11		-
12		-olebrowse is part of the python-oletools package:
13		-http://www.decalage.info/python/oletools
14		-
15		-olebrowse is copyright (c) 2012-2014, Philippe Lagadec (http://www.decalage.info)
16		-All rights reserved.
17		-
18		-Redistribution and use in source and binary forms, with or without modification,
19		-are permitted provided that the following conditions are met:
20		-
21		- * Redistributions of source code must retain the above copyright notice, this
22		- list of conditions and the following disclaimer.
23		- * Redistributions in binary form must reproduce the above copyright notice,
24		- this list of conditions and the following disclaimer in the documentation
25		- and/or other materials provided with the distribution.
26		-
27		-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
28		-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
29		-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
30		-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
31		-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
32		-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
33		-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
34		-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
35		-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
36		-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37		-"""
38		-
39		-__version__ = '0.02'
40		-
41		-#------------------------------------------------------------------------------
42		-# CHANGELOG:
43		-# 2012-09-17 v0.01 PL: - first version
44		-# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
45		-
46		-#------------------------------------------------------------------------------
47		-# TODO:
48		-# - menu option to open another file
49		-# - menu option to display properties
50		-# - menu option to run other oletools, external tools such as OfficeCat?
51		-# - for a stream, display info: size, path, etc
52		-# - stream info: magic, entropy, ... ?
53		-
54		-import optparse, sys, os
55		-from thirdparty.easygui import easygui
56		-import thirdparty.olefile as olefile
57		-import ezhexviewer
58		-
59		-ABOUT = '~ About olebrowse'
60		-QUIT = '~ Quit'
61		-
62		-
63		-def about ():
64		- """
65		- Display information about this tool
66		- """
67		- easygui.textbox(title='About olebrowse', text=__doc__)
68		-
69		-
70		-def browse_stream (ole, stream):
71		- """
72		- Browse a stream (hex view or save to file)
73		- """
74		- #print 'stream:', stream
75		- while True:
76		- msg ='Select an action for the stream "%s", or press Esc to exit' % repr(stream)
77		- actions = [
78		- 'Hex view',
79		-## 'Text view',
80		-## 'Repr view',
81		- 'Save stream to file',
82		- '~ Back to main menu',
83		- ]
84		- action = easygui.choicebox(msg, title='olebrowse', choices=actions)
85		- if action is None or 'Back' in action:
86		- break
87		- elif action.startswith('Hex'):
88		- data = ole.openstream(stream).getvalue()
89		- ezhexviewer.hexview_data(data, msg='Stream: %s' % stream, title='olebrowse')
90		-## elif action.startswith('Text'):
91		-## data = ole.openstream(stream).getvalue()
92		-## easygui.codebox(title='Text view - %s' % stream, text=data)
93		-## elif action.startswith('Repr'):
94		-## data = ole.openstream(stream).getvalue()
95		-## easygui.codebox(title='Repr view - %s' % stream, text=repr(data))
96		- elif action.startswith('Save'):
97		- data = ole.openstream(stream).getvalue()
98		- fname = easygui.filesavebox(default='stream.bin')
99		- if fname is not None:
100		- f = open(fname, 'wb')
101		- f.write(data)
102		- f.close()
103		- easygui.msgbox('stream saved to file %s' % fname)
104		-
105		-
106		-
107		-def main():
108		- """
109		- Main function
110		- """
111		- try:
112		- filename = sys.argv[1]
113		- except:
114		- filename = easygui.fileopenbox()
115		- try:
116		- ole = olefile.OleFileIO(filename)
117		- listdir = ole.listdir()
118		- streams = []
119		- for direntry in listdir:
120		- #print direntry
121		- streams.append('/'.join(direntry))
122		- streams.append(ABOUT)
123		- streams.append(QUIT)
124		- stream = True
125		- while stream is not None:
126		- msg ="Select a stream, or press Esc to exit"
127		- title = "olebrowse"
128		- stream = easygui.choicebox(msg, title, streams)
129		- if stream is None or stream == QUIT:
130		- break
131		- if stream == ABOUT:
132		- about()
133		- else:
134		- browse_stream(ole, stream)
135		- except:
136		- easygui.exceptionbox()
137		-
138		-
139		-
140		-
141		-if __name__ == '__main__':
142		- main()
	1	+#!/usr/bin/env python
	2	+"""
	3	+olebrowse.py
	4	+
	5	+A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to
	6	+view and extract individual data streams.
	7	+
	8	+Usage: olebrowse.py [file]
	9	+
	10	+olebrowse project website: http://www.decalage.info/python/olebrowse
	11	+
	12	+olebrowse is part of the python-oletools package:
	13	+http://www.decalage.info/python/oletools
	14	+
	15	+olebrowse is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info)
	16	+All rights reserved.
	17	+
	18	+Redistribution and use in source and binary forms, with or without modification,
	19	+are permitted provided that the following conditions are met:
	20	+
	21	+ * Redistributions of source code must retain the above copyright notice, this
	22	+ list of conditions and the following disclaimer.
	23	+ * Redistributions in binary form must reproduce the above copyright notice,
	24	+ this list of conditions and the following disclaimer in the documentation
	25	+ and/or other materials provided with the distribution.
	26	+
	27	+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	28	+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	29	+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	30	+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	31	+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	32	+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	33	+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	34	+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	35	+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	36	+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	37	+"""
	38	+
	39	+__version__ = '0.02'
	40	+
	41	+#------------------------------------------------------------------------------
	42	+# CHANGELOG:
	43	+# 2012-09-17 v0.01 PL: - first version
	44	+# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
	45	+
	46	+#------------------------------------------------------------------------------
	47	+# TODO:
	48	+# - menu option to open another file
	49	+# - menu option to display properties
	50	+# - menu option to run other oletools, external tools such as OfficeCat?
	51	+# - for a stream, display info: size, path, etc
	52	+# - stream info: magic, entropy, ... ?
	53	+
	54	+import optparse, sys, os
	55	+from thirdparty.easygui import easygui
	56	+import thirdparty.olefile as olefile
	57	+import ezhexviewer
	58	+
	59	+ABOUT = '~ About olebrowse'
	60	+QUIT = '~ Quit'
	61	+
	62	+
	63	+def about ():
	64	+ """
	65	+ Display information about this tool
	66	+ """
	67	+ easygui.textbox(title='About olebrowse', text=__doc__)
	68	+
	69	+
	70	+def browse_stream (ole, stream):
	71	+ """
	72	+ Browse a stream (hex view or save to file)
	73	+ """
	74	+ #print 'stream:', stream
	75	+ while True:
	76	+ msg ='Select an action for the stream "%s", or press Esc to exit' % repr(stream)
	77	+ actions = [
	78	+ 'Hex view',
	79	+## 'Text view',
	80	+## 'Repr view',
	81	+ 'Save stream to file',
	82	+ '~ Back to main menu',
	83	+ ]
	84	+ action = easygui.choicebox(msg, title='olebrowse', choices=actions)
	85	+ if action is None or 'Back' in action:
	86	+ break
	87	+ elif action.startswith('Hex'):
	88	+ data = ole.openstream(stream).getvalue()
	89	+ ezhexviewer.hexview_data(data, msg='Stream: %s' % stream, title='olebrowse')
	90	+## elif action.startswith('Text'):
	91	+## data = ole.openstream(stream).getvalue()
	92	+## easygui.codebox(title='Text view - %s' % stream, text=data)
	93	+## elif action.startswith('Repr'):
	94	+## data = ole.openstream(stream).getvalue()
	95	+## easygui.codebox(title='Repr view - %s' % stream, text=repr(data))
	96	+ elif action.startswith('Save'):
	97	+ data = ole.openstream(stream).getvalue()
	98	+ fname = easygui.filesavebox(default='stream.bin')
	99	+ if fname is not None:
	100	+ f = open(fname, 'wb')
	101	+ f.write(data)
	102	+ f.close()
	103	+ easygui.msgbox('stream saved to file %s' % fname)
	104	+
	105	+
	106	+
	107	+def main():
	108	+ """
	109	+ Main function
	110	+ """
	111	+ try:
	112	+ filename = sys.argv[1]
	113	+ except:
	114	+ filename = easygui.fileopenbox()
	115	+ try:
	116	+ ole = olefile.OleFileIO(filename)
	117	+ listdir = ole.listdir()
	118	+ streams = []
	119	+ for direntry in listdir:
	120	+ #print direntry
	121	+ streams.append('/'.join(direntry))
	122	+ streams.append(ABOUT)
	123	+ streams.append(QUIT)
	124	+ stream = True
	125	+ while stream is not None:
	126	+ msg ="Select a stream, or press Esc to exit"
	127	+ title = "olebrowse"
	128	+ stream = easygui.choicebox(msg, title, streams)
	129	+ if stream is None or stream == QUIT:
	130	+ break
	131	+ if stream == ABOUT:
	132	+ about()
	133	+ else:
	134	+ browse_stream(ole, stream)
	135	+ except:
	136	+ easygui.exceptionbox()
	137	+
	138	+
	139	+
	140	+
	141	+if __name__ == '__main__':
	142	+ main()
...	...

