Commit d17b08f3595ccaefdbcd37ffb584a6303b5680b3
1 parent
694cdd02
olevba: added autoexec keywords for MS Publisher (.pub) - issues #84, #85
Showing
1 changed file
with
11 additions
and
1 deletions
oletools/olevba.py
| @@ -12,6 +12,7 @@ Supported formats: | @@ -12,6 +12,7 @@ Supported formats: | ||
| 12 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) | 12 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) |
| 13 | - Word 2003 XML (.xml) | 13 | - Word 2003 XML (.xml) |
| 14 | - Word/Excel Single File Web Page / MHTML (.mht) | 14 | - Word/Excel Single File Web Page / MHTML (.mht) |
| 15 | +- Publisher (.pub) | ||
| 15 | 16 | ||
| 16 | Author: Philippe Lagadec - http://www.decalage.info | 17 | Author: Philippe Lagadec - http://www.decalage.info |
| 17 | License: BSD, see source code or documentation | 18 | License: BSD, see source code or documentation |
| @@ -180,6 +181,7 @@ https://github.com/unixfreak0037/officeparser | @@ -180,6 +181,7 @@ https://github.com/unixfreak0037/officeparser | ||
| 180 | # 2016-07-29 CH: - fixed several bugs including #73 (Mac Roman encoding) | 181 | # 2016-07-29 CH: - fixed several bugs including #73 (Mac Roman encoding) |
| 181 | # 2016-08-31 PL: - added autoexec keyword InkPicture_Painted | 182 | # 2016-08-31 PL: - added autoexec keyword InkPicture_Painted |
| 182 | # - detect_autoexec now returns the exact keyword found | 183 | # - detect_autoexec now returns the exact keyword found |
| 184 | +# 2016-09-05 PL: - added autoexec keywords for MS Publisher (.pub) | ||
| 183 | 185 | ||
| 184 | __version__ = '0.50' | 186 | __version__ = '0.50' |
| 185 | 187 | ||
| @@ -439,7 +441,7 @@ ATTR_NAME = NS_W + 'name' | @@ -439,7 +441,7 @@ ATTR_NAME = NS_W + 'name' | ||
| 439 | AUTOEXEC_KEYWORDS = { | 441 | AUTOEXEC_KEYWORDS = { |
| 440 | # MS Word: | 442 | # MS Word: |
| 441 | 'Runs when the Word document is opened': | 443 | 'Runs when the Word document is opened': |
| 442 | - ('AutoExec', 'AutoOpen', 'Document_Open', 'DocumentOpen'), | 444 | + ('AutoExec', 'AutoOpen', 'DocumentOpen'), |
| 443 | 'Runs when the Word document is closed': | 445 | 'Runs when the Word document is closed': |
| 444 | ('AutoExit', 'AutoClose', 'Document_Close', 'DocumentBeforeClose'), | 446 | ('AutoExit', 'AutoClose', 'Document_Close', 'DocumentBeforeClose'), |
| 445 | 'Runs when the Word document is modified': | 447 | 'Runs when the Word document is modified': |
| @@ -447,11 +449,19 @@ AUTOEXEC_KEYWORDS = { | @@ -447,11 +449,19 @@ AUTOEXEC_KEYWORDS = { | ||
| 447 | 'Runs when a new Word document is created': | 449 | 'Runs when a new Word document is created': |
| 448 | ('AutoNew', 'Document_New', 'NewDocument'), | 450 | ('AutoNew', 'Document_New', 'NewDocument'), |
| 449 | 451 | ||
| 452 | + # MS Word and Publisher: | ||
| 453 | + 'Runs when the Word or Publisher document is opened': | ||
| 454 | + ('Document_Open',), | ||
| 455 | + 'Runs when the Publisher document is closed': | ||
| 456 | + ('Document_BeforeClose',), | ||
| 457 | + | ||
| 450 | # MS Excel: | 458 | # MS Excel: |
| 451 | 'Runs when the Excel Workbook is opened': | 459 | 'Runs when the Excel Workbook is opened': |
| 452 | ('Auto_Open', 'Workbook_Open', 'Workbook_Activate'), | 460 | ('Auto_Open', 'Workbook_Open', 'Workbook_Activate'), |
| 453 | 'Runs when the Excel