Commit cdbcd1016d425068afd0119bac57cdfc1b4e0717
1 parent
7d530ddb
olevba: improved VBA_Scanner and scan_vba API
Showing
1 changed file
with
9 additions
and
8 deletions
oletools/olevba.py
| ... | ... | @@ -1031,15 +1031,15 @@ class VBA_Scanner (object): |
| 1031 | 1031 | self.code_dridex = '' |
| 1032 | 1032 | |
| 1033 | 1033 | |
| 1034 | - def scan(self, include_hex_strings=False): | |
| 1034 | + def scan(self, include_decoded_strings=False): | |
| 1035 | 1035 | """ |
| 1036 | 1036 | Analyze the provided VBA code to detect suspicious keywords, |
| 1037 | 1037 | auto-executable macros, IOC patterns, obfuscation patterns |
| 1038 | 1038 | such as hex-encoded strings. |
| 1039 | 1039 | |
| 1040 | - :param include_hex_strings: bool, if True hex-encoded strings will be included with their decoded content. | |
| 1040 | + :param include_decoded_strings: bool, if True, all encoded strings will be included with their decoded content. | |
| 1041 | 1041 | :return: list of tuples (type, keyword, description) |
| 1042 | - (type = 'AutoExec', 'Suspicious', 'IOC' or 'Hex String') | |
| 1042 | + (type = 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String') | |
| 1043 | 1043 | """ |
| 1044 | 1044 | # First, detect and extract hex-encoded strings: |
| 1045 | 1045 | self.hex_strings = detect_hex_strings(self.code) |
| ... | ... | @@ -1098,7 +1098,7 @@ class VBA_Scanner (object): |
| 1098 | 1098 | results.append(('Suspicious', keyword, description)) |
| 1099 | 1099 | for pattern_type, value in self.iocs: |
| 1100 | 1100 | results.append(('IOC', value, pattern_type)) |
| 1101 | - if include_hex_strings: | |
| 1101 | + if include_decoded_strings: | |
| 1102 | 1102 | for encoded, decoded in self.hex_strings: |
| 1103 | 1103 | results.append(('Hex String', repr(decoded), encoded)) |
| 1104 | 1104 | for encoded, decoded in self.base64_strings: |
| ... | ... | @@ -1123,18 +1123,19 @@ class VBA_Scanner (object): |
| 1123 | 1123 | |
| 1124 | 1124 | |
| 1125 | 1125 | |
| 1126 | -def scan_vba(vba_code, include_hex_strings): | |
| 1126 | +def scan_vba(vba_code, include_decoded_strings): | |
| 1127 | 1127 | """ |
| 1128 | 1128 | Analyze the provided VBA code to detect suspicious keywords, |
| 1129 | 1129 | auto-executable macros, IOC patterns, obfuscation patterns |
| 1130 | 1130 | such as hex-encoded strings. |
| 1131 | + (shortcut for VBA_Scanner(vba_code).scan()) | |
| 1131 | 1132 | |
| 1132 | 1133 | :param vba_code: str, VBA source code to be analyzed |
| 1133 | - :param include_hex_strings: bool, if True hex-encoded strings will be included with their decoded content. | |
| 1134 | + :param include_decoded_strings: bool, if True all encoded strings will be included with their decoded content. | |
| 1134 | 1135 | :return: list of tuples (type, keyword, description) |
| 1135 | - (type = 'AutoExec', 'Suspicious', 'IOC' or 'Hex String') | |
| 1136 | + (type = 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String') | |
| 1136 | 1137 | """ |
| 1137 | - return VBA_Scanner(vba_code).scan(include_hex_strings) | |
| 1138 | + return VBA_Scanner(vba_code).scan(include_decoded_strings) | |
| 1138 | 1139 | |
| 1139 | 1140 | |
| 1140 | 1141 | #=== CLASSES ================================================================= | ... | ... |