oletools/oleid.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-oleid.py
4		-
5		-oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,
6		-Excel), to detect specific characteristics that could potentially indicate that
7		-the file is suspicious or malicious, in terms of security (e.g. malware).
8		-For example it can detect VBA macros, embedded Flash objects, fragmentation.
9		-The results can be displayed or returned as XML for further processing.
10		-
11		-Usage: oleid.py <file>
12		-
13		-oleid project website: http://www.decalage.info/python/oleid
14		-
15		-oleid is part of the python-oletools package:
16		-http://www.decalage.info/python/oletools
17		-"""
18		-
19		-#=== LICENSE =================================================================
20		-
21		-# oleid is copyright (c) 2012-2014, Philippe Lagadec (http://www.decalage.info)
22		-# All rights reserved.
23		-#
24		-# Redistribution and use in source and binary forms, with or without modification,
25		-# are permitted provided that the following conditions are met:
26		-#
27		-# * Redistributions of source code must retain the above copyright notice, this
28		-# list of conditions and the following disclaimer.
29		-# * Redistributions in binary form must reproduce the above copyright notice,
30		-# this list of conditions and the following disclaimer in the documentation
31		-# and/or other materials provided with the distribution.
32		-#
33		-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
34		-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
35		-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
36		-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
37		-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
38		-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
39		-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
40		-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
41		-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
42		-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
43		-
44		-
45		-#------------------------------------------------------------------------------
46		-# CHANGELOG:
47		-# 2012-10-29 v0.01 PL: - first version
48		-# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
49		-# - improved usage display with -h
50		-# 2014-11-30 v0.03 PL: - improved output with prettytable
51		-
52		-__version__ = '0.03'
53		-
54		-
55		-#------------------------------------------------------------------------------
56		-# TODO:
57		-# + extract relevant metadata: codepage, author, application, timestamps, etc
58		-# - detect RTF and OpenXML
59		-# - fragmentation
60		-# - OLE package
61		-# - entropy
62		-# - detect PE header?
63		-# - detect NOPs?
64		-# - list type of each object in object pool?
65		-# - criticality for each indicator?: info, low, medium, high
66		-# - support wildcards with glob?
67		-# - verbose option
68		-# - csv, xml output
69		-
70		-
71		-#=== IMPORTS =================================================================
72		-
73		-import optparse, sys, os, re, zlib, struct
74		-import thirdparty.olefile as olefile
75		-from thirdparty.prettytable import prettytable
76		-
77		-
78		-#=== FUNCTIONS ===============================================================
79		-
80		-def detect_flash (data):
81		- """
82		- Detect Flash objects (SWF files) within a binary string of data
83		- return a list of (start_index, length, compressed) tuples, or [] if nothing
84		- found.
85		-
86		- Code inspired from xxxswf.py by Alexander Hanel (but significantly reworked)
87		- http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
88		- """
89		- #TODO: report
90		- found = []
91		- for match in re.finditer('CWS\|FWS', data):
92		- start = match.start()
93		- if start+8 > len(data):
94		- # header size larger than remaining data, this is not a SWF
95		- continue
96		- #TODO: one struct.unpack should be simpler
97		- # Read Header
98		- header = data[start:start+3]
99		- # Read Version
100		- ver = struct.unpack('<b', data[start+3])[0]
101		- # Error check for version above 20
102		- #TODO: is this accurate? (check SWF specifications)
103		- if ver > 20:
104		- continue
105		- # Read SWF Size
106		- size = struct.unpack('<i', data[start+4:start+8])[0]
107		- if start+size > len(data) or size < 1024:
108		- # declared size larger than remaining data, this is not a SWF
109		- # or declared size too small for a usual SWF
110		- continue
111		- # Read SWF into buffer. If compressed read uncompressed size.
112		- swf = data[start:start+size]
113		- compressed = False
114		- if 'CWS' in header:
115		- compressed = True
116		- # compressed SWF: data after header (8 bytes) until the end is
117		- # compressed with zlib. Attempt to decompress it to check if it is
118		- # valid
119		- compressed_data = swf[8:]
120		- try:
121		- zlib.decompress(compressed_data)
122		- except:
123		- continue
124		- # else we don't check anything at this stage, we only assume it is a
125		- # valid SWF. So there might be false positives for uncompressed SWF.
126		- found.append((start, size, compressed))
127		- #print 'Found SWF start=%x, length=%d' % (start, size)
128		- return found
129		-
130		-
131		-#=== CLASSES =================================================================
132		-
133		-class Indicator (object):
134		-
135		- def __init__(self, _id, value=None, _type=bool, name=None, description=None):
136		- self.id = _id
137		- self.value = value
138		- self.type = _type
139		- self.name = name
140		- if name == None:
141		- self.name = _id
142		- self.description = description
143		-
144		-
145		-class OleID:
146		-
147		- def __init__(self, filename):
148		- self.filename = filename
149		- self.indicators = []
150		-
151		- def check(self):
152		- # check if it is actually an OLE file:
153		- oleformat = Indicator('ole_format', True, name='OLE format')
154		- self.indicators.append(oleformat)
155		- if not olefile.isOleFile(self.filename):
156		- oleformat.value = False
157		- return self.indicators
158		- # parse file:
159		- self.ole = olefile.OleFileIO(self.filename)
160		- # checks:
161		- self.check_properties()
162		- self.check_encrypted()
163		- self.check_word()
164		- self.check_excel()
165		- self.check_powerpoint()
166		- self.check_visio()
167		- self.check_ObjectPool()
168		- self.check_flash()
169		- self.ole.close()
170		- return self.indicators
171		-
172		- def check_properties (self):
173		- suminfo = Indicator('has_suminfo', False, name='Has SummaryInformation stream')
174		- self.indicators.append(suminfo)
175		- appname = Indicator('appname', 'unknown', _type=str, name='Application name')
176		- self.indicators.append(appname)
177		- self.suminfo = {}
178		- # check stream SummaryInformation
179		- if self.ole.exists("\x05SummaryInformation"):
180		- suminfo.value = True
181		- self.suminfo = self.ole.getproperties("\x05SummaryInformation")
182		- # check application name:
183		- appname.value = self.suminfo.get(0x12, 'unknown')
184		-
185		- def check_encrypted (self):
186		- # we keep the pointer to the indicator, can be modified by other checks:
187		- self.encrypted = Indicator('encrypted', False, name='Encrypted')
188		- self.indicators.append(self.encrypted)
189		- # check if bit 1 of security field = 1:
190		- # (this field may be missing for Powerpoint2000, for example)
191		- if 0x13 in self.suminfo:
192		- if self.suminfo[0x13] & 1:
193		- self.encrypted.value = True
194		-
195		- def check_word (self):
196		- word = Indicator('word', False, name='Word Document',
197		- description='Contains a WordDocument stream, very likely to be a Microsoft Word Document.')
