Commit cdbcd1016d425068afd0119bac57cdfc1b4e0717

Authored by Philippe Lagadec
1 parent 7d530ddb

olevba: improved VBA_Scanner and scan_vba API

Showing 1 changed file with 9 additions and 8 deletions
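--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -1031,15 +1031,15 @@ class VBA_Scanner (object):
 self.code_dridex = ''
 
 
-def scan(self, include_hex_strings=False):
+def scan(self, include_decoded_strings=False):
 """
 Analyze the provided VBA code to detect suspicious keywords,
 auto-executable macros, IOC patterns, obfuscation patterns
 such as hex-encoded strings.
 
-:param include_hex_strings: bool, if True hex-encoded strings will be included with their decoded content.
+:param include_decoded_strings: bool, if True, all encoded strings will be included with their decoded content.
 :return: list of tuples (type, keyword, description)
-(type = 'AutoExec', 'Suspicious', 'IOC' or 'Hex String')
+(type = 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String')
 """
 # First, detect and extract hex-encoded strings:
 self.hex_strings = detect_hex_strings(self.code)
@@ -1098,7 +1098,7 @@ class VBA_Scanner (object):
 results.append(('Suspicious', keyword, description))
 for pattern_type, value in self.iocs:
 results.append(('IOC', value, pattern_type))
-if include_hex_strings:
+if include_decoded_strings:
 for encoded, decoded in self.hex_strings:
 results.append(('Hex String', repr(decoded), encoded))
 for encoded, decoded in self.base64_strings:
@@ -1123,18 +1123,19 @@ class VBA_Scanner (object):
 
 
 
-def scan_vba(vba_code, include_hex_strings):
+def scan_vba(vba_code, include_decoded_strings):
 """
 Analyze the provided VBA code to detect suspicious keywords,
 auto-executable macros, IOC patterns, obfuscation patterns
 such as hex-encoded strings.
+(shortcut for VBA_Scanner(vba_code).scan())
 
 :param vba_code: str, VBA source code to be analyzed
-:param include_hex_strings: bool, if True hex-encoded strings will be included with their decoded content.
+:param include_decoded_strings: bool, if True all encoded strings will be included with their decoded content.
 :return: list of tuples (type, keyword, description)
-(type = 'AutoExec', 'Suspicious', 'IOC' or 'Hex String')
+(type = 'AutoExec', 'Suspicious', 'IOC', 'Hex String', 'Base64 String' or 'Dridex String')
 """
-return VBA_Scanner(vba_code).scan(include_hex_strings)
+return VBA_Scanner(vba_code).scan(include_decoded_strings)
 
 
 #=== CLASSES =================================================================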
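Review bot: In the third hunk `scan_vba` renames its second parameter to `include_decoded_strings` but still gives it no default, while the method it wraps, `VBA_Scanner.scan`, defaults the same flag to False; the new docstring line `(shortcut for VBA_Scanner(vba_code).scan())` therefore describes a call that `scan_vba(vba_code)` alone cannot make. Aligning the signatures with `def scan_vba(vba_code, include_decoded_strings=False):` keeps the shortcut a true shortcut and makes the default behaviour (no decoded attacker-controlled strings in the report) explicit for both entry points. Since this is a public module-level function and the keyword name changes, any caller passing `include_hex_strings=` as a keyword will now raise TypeError; if external callers exist, a short deprecation alias or a changelog note would be worth adding. The `scan` method in the first two hunks continues outside the visible hunks, so the 'Dridex String' type named in the updated docstring cannot be confirmed from here.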