From cf11d960c685190978e0a695332dbf1585d1e215 Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Fri, 29 May 2015 22:33:40 +0200
Subject: [PATCH] olevba: added suspicious keywords suggested by Davy Douhine - fixed issue #9
---
 oletools/olevba.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/oletools/olevba.py b/oletools/olevba.py
index 950241d..ab80a95 100755
--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -136,7 +136,8 @@ https://github.com/unixfreak0037/officeparser
 # various data offsets (issue #12)
 # - improved detection of MSO files, avoiding incorrect
 # parsing errors (issue #7)
-# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit
+# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit,
+# Davy Douhine (issue #9)
 
 __version__ = '0.30'
 
@@ -304,6 +305,9 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a DLL':
 #TODO: regex to find declare+lib on same line
 ('Lib',),
+ 'May inject code into another process':
+ ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
+ ),
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
 ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP',
-- 
libgit2 0.21.4
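Review bot: The attribution comment on the new `'May inject code into another process'` entry is placed inside the tuple literal, after `'VirtualAlloc',` and before a closing parenthesis that sits alone on the next line, which breaks the one-key-two-lines layout that the neighbouring entries keep and leaves a dangling `, ` before `)`. The adjacent entries put their notes on a comment line above the tuple (`#TODO: regex to find ...`), so the same convention here would be `    # (issue #9) suggested by Davy Douhine - used by MSF payload` followed by `    'May inject code into another process':` and `        ('CreateThread', 'VirtualAlloc'),`. It would also help a reader triaging hits to note next to the entry that, if these tuples are matched as plain substrings like the others appear to be, the two names will also match longer API names that contain them, so the description should be read as an indicator rather than proof of injection into another process. The enclosing `SUSPICIOUS_KEYWORDS` dict begins and ends outside this hunk.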