198		- self.indicators.append(word)
199		- self.macros = Indicator('vba_macros', False, name='VBA Macros')
200		- self.indicators.append(self.macros)
201		- if self.ole.exists('WordDocument'):
202		- word.value = True
203		- # check for Word-specific encryption flag:
204		- s = self.ole.openstream(["WordDocument"])
205		- # pass header 10 bytes
206		- s.read(10)
207		- # read flag structure:
208		- temp16 = struct.unpack("H", s.read(2))[0]
209		- fEncrypted = (temp16 & 0x0100) >> 8
210		- if fEncrypted:
211		- self.encrypted.value = True
212		- s.close()
213		- # check for VBA macros:
214		- if self.ole.exists('Macros'):
215		- self.macros.value = True
216		-
217		- def check_excel (self):
218		- excel = Indicator('excel', False, name='Excel Workbook',
219		- description='Contains a Workbook or Book stream, very likely to be a Microsoft Excel Workbook.')
220		- self.indicators.append(excel)
221		- #self.macros = Indicator('vba_macros', False, name='VBA Macros')
222		- #self.indicators.append(self.macros)
223		- if self.ole.exists('Workbook') or self.ole.exists('Book'):
224		- excel.value = True
225		- # check for VBA macros:
226		- if self.ole.exists('_VBA_PROJECT_CUR'):
227		- self.macros.value = True
228		-
229		- def check_powerpoint (self):
230		- ppt = Indicator('ppt', False, name='PowerPoint Presentation',
231		- description='Contains a PowerPoint Document stream, very likely to be a Microsoft PowerPoint Presentation.')
232		- self.indicators.append(ppt)
233		- if self.ole.exists('PowerPoint Document'):
234		- ppt.value = True
235		-
236		- def check_visio (self):
237		- visio = Indicator('visio', False, name='Visio Drawing',
238		- description='Contains a VisioDocument stream, very likely to be a Microsoft Visio Drawing.')
239		- self.indicators.append(visio)
240		- if self.ole.exists('VisioDocument'):
241		- visio.value = True
242		-
243		- def check_ObjectPool (self):
244		- objpool = Indicator('ObjectPool', False, name='ObjectPool',
245		- description='Contains an ObjectPool stream, very likely to contain embedded OLE objects or files.')
246		- self.indicators.append(objpool)
247		- if self.ole.exists('ObjectPool'):
248		- objpool.value = True
249		-
250		-
251		- def check_flash (self):
252		- flash = Indicator('flash', 0, _type=int, name='Flash objects',
253		- description='Number of embedded Flash objects (SWF files) detected in OLE streams. Not 100% accurate, there may be false positives.')
254		- self.indicators.append(flash)
255		- for stream in self.ole.listdir():
256		- data = self.ole.openstream(stream).read()
257		- found = detect_flash(data)
258		- # just add to the count of Flash objects:
259		- flash.value += len(found)
260		- #print stream, found
261		-
262		-
263		-#=== MAIN =================================================================
264		-
265		-def main():
266		- usage = 'usage: %prog [options] <file>'
267		- parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)
268		-## parser.add_option('-o', '--ole', action='store_true', dest='ole', help='Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
269		-
270		- (options, args) = parser.parse_args()
271		-
272		- # Print help if no argurments are passed
273		- if len(args) == 0:
274		- parser.print_help()
275		- return
276		-
277		- for filename in args:
278		- print '\nFilename:', filename
279		- oleid = OleID(filename)
280		- indicators = oleid.check()
281		-
282		- #TODO: add description
283		- #TODO: highlight suspicious indicators
284		- t = prettytable.PrettyTable(['Indicator', 'Value'])
285		- t.align = 'l'
286		- t.max_width = 39
287		- #t.border = False
288		-
289		- for indicator in indicators:
290		- #print '%s: %s' % (indicator.name, indicator.value)
291		- t.add_row((indicator.name, indicator.value))
292		-
293		- print t
294		-
295		-if __name__ == '__main__':
296		- main()
	1	+#!/usr/bin/env python
	2	+"""
	3	+oleid.py
	4	+
	5	+oleid is a script to analyze OLE files such as MS Office documents (e.g. Word,
	6	+Excel), to detect specific characteristics that could potentially indicate that
	7	+the file is suspicious or malicious, in terms of security (e.g. malware).
	8	+For example it can detect VBA macros, embedded Flash objects, fragmentation.
	9	+The results can be displayed or returned as XML for further processing.
	10	+
	11	+Usage: oleid.py <file>
	12	+
	13	+oleid project website: http://www.decalage.info/python/oleid
	14	+
	15	+oleid is part of the python-oletools package:
	16	+http://www.decalage.info/python/oletools
	17	+"""
	18	+
	19	+#=== LICENSE =================================================================
	20	+
	21	+# oleid is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info)
	22	+# All rights reserved.
	23	+#
	24	+# Redistribution and use in source and binary forms, with or without modification,
	25	+# are permitted provided that the following conditions are met:
	26	+#
	27	+# * Redistributions of source code must retain the above copyright notice, this
	28	+# list of conditions and the following disclaimer.
	29	+# * Redistributions in binary form must reproduce the above copyright notice,
	30	+# this list of conditions and the following disclaimer in the documentation
	31	+# and/or other materials provided with the distribution.
	32	+#
	33	+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	34	+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	35	+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	36	+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	37	+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	38	+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	39	+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	40	+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	41	+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	42	+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	43	+
	44	+
	45	+#------------------------------------------------------------------------------
	46	+# CHANGELOG:
	47	+# 2012-10-29 v0.01 PL: - first version
	48	+# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
	49	+# - improved usage display with -h
	50	+# 2014-11-30 v0.03 PL: - improved output with prettytable
	51	+
	52	+__version__ = '0.03'
	53	+
	54	+
	55	+#------------------------------------------------------------------------------
	56	+# TODO:
	57	+# + extract relevant metadata: codepage, author, application, timestamps, etc
	58	+# - detect RTF and OpenXML
	59	+# - fragmentation
	60	+# - OLE package
	61	+# - entropy
	62	+# - detect PE header?
	63	+# - detect NOPs?
	64	+# - list type of each object in object pool?
	65	+# - criticality for each indicator?: info, low, medium, high
	66	+# - support wildcards with glob?
	67	+# - verbose option
	68	+# - csv, xml output
	69	+
	70	+
	71	+#=== IMPORTS =================================================================
	72	+
	73	+import optparse, sys, os, re, zlib, struct
	74	+import thirdparty.olefile as olefile
	75	+from thirdparty.prettytable import prettytable
	76	+
	77	+
	78	+#=== FUNCTIONS ===============================================================
	79	+
	80	+def detect_flash (data):
	81	+ """
	82	+ Detect Flash objects (SWF files) within a binary string of data
	83	+ return a list of (start_index, length, compressed) tuples, or [] if nothing
	84	+ found.
	85	+
	86	+ Code inspired from xxxswf.py by Alexander Hanel (but significantly reworked)
	87	+ http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
	88	+ """
	89	+ #TODO: report
	90	+ found = []
	91	+ for match in re.finditer('CWS\|FWS', data):
	92	+ start = match.start()
	93	+ if start+8 > len(data):
	94	+ # header size larger than remaining data, this is not a SWF
	95	+ continue
	96	+ #TODO: one struct.unpack should be simpler
	97	+ # Read Header
	98	+ header = data[start:start+3]
	99	+ # Read Version
	100	+ ver = struct.unpack('<b', data[start+3])[0]
	101	+ # Error check for version above 20
	102	+ #TODO: is this accurate? (check SWF specifications)
	103	+ if ver > 20:
	104	+ continue
	105	+ # Read SWF Size
	106	+ size = struct.unpack('<i', data[start+4:start+8])[0]
	107	+ if start+size > len(data) or size < 1024:
	108	+ # declared size larger than remaining data, this is not a SWF
	109	+ # or declared size too small for a usual SWF
	110	+ continue
	111	+ # Read SWF into buffer. If compressed read uncompressed size.
	112	+ swf = data[start:start+size]
	113	+ compressed = False
	114	+ if 'CWS' in header:
	115	+ compressed = True
	116	+ # compressed SWF: data after header (8 bytes) until the end is
	117	+ # compressed with zlib. Attempt to decompress it to check if it is
	118	+ # valid
	119	+ compressed_data = swf[8:]
	120	+ try:
	121	+ zlib.decompress(compressed_data)
	122	+ except:
	123	+ continue
	124	+ # else we don't check anything at this stage, we only assume it is a
	125	+ # valid SWF. So there might be false positives for uncompressed SWF.
