Commit cf11d960c685190978e0a695332dbf1585d1e215
1 parent
9f16427f
olevba: added suspicious keywords suggested by Davy Douhine - fixed issue #9
Showing
1 changed file
with
5 additions
and
1 deletions
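--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -136,7 +136,8 @@ https://github.com/unixfreak0037/officeparser
 # various data offsets (issue #12)
 # - improved detection of MSO files, avoiding incorrect
 # parsing errors (issue #7)
-# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit
+# 2015-05-29 v0.30 PL: - added suspicious keywords suggested by @ozhermit,
+# Davy Douhine (issue #9)
 
 __version__ = '0.30'
 
@@ -304,6 +305,9 @@ SUSPICIOUS_KEYWORDS = {
 'May run code from a DLL':
 #TODO: regex to find declare+lib on same line
 ('Lib',),
+ 'May inject code into another process':
+ ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload
+ ),
 'May download files from the Internet':
 #TODO: regex to find urlmon+URLDownloadToFileA on same line
 ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP',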
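Review bot: The label on the new entry at new line 308 overstates what its keywords show: `VirtualAlloc` and `CreateThread` operate on the calling process, so a hit indicates shellcode being staged and run in memory inside the macro host, not injection into another process, and an analyst reading the report may look in the wrong place. Either rename the key, e.g. `'May run shellcode in memory':`, or keep the key and add the cross-process counterparts (`VirtualAllocEx`, `WriteProcessMemory`, `CreateRemoteThread`) so the description matches what is detected. The `# (issue #9) suggested by Davy Douhine - used by MSF payload` comment would read better on its own line above the tuple, matching the `#TODO` comments on the neighbouring entries. The SUSPICIOUS_KEYWORDS dict starts before and ends after this hunk.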