Commit cf11d960c685190978e0a695332dbf1585d1e215
1 parent
9f16427f
olevba: added suspicious keywords suggested by Davy Douhine - fixed issue #9
Showing
1 changed file
with
5 additions
and
1 deletions
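--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -136,7 +136,8 @@ https://github.com/unixfreak0037/officeparser
 # various data offsets (issue #12)
 # - improved detection of MSO files, avoiding incorrect
 # parsing errors (issue #7)
-# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit
+# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit,
+# Davy Douhine (issue #9)
 
 __version__ = '0.30'
 
@@ -304,6 +305,9 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a DLL':
 #TODO: regex to find declare+lib on same line
 ('Lib',),
+'May inject code into another process':
+('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
+),
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
 ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP',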
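Review bot: The new 'May inject code into another process' entry carries its provenance as a trailing comment inside the tuple literal, leaving the closing parenthesis orphaned on its own line, whereas the neighbouring entries put their notes on a separate `#` line before the tuple. Moving it above keeps the dict consistent and the entry on one line: `# (issue #9) suggested by Davy Douhine - used by MSF payload` followed by `('CreateThread', 'VirtualAlloc'),`. The match semantics of SUSPICIOUS_KEYWORDS are not visible in this hunk; if entries are matched as plain substrings, as the TODOs on the adjacent keys suggest, both names can also appear in ordinary API declarations, so a TODO in the same form as the neighbours (pairing them with a Declare/Lib context) would help readers judge the false-positive risk. The SUSPICIOUS_KEYWORDS dict starts and ends outside the hunk.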