	126	+ found.append((start, size, compressed))
	127	+ #print 'Found SWF start=%x, length=%d' % (start, size)
	128	+ return found
	129	+
	130	+
	131	+#=== CLASSES =================================================================
	132	+
	133	+class Indicator (object):
	134	+
	135	+ def __init__(self, _id, value=None, _type=bool, name=None, description=None):
	136	+ self.id = _id
	137	+ self.value = value
	138	+ self.type = _type
	139	+ self.name = name
	140	+ if name == None:
	141	+ self.name = _id
	142	+ self.description = description
	143	+
	144	+
	145	+class OleID:
	146	+
	147	+ def __init__(self, filename):
	148	+ self.filename = filename
	149	+ self.indicators = []
	150	+
	151	+ def check(self):
	152	+ # check if it is actually an OLE file:
	153	+ oleformat = Indicator('ole_format', True, name='OLE format')
	154	+ self.indicators.append(oleformat)
	155	+ if not olefile.isOleFile(self.filename):
	156	+ oleformat.value = False
	157	+ return self.indicators
	158	+ # parse file:
	159	+ self.ole = olefile.OleFileIO(self.filename)
	160	+ # checks:
	161	+ self.check_properties()
	162	+ self.check_encrypted()
	163	+ self.check_word()
	164	+ self.check_excel()
	165	+ self.check_powerpoint()
	166	+ self.check_visio()
	167	+ self.check_ObjectPool()
	168	+ self.check_flash()
	169	+ self.ole.close()
	170	+ return self.indicators
	171	+
	172	+ def check_properties (self):
	173	+ suminfo = Indicator('has_suminfo', False, name='Has SummaryInformation stream')
	174	+ self.indicators.append(suminfo)
	175	+ appname = Indicator('appname', 'unknown', _type=str, name='Application name')
	176	+ self.indicators.append(appname)
	177	+ self.suminfo = {}
	178	+ # check stream SummaryInformation
	179	+ if self.ole.exists("\x05SummaryInformation"):
	180	+ suminfo.value = True
	181	+ self.suminfo = self.ole.getproperties("\x05SummaryInformation")
	182	+ # check application name:
	183	+ appname.value = self.suminfo.get(0x12, 'unknown')
	184	+
	185	+ def check_encrypted (self):
	186	+ # we keep the pointer to the indicator, can be modified by other checks:
	187	+ self.encrypted = Indicator('encrypted', False, name='Encrypted')
	188	+ self.indicators.append(self.encrypted)
	189	+ # check if bit 1 of security field = 1:
	190	+ # (this field may be missing for Powerpoint2000, for example)
	191	+ if 0x13 in self.suminfo:
	192	+ if self.suminfo[0x13] & 1:
	193	+ self.encrypted.value = True
	194	+
	195	+ def check_word (self):
	196	+ word = Indicator('word', False, name='Word Document',
	197	+ description='Contains a WordDocument stream, very likely to be a Microsoft Word Document.')
	198	+ self.indicators.append(word)
	199	+ self.macros = Indicator('vba_macros', False, name='VBA Macros')
	200	+ self.indicators.append(self.macros)
	201	+ if self.ole.exists('WordDocument'):
	202	+ word.value = True
	203	+ # check for Word-specific encryption flag:
	204	+ s = self.ole.openstream(["WordDocument"])
	205	+ # pass header 10 bytes
	206	+ s.read(10)
	207	+ # read flag structure:
	208	+ temp16 = struct.unpack("H", s.read(2))[0]
	209	+ fEncrypted = (temp16 & 0x0100) >> 8
	210	+ if fEncrypted:
	211	+ self.encrypted.value = True
	212	+ s.close()
	213	+ # check for VBA macros:
	214	+ if self.ole.exists('Macros'):
	215	+ self.macros.value = True
	216	+
	217	+ def check_excel (self):
	218	+ excel = Indicator('excel', False, name='Excel Workbook',
	219	+ description='Contains a Workbook or Book stream, very likely to be a Microsoft Excel Workbook.')
	220	+ self.indicators.append(excel)
	221	+ #self.macros = Indicator('vba_macros', False, name='VBA Macros')
	222	+ #self.indicators.append(self.macros)
	223	+ if self.ole.exists('Workbook') or self.ole.exists('Book'):
	224	+ excel.value = True
	225	+ # check for VBA macros:
	226	+ if self.ole.exists('_VBA_PROJECT_CUR'):
	227	+ self.macros.value = True
	228	+
	229	+ def check_powerpoint (self):
	230	+ ppt = Indicator('ppt', False, name='PowerPoint Presentation',
	231	+ description='Contains a PowerPoint Document stream, very likely to be a Microsoft PowerPoint Presentation.')
	232	+ self.indicators.append(ppt)
	233	+ if self.ole.exists('PowerPoint Document'):
	234	+ ppt.value = True
	235	+
	236	+ def check_visio (self):
	237	+ visio = Indicator('visio', False, name='Visio Drawing',
	238	+ description='Contains a VisioDocument stream, very likely to be a Microsoft Visio Drawing.')
	239	+ self.indicators.append(visio)
	240	+ if self.ole.exists('VisioDocument'):
	241	+ visio.value = True
	242	+
	243	+ def check_ObjectPool (self):
	244	+ objpool = Indicator('ObjectPool', False, name='ObjectPool',
	245	+ description='Contains an ObjectPool stream, very likely to contain embedded OLE objects or files.')
	246	+ self.indicators.append(objpool)
	247	+ if self.ole.exists('ObjectPool'):
	248	+ objpool.value = True
	249	+
	250	+
	251	+ def check_flash (self):
	252	+ flash = Indicator('flash', 0, _type=int, name='Flash objects',
	253	+ description='Number of embedded Flash objects (SWF files) detected in OLE streams. Not 100% accurate, there may be false positives.')
	254	+ self.indicators.append(flash)
	255	+ for stream in self.ole.listdir():
	256	+ data = self.ole.openstream(stream).read()
	257	+ found = detect_flash(data)
	258	+ # just add to the count of Flash objects:
	259	+ flash.value += len(found)
	260	+ #print stream, found
	261	+
	262	+
	263	+#=== MAIN =================================================================
	264	+
	265	+def main():
	266	+ usage = 'usage: %prog [options] <file>'
	267	+ parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)
	268	+## parser.add_option('-o', '--ole', action='store_true', dest='ole', help='Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
	269	+
	270	+ (options, args) = parser.parse_args()
	271	+
	272	+ # Print help if no argurments are passed
	273	+ if len(args) == 0:
	274	+ parser.print_help()
	275	+ return
	276	+
	277	+ for filename in args:
	278	+ print '\nFilename:', filename
	279	+ oleid = OleID(filename)
	280	+ indicators = oleid.check()
	281	+
	282	+ #TODO: add description
	283	+ #TODO: highlight suspicious indicators
	284	+ t = prettytable.PrettyTable(['Indicator', 'Value'])
	285	+ t.align = 'l'
	286	+ t.max_width = 39
	287	+ #t.border = False
	288	+
	289	+ for indicator in indicators:
	290	+ #print '%s: %s' % (indicator.name, indicator.value)
	291	+ t.add_row((indicator.name, indicator.value))
	292	+
	293	+ print t
	294	+
	295	+if __name__ == '__main__':
	296	+ main()
...	...

oletools/olemeta.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-olemeta.py
4		-
5		-olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,
6		-Excel), to extract all standard properties present in the OLE file.
7		-
8		-Usage: olemeta.py <file>
9		-
10		-olemeta project website: http://www.decalage.info/python/olemeta
11		-
12		-olemeta is part of the python-oletools package:
13		-http://www.decalage.info/python/oletools
14		-"""
15		-
16		-#=== LICENSE =================================================================
17		-
18		-# olemeta is copyright (c) 2013-2014, Philippe Lagadec (http://www.decalage.info)
19		-# All rights reserved.
20		-#
21		-# Redistribution and use in source and binary forms, with or without modification,
22		-# are permitted provided that the following conditions are met:
23		-#
24		-# * Redistributions of source code must retain the above copyright notice, this
25		-# list of conditions and the following disclaimer.
26		-# * Redistributions in binary form must reproduce the above copyright notice,
27		-# this list of conditions and the following disclaimer in the documentation
28		-# and/or other materials provided with the distribution.
29		-#
30		-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
31		-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
32		-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
33		-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
34		-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35		-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
36		-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
37		-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
38		-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
39		-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40		-
41		-#------------------------------------------------------------------------------
42		-# CHANGELOG:
43		-# 2013-07-24 v0.01 PL: - first version
44		-# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
45		-# - improved usage display
46		-
47		-__version__ = '0.02'
48		-
49		-#------------------------------------------------------------------------------
50		-# TODO:
51		-# + optparse
52		-# + nicer output: table with fixed columns, datetime, etc
53		-# + CSV output
54		-# + option to only show available properties (by default)
55		-
56		-#=== IMPORTS =================================================================
57		-
58		-import sys
59		-import thirdparty.olefile as olefile
60		-
61		-
62		-#=== MAIN =================================================================
63		-
64		-try:
65		- ole = olefile.OleFileIO(sys.argv[1])
66		-except IndexError:
67		- sys.exit(__doc__)
68		-
69		-# parse and display metadata:
70		-meta = ole.get_metadata()
71		-meta.dump()
72		-
73		-ole.close()
	1	+#!/usr/bin/env python
	2	+"""
	3	+olemeta.py
	4	+
	5	+olemeta is a script to parse OLE files such as MS Office documents (e.g. Word,
	6	+Excel), to extract all standard properties present in the OLE file.
	7	+
	8	+Usage: olemeta.py <file>
	9	+
	10	+olemeta project website: http://www.decalage.info/python/olemeta
	11	+
	12	+olemeta is part of the python-oletools package:
	13	+http://www.decalage.info/python/oletools
	14	+"""
	15	+
	16	+#=== LICENSE =================================================================
	17	+
	18	+# olemeta is copyright (c) 2013-2015, Philippe Lagadec (http://www.decalage.info)
	19	+# All rights reserved.
	20	+#
	21	+# Redistribution and use in source and binary forms, with or without modification,
	22	+# are permitted provided that the following conditions are met:
	23	+#
	24	+# * Redistributions of source code must retain the above copyright notice, this
	25	+# list of conditions and the following disclaimer.
	26	+# * Redistributions in binary form must reproduce the above copyright notice,
	27	+# this list of conditions and the following disclaimer in the documentation
	28	+# and/or other materials provided with the distribution.
	29	+#
	30	+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	31	+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	32	+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	33	+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	34	+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	35	+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	36	+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	37	+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	38	+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	39	+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	40	+
	41	+#------------------------------------------------------------------------------
	42	+# CHANGELOG:
	43	+# 2013-07-24 v0.01 PL: - first version
	44	+# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
	45	+# - improved usage display
	46	+
	47	+__version__ = '0.02'
	48	+
	49	+#------------------------------------------------------------------------------
	50	+# TODO:
	51	+# + optparse
	52	+# + nicer output: table with fixed columns, datetime, etc
	53	+# + CSV output
	54	+# + option to only show available properties (by default)
	55	+
	56	+#=== IMPORTS =================================================================
	57	+
	58	+import sys
	59	+import thirdparty.olefile as olefile
	60	+
	61	+
	62	+#=== MAIN =================================================================
	63	+
	64	+try:
	65	+ ole = olefile.OleFileIO(sys.argv[1])
	66	+except IndexError:
	67	+ sys.exit(__doc__)
	68	+
	69	+# parse and display metadata:
	70	+meta = ole.get_metadata()
	71	+meta.dump()
	72	+
	73	+ole.close()
...	...

oletools/oletimes.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-oletimes.py
4		-
5		-oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,
6		-Excel), to extract creation and modification times of all streams and storages
7		-in the OLE file.
8		-
9		-Usage: oletimes.py <file>
10		-
11		-oletimes project website: http://www.decalage.info/python/oletimes
12		-
13		-oletimes is part of the python-oletools package:
14		-http://www.decalage.info/python/oletools
15		-"""
16		-
17		-#=== LICENSE =================================================================
18		-
19		-# oletimes is copyright (c) 2013-2014, Philippe Lagadec (http://www.decalage.info)
20		-# All rights reserved.
21		-#
22		-# Redistribution and use in source and binary forms, with or without modification,
23		-# are permitted provided that the following conditions are met:
24		-#
25		-# * Redistributions of source code must retain the above copyright notice, this
26		-# list of conditions and the following disclaimer.
27		-# * Redistributions in binary form must reproduce the above copyright notice,
28		-# this list of conditions and the following disclaimer in the documentation
29		-# and/or other materials provided with the distribution.
30		-#
31		-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
32		-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
33		-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
34		-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
35		-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
36		-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
37		-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
38		-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
39		-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
40		-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
41		-
42		-
43		-#------------------------------------------------------------------------------
44		-# CHANGELOG:
45		-# 2013-07-24 v0.01 PL: - first version
46		-# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
47		-# - improved usage display
48		-# 2014-11-30 v0.03 PL: - improved output with prettytable
49		-
50		-__version__ = '0.03'
51		-
52		-#------------------------------------------------------------------------------
53		-# TODO:
54		-# + optparse
55		-# + nicer output: table with fixed columns, datetime, etc
56		-# + CSV output
57		-# + option to only show available timestamps (by default?)
58		-
59		-#=== IMPORTS =================================================================
60		-
61		-import sys, datetime
62		-import thirdparty.olefile as olefile
63		-from thirdparty.prettytable import prettytable
64		-
65		-
66		-#=== MAIN =================================================================
67		-
68		-try:
69		- ole = olefile.OleFileIO(sys.argv[1])
70		-except IndexError:
71		- sys.exit(__doc__)
72		-
73		-def dt2str (dt):
74		- """
75		- Convert a datetime object to a string for display, without microseconds
76		-
77		- :param dt: datetime.datetime object, or None
78		- :return: str, or None
79		- """
80		- if dt is None:
81		- return None
82		- dt = dt.replace(microsecond = 0)
83		- return str(dt)
84		-
85		-t = prettytable.PrettyTable(['Stream/Storage name', 'Modification Time', 'Creation Time'])
86		-t.align = 'l'
87		-t.max_width = 26
88		-#t.border = False
89		-
90		-#print'- Root mtime=%s ctime=%s' % (ole.root.getmtime(), ole.root.getctime())
91		-t.add_row(('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))
92		-
93		-for obj in ole.listdir(streams=True, storages=True):
94		- #print '- %s: mtime=%s ctime=%s' % (repr('/'.join(obj)), ole.getmtime(obj), ole.getctime(obj))
95		- t.add_row((repr('/'.join(obj)), dt2str(ole.getmtime(obj)), dt2str(ole.getctime(obj))))
96		-
97		-print t
98		-
99		-ole.close()
	1	+#!/usr/bin/env python
	2	+"""
	3	+oletimes.py
	4	+
	5	+oletimes is a script to parse OLE files such as MS Office documents (e.g. Word,
	6	+Excel), to extract creation and modification times of all streams and storages
	7	+in the OLE file.
	8	+
	9	+Usage: oletimes.py <file>
	10	+
	11	+oletimes project website: http://www.decalage.info/python/oletimes
	12	+
	13	+oletimes is part of the python-oletools package:
	14	+http://www.decalage.info/python/oletools
	15	+"""
	16	+
	17	+#=== LICENSE =================================================================
	18	+
	19	+# oletimes is copyright (c) 2013-2015, Philippe Lagadec (http://www.decalage.info)
	20	+# All rights reserved.
	21	+#
	22	+# Redistribution and use in source and binary forms, with or without modification,
	23	+# are permitted provided that the following conditions are met:
	24	+#
	25	+# * Redistributions of source code must retain the above copyright notice, this
	26	+# list of conditions and the following disclaimer.
	27	+# * Redistributions in binary form must reproduce the above copyright notice,
	28	+# this list of conditions and the following disclaimer in the documentation
	29	+# and/or other materials provided with the distribution.
	30	+#
	31	+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	32	+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	33	+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	34	+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	35	+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	36	+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	37	+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	38	+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	39	+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	40	+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	41	+
	42	+
	43	+#------------------------------------------------------------------------------
	44	+# CHANGELOG:
	45	+# 2013-07-24 v0.01 PL: - first version
	46	+# 2014-11-29 v0.02 PL: - use olefile instead of OleFileIO_PL
	47	+# - improved usage display
	48	+# 2014-11-30 v0.03 PL: - improved output with prettytable
	49	+
	50	+__version__ = '0.03'
	51	+
	52	+#------------------------------------------------------------------------------
	53	+# TODO:
	54	+# + optparse
	55	+# + nicer output: table with fixed columns, datetime, etc
	56	+# + CSV output
	57	+# + option to only show available timestamps (by default?)
	58	+
	59	+#=== IMPORTS =================================================================
	60	+
	61	+import sys, datetime
	62	+import thirdparty.olefile as olefile
	63	+from thirdparty.prettytable import prettytable
	64	+
	65	+
	66	+#=== MAIN =================================================================
	67	+
	68	+try:
	69	+ ole = olefile.OleFileIO(sys.argv[1])
	70	+except IndexError:
	71	+ sys.exit(__doc__)
	72	+
	73	+def dt2str (dt):
	74	+ """
	75	+ Convert a datetime object to a string for display, without microseconds
	76	+
	77	+ :param dt: datetime.datetime object, or None
	78	+ :return: str, or None
	79	+ """
	80	+ if dt is None:
	81	+ return None
	82	+ dt = dt.replace(microsecond = 0)
	83	+ return str(dt)
	84	+
	85	+t = prettytable.PrettyTable(['Stream/Storage name', 'Modification Time', 'Creation Time'])
	86	+t.align = 'l'
	87	+t.max_width = 26
	88	+#t.border = False
	89	+
	90	+#print'- Root mtime=%s ctime=%s' % (ole.root.getmtime(), ole.root.getctime())
	91	+t.add_row(('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))
	92	+
	93	+for obj in ole.listdir(streams=True, storages=True):
	94	+ #print '- %s: mtime=%s ctime=%s' % (repr('/'.join(obj)), ole.getmtime(obj), ole.getctime(obj))
	95	+ t.add_row((repr('/'.join(obj)), dt2str(ole.getmtime(obj)), dt2str(ole.getctime(obj))))
	96	+
	97	+print t
	98	+
	99	+ole.close()
...	...

oletools/pyxswf.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-pyxswf.py
4		-
5		-pyxswf is a script to detect, extract and analyze Flash objects (SWF) that may
6		-be embedded in files such as MS Office documents (e.g. Word, Excel),
7		-which is especially useful for malware analysis.
8		-
9		-pyxswf is an extension to xxxswf.py published by Alexander Hanel on
10		-http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
11		-Compared to xxxswf, it can extract streams from MS Office documents by parsing
12		-their OLE structure properly (-o option), which is necessary when streams are
13		-fragmented.
14		-Stream fragmentation is a known obfuscation technique, as explained on
15		-http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/
16		-
17		-It can also extract Flash objects from RTF documents, by parsing embedded
18		-objects encoded in hexadecimal format (-f option).
19		-
20		-pyxswf project website: http://www.decalage.info/python/pyxswf
21		-
22		-pyxswf is part of the python-oletools package:
23		-http://www.decalage.info/python/oletools
24		-"""
25		-
26		-#=== LICENSE =================================================================
27		-
28		-# pyxswf is copyright (c) 2012-2014, Philippe Lagadec (http://www.decalage.info)
29		-# All rights reserved.
30		-#
31		-# Redistribution and use in source and binary forms, with or without modification,
32		-# are permitted provided that the following conditions are met:
33		-#
34		-# * Redistributions of source code must retain the above copyright notice, this
35		-# list of conditions and the following disclaimer.
36		-# * Redistributions in binary form must reproduce the above copyright notice,
37		-# this list of conditions and the following disclaimer in the documentation
38		-# and/or other materials provided with the distribution.
39		-#
40		-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
41		-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
42		-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
43		-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
44		-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45		-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
46		-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
47		-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
48		-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
49		-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
50		-
51		-#------------------------------------------------------------------------------
52		-# CHANGELOG:
53		-# 2012-09-17 v0.01 PL: - first version
54		-# 2012-11-09 v0.02 PL: - added RTF embedded objects extraction
55		-# 2014-11-29 v0.03 PL: - use olefile instead of OleFileIO_PL
56		-# - improved usage display with -h
57		-
58		-__version__ = '0.03'
59		-
60		-#------------------------------------------------------------------------------
61		-# TODO:
62		-# + add support for LZMA-compressed flash files (ZWS header)
63		-# references: http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html
64		-# http://code.metager.de/source/xref/adobe/flash/crossbridge/tools/swf-info.py
65		-# http://room32.dyndns.org/forums/showthread.php?766-SWFCompression
66		-# sample code: http://room32.dyndns.org/SWFCompression.py
67		-# - check if file is OLE
68		-# - support -r
69		-
70		-
71		-#=== IMPORTS =================================================================
72		-
73		-import optparse, sys, os, rtfobj, StringIO
74		-from thirdparty.xxxswf import xxxswf
75		-import thirdparty.olefile as olefile
76		-
77		-
78		-#=== MAIN =================================================================
79		-
80		-def main():
81		- # Scenarios:
82		- # Scan file for SWF(s)
83		- # Scan file for SWF(s) and extract them
84		- # Scan file for SWF(s) and scan them with Yara
85		- # Scan file for SWF(s), extract them and scan with Yara
86		- # Scan directory recursively for files that contain SWF(s)
87		- # Scan directory recursively for files that contain SWF(s) and extract them
88		-
89		- usage = 'usage: %prog [options] <file.bad>'
90		- parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)
91		- parser.add_option('-x', '--extract', action='store_true', dest='extract', help='Extracts the embedded SWF(s), names it MD5HASH.swf & saves it in the working dir. No addition args needed')
92		- parser.add_option('-y', '--yara', action='store_true', dest='yara', help='Scans the SWF(s) with yara. If the SWF(s) is compressed it will be deflated. No addition args needed')
93		- parser.add_option('-s', '--md5scan', action='store_true', dest='md5scan', help='Scans the SWF(s) for MD5 signatures. Please see func checkMD5 to define hashes. No addition args needed')
94		- parser.add_option('-H', '--header', action='store_true', dest='header', help='Displays the SWFs file header. No addition args needed')
95		- parser.add_option('-d', '--decompress', action='store_true', dest='decompress', help='Deflates compressed SWFS(s)')
96		- parser.add_option('-r', '--recdir', dest='PATH', type='string', help='Will recursively scan a directory for files that contain SWFs. Must provide path in quotes')
97		- parser.add_option('-c', '--compress', action='store_true', dest='compress', help='Compresses the SWF using Zlib')
98		-
99		- parser.add_option('-o', '--ole', action='store_true', dest='ole', help='Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
100		- parser.add_option('-f', '--rtf', action='store_true', dest='rtf', help='Parse an RTF file to look for SWF in each embedded object')
101		-
102		-
103		- (options, args) = parser.parse_args()
104		-
105		- # Print help if no arguments are passed
106		- if len(args) == 0:
107		- parser.print_help()
108		- return
109		-
110		- # OLE MODE:
111		- if options.ole:
112		- for filename in args:
113		- ole = olefile.OleFileIO(filename)
114		- for direntry in ole.direntries:
115		- if direntry is not None and direntry.entry_type == olefile.STGTY_STREAM:
116		- f = ole._open(direntry.isectStart, direntry.size)
117		- # check if data contains the SWF magic: FWS or CWS
118		- data = f.getvalue()
119		- if 'FWS' in data or 'CWS' in data:
120		- print 'OLE stream: %s' % repr(direntry.name)
121		- # call xxxswf to scan or extract Flash files:
122		- xxxswf.disneyland(f, direntry.name, options)
123		- f.close()
124		- ole.close()
125		-
126		- # RTF MODE:
127		- elif options.rtf:
128		- for filename in args:
129		- for index, data in rtfobj.rtf_iter_objects(filename):
130		- if 'FWS' in data or 'CWS' in data:
131		- print 'RTF embedded object size %d at index %08X' % (len(data), index)
132		- f = StringIO.StringIO(data)
133		- name = 'RTF_embedded_object_%08X' % index
134		- # call xxxswf to scan or extract Flash files:
135		- xxxswf.disneyland(f, name, options)
136		-
137		- else:
138		- xxxswf.main()
139		-
140		-if __name__ == '__main__':
141		- main()
	1	+#!/usr/bin/env python
	2	+"""
	3	+pyxswf.py
	4	+
	5	+pyxswf is a script to detect, extract and analyze Flash objects (SWF) that may
	6	+be embedded in files such as MS Office documents (e.g. Word, Excel),
	7	+which is especially useful for malware analysis.
	8	+
	9	+pyxswf is an extension to xxxswf.py published by Alexander Hanel on
	10	+http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
	11	+Compared to xxxswf, it can extract streams from MS Office documents by parsing
	12	+their OLE structure properly (-o option), which is necessary when streams are
	13	+fragmented.
	14	+Stream fragmentation is a known obfuscation technique, as explained on
	15	+http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/
	16	+
	17	+It can also extract Flash objects from RTF documents, by parsing embedded
	18	+objects encoded in hexadecimal format (-f option).
	19	+
	20	+pyxswf project website: http://www.decalage.info/python/pyxswf
	21	+
	22	+pyxswf is part of the python-oletools package:
	23	+http://www.decalage.info/python/oletools
	24	+"""
	25	+
	26	+#=== LICENSE =================================================================
	27	+
	28	+# pyxswf is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info)
	29	+# All rights reserved.
	30	+#
	31	+# Redistribution and use in source and binary forms, with or without modification,
	32	+# are permitted provided that the following conditions are met:
	33	+#
	34	+# * Redistributions of source code must retain the above copyright notice, this
	35	+# list of conditions and the following disclaimer.
	36	+# * Redistributions in binary form must reproduce the above copyright notice,
	37	+# this list of conditions and the following disclaimer in the documentation
	38	+# and/or other materials provided with the distribution.
	39	+#
	40	+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	41	+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	42	+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	43	+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	44	+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	45	+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	46	+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	47	+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	48	+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	49	+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	50	+
	51	+#------------------------------------------------------------------------------
	52	+# CHANGELOG:
	53	+# 2012-09-17 v0.01 PL: - first version
	54	+# 2012-11-09 v0.02 PL: - added RTF embedded objects extraction
	55	+# 2014-11-29 v0.03 PL: - use olefile instead of OleFileIO_PL
	56	+# - improved usage display with -h
	57	+
	58	+__version__ = '0.03'
	59	+
	60	+#------------------------------------------------------------------------------
	61	+# TODO:
	62	+# + add support for LZMA-compressed flash files (ZWS header)
	63	+# references: http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html
	64	+# http://code.metager.de/source/xref/adobe/flash/crossbridge/tools/swf-info.py
	65	+# http://room32.dyndns.org/forums/showthread.php?766-SWFCompression
	66	+# sample code: http://room32.dyndns.org/SWFCompression.py
	67	+# - check if file is OLE
	68	+# - support -r
	69	+
	70	+
	71	+#=== IMPORTS =================================================================
	72	+
	73	+import optparse, sys, os, rtfobj, StringIO
	74	+from thirdparty.xxxswf import xxxswf
	75	+import thirdparty.olefile as olefile
	76	+
	77	+
	78	+#=== MAIN =================================================================
	79	+
	80	+def main():
	81	+ # Scenarios:
	82	+ # Scan file for SWF(s)
	83	+ # Scan file for SWF(s) and extract them
	84	+ # Scan file for SWF(s) and scan them with Yara
	85	+ # Scan file for SWF(s), extract them and scan with Yara
	86	+ # Scan directory recursively for files that contain SWF(s)
	87	+ # Scan directory recursively for files that contain SWF(s) and extract them
	88	+
	89	+ usage = 'usage: %prog [options] <file.bad>'
	90	+ parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)
	91	+ parser.add_option('-x', '--extract', action='store_true', dest='extract', help='Extracts the embedded SWF(s), names it MD5HASH.swf & saves it in the working dir. No addition args needed')
	92	+ parser.add_option('-y', '--yara', action='store_true', dest='yara', help='Scans the SWF(s) with yara. If the SWF(s) is compressed it will be deflated. No addition args needed')
	93	+ parser.add_option('-s', '--md5scan', action='store_true', dest='md5scan', help='Scans the SWF(s) for MD5 signatures. Please see func checkMD5 to define hashes. No addition args needed')
	94	+ parser.add_option('-H', '--header', action='store_true', dest='header', help='Displays the SWFs file header. No addition args needed')
	95	+ parser.add_option('-d', '--decompress', action='store_true', dest='decompress', help='Deflates compressed SWFS(s)')
	96	+ parser.add_option('-r', '--recdir', dest='PATH', type='string', help='Will recursively scan a directory for files that contain SWFs. Must provide path in quotes')
	97	+ parser.add_option('-c', '--compress', action='store_true', dest='compress', help='Compresses the SWF using Zlib')
	98	+
	99	+ parser.add_option('-o', '--ole', action='store_true', dest='ole', help='Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
	100	+ parser.add_option('-f', '--rtf', action='store_true', dest='rtf', help='Parse an RTF file to look for SWF in each embedded object')
	101	+
	102	+
	103	+ (options, args) = parser.parse_args()
	104	+
	105	+ # Print help if no arguments are passed
	106	+ if len(args) == 0:
	107	+ parser.print_help()
	108	+ return
	109	+
	110	+ # OLE MODE:
	111	+ if options.ole:
	112	+ for filename in args:
	113	+ ole = olefile.OleFileIO(filename)
	114	+ for direntry in ole.direntries:
	115	+ if direntry is not None and direntry.entry_type == olefile.STGTY_STREAM:
	116	+ f = ole._open(direntry.isectStart, direntry.size)
	117	+ # check if data contains the SWF magic: FWS or CWS
	118	+ data = f.getvalue()
	119	+ if 'FWS' in data or 'CWS' in data:
	120	+ print 'OLE stream: %s' % repr(direntry.name)
	121	+ # call xxxswf to scan or extract Flash files:
	122	+ xxxswf.disneyland(f, direntry.name, options)
	123	+ f.close()
	124	+ ole.close()
	125	+
	126	+ # RTF MODE:
	127	+ elif options.rtf:
	128	+ for filename in args:
	129	+ for index, data in rtfobj.rtf_iter_objects(filename):
	130	+ if 'FWS' in data or 'CWS' in data:
	131	+ print 'RTF embedded object size %d at index %08X' % (len(data), index)
	132	+ f = StringIO.StringIO(data)
	133	+ name = 'RTF_embedded_object_%08X' % index
	134	+ # call xxxswf to scan or extract Flash files:
	135	+ xxxswf.disneyland(f, name, options)
	136	+
	137	+ else:
	138	+ xxxswf.main()
	139	+
	140	+if __name__ == '__main__':
	141	+ main()
...	...

oletools/rtfobj.py

View file @cda7975

1		-#!/usr/bin/env python
2		-"""
3		-rtfobj.py - Philippe Lagadec 2013-04-02
4		-
5		-rtfobj is a Python module to extract embedded objects from RTF files, such as
6		-OLE ojects. It can be used as a Python library or a command-line tool.
7		-
8		-Usage: rtfobj.py <file.rtf>
9		-
10		-rtfobj project website: http://www.decalage.info/python/rtfobj
11		-
12		-rtfobj is part of the python-oletools package:
13		-http://www.decalage.info/python/oletools
14		-"""
15		-
16		-#=== LICENSE =================================================================
17		-
18		-# rtfobj is copyright (c) 2012-2014, Philippe Lagadec (http://www.decalage.info)
19		-# All rights reserved.
20		-#
21		-# Redistribution and use in source and binary forms, with or without modification,
22		-# are permitted provided that the following conditions are met:
23		-#
24		-# * Redistributions of source code must retain the above copyright notice, this
25		-# list of conditions and the following disclaimer.
26		-# * Redistributions in binary form must reproduce the above copyright notice,
27		-# this list of conditions and the following disclaimer in the documentation
28		-# and/or other materials provided with the distribution.
29		-#
30		-# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
31		-# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
32		-# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
33		-# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
34		-# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35		-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
36		-# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
37		-# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
38		-# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
39		-# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
40		-
41		-
42		-#------------------------------------------------------------------------------
43		-# CHANGELOG:
44		-# 2012-11-09 v0.01 PL: - first version
45		-# 2013-04-02 v0.02 PL: - fixed bug in main
46		-
47		-__version__ = '0.02'
48		-
49		-#------------------------------------------------------------------------------
50		-# TODO:
51		-# - improve regex pattern for better performance?
52		-# - allow semicolon within hex, as found in this sample:
53		-# http://contagiodump.blogspot.nl/2011/10/sep-28-cve-2010-3333-manuscript-with.html
54		-
55		-#=== IMPORTS =================================================================
56		-
57		-import re, sys, string, binascii
58		-
59		-
60		-#=== CONSTANTS=================================================================
61		-
62		-# REGEX pattern to extract embedded OLE objects in hexadecimal format:
63		-# alphanum digit: [0-9A-Fa-f]
64		-# hex char = two alphanum digits: [0-9A-Fa-f]{2}
65		-# several hex chars, at least 4: (?:[0-9A-Fa-f]{2}){4,}
66		-# at least 4 hex chars, followed by whitespace or CR/LF: (?:[0-9A-Fa-f]{2}){4,}\s*
67		-PATTERN = r'(?:(?:[0-9A-Fa-f]{2})+\s)(?:[0-9A-Fa-f]{2}){4,}'
68		-# improved pattern, allowing semicolons within hex:
69		-#PATTERN = r'(?:(?:[0-9A-Fa-f]{2})+\s)(?:[0-9A-Fa-f]{2}){4,}'
70		-
71		-# a dummy translation table for str.translate, which does not change anythying:
72		-TRANSTABLE_NOCHANGE = string.maketrans('', '')
73		-
74		-
75		-#=== FUNCTIONS =================================================================
76		-
77		-def rtf_iter_objects (filename, min_size=32):
78		- """
79		- Open a RTF file, extract each embedded object encoded in hexadecimal of
80		- size > min_size, yield the index of the object in the RTF file and its data
81		- in binary format.
82		- This is an iterator.
83		- """
84		- data = open(filename, 'rb').read()
85		- for m in re.finditer(PATTERN, data):
86		- found = m.group(0)
87		- # remove all whitespace and line feeds:
88		- #NOTE: with Python 2.6+, we could use None instead of TRANSTABLE_NOCHANGE
89		- found = found.translate(TRANSTABLE_NOCHANGE, ' \t\r\n\f\v')
90		- found = binascii.unhexlify(found)
91		- #print repr(found)
92		- if len(found)>min_size:
93		- yield m.start(), found
94		-
95		-
96		-#=== MAIN =================================================================
97		-
98		-if __name__ == '__main__':
99		- if len(sys.argv)<2:
100		- sys.exit(__doc__)
101		- for index, data in rtf_iter_objects(sys.argv[1]):
102		- print 'found object size %d at index %08X' % (len(data), index)
103		- fname = 'object_%08X.bin' % index
104		- print 'saving to file %s' % fname
105		- open(fname, 'wb').write(data)
	1	+#!/usr/bin/env python
	2	+"""
	3	+rtfobj.py - Philippe Lagadec 2013-04-02
	4	+
	5	+rtfobj is a Python module to extract embedded objects from RTF files, such as
	6	+OLE ojects. It can be used as a Python library or a command-line tool.
	7	+
	8	+Usage: rtfobj.py <file.rtf>
	9	+
	10	+rtfobj project website: http://www.decalage.info/python/rtfobj
	11	+
	12	+rtfobj is part of the python-oletools package:
	13	+http://www.decalage.info/python/oletools
	14	+"""
	15	+
	16	+#=== LICENSE =================================================================
	17	+
	18	+# rtfobj is copyright (c) 2012-2015, Philippe Lagadec (http://www.decalage.info)
	19	+# All rights reserved.
	20	+#
	21	+# Redistribution and use in source and binary forms, with or without modification,
	22	+# are permitted provided that the following conditions are met:
	23	+#
	24	+# * Redistributions of source code must retain the above copyright notice, this
	25	+# list of conditions and the following disclaimer.
	26	+# * Redistributions in binary form must reproduce the above copyright notice,
	27	+# this list of conditions and the following disclaimer in the documentation
	28	+# and/or other materials provided with the distribution.
	29	+#
	30	+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
	31	+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
	32	+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
	33	+# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
	34	+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	35	+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
	36	+# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
	37	+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
	38	+# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
	39	+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
	40	+
	41	+
	42	+#------------------------------------------------------------------------------
	43	+# CHANGELOG:
	44	+# 2012-11-09 v0.01 PL: - first version
	45	+# 2013-04-02 v0.02 PL: - fixed bug in main
	46	+
	47	+__version__ = '0.02'
	48	+
	49	+#------------------------------------------------------------------------------
	50	+# TODO:
	51	+# - improve regex pattern for better performance?
	52	+# - allow semicolon within hex, as found in this sample:
	53	+# http://contagiodump.blogspot.nl/2011/10/sep-28-cve-2010-3333-manuscript-with.html
	54	+
	55	+#=== IMPORTS =================================================================
	56	+
	57	+import re, sys, string, binascii
	58	+
	59	+
	60	+#=== CONSTANTS=================================================================
	61	+
	62	+# REGEX pattern to extract embedded OLE objects in hexadecimal format:
	63	+# alphanum digit: [0-9A-Fa-f]
	64	+# hex char = two alphanum digits: [0-9A-Fa-f]{2}
	65	+# several hex chars, at least 4: (?:[0-9A-Fa-f]{2}){4,}
	66	+# at least 4 hex chars, followed by whitespace or CR/LF: (?:[0-9A-Fa-f]{2}){4,}\s*
	67	+PATTERN = r'(?:(?:[0-9A-Fa-f]{2})+\s)(?:[0-9A-Fa-f]{2}){4,}'
	68	+# improved pattern, allowing semicolons within hex:
	69	+#PATTERN = r'(?:(?:[0-9A-Fa-f]{2})+\s)(?:[0-9A-Fa-f]{2}){4,}'
	70	+
	71	+# a dummy translation table for str.translate, which does not change anythying:
	72	+TRANSTABLE_NOCHANGE = string.maketrans('', '')
	73	+
	74	+
	75	+#=== FUNCTIONS =================================================================
	76	+
	77	+def rtf_iter_objects (filename, min_size=32):
	78	+ """
	79	+ Open a RTF file, extract each embedded object encoded in hexadecimal of
	80	+ size > min_size, yield the index of the object in the RTF file and its data
	81	+ in binary format.
	82	+ This is an iterator.
	83	+ """
	84	+ data = open(filename, 'rb').read()
	85	+ for m in re.finditer(PATTERN, data):
	86	+ found = m.group(0)
	87	+ # remove all whitespace and line feeds:
	88	+ #NOTE: with Python 2.6+, we could use None instead of TRANSTABLE_NOCHANGE
	89	+ found = found.translate(TRANSTABLE_NOCHANGE, ' \t\r\n\f\v')
	90	+ found = binascii.unhexlify(found)
	91	+ #print repr(found)
	92	+ if len(found)>min_size:
	93	+ yield m.start(), found
	94	+
	95	+
	96	+#=== MAIN =================================================================
	97	+
	98	+if __name__ == '__main__':
	99	+ if len(sys.argv)<2:
	100	+ sys.exit(__doc__)
	101	+ for index, data in rtf_iter_objects(sys.argv[1]):
	102	+ print 'found object size %d at index %08X' % (len(data), index)
	103	+ fname = 'object_%08X.bin' % index
	104	+ print 'saving to file %s' % fname
	105	+ open(fname, 'wb').write(data)
...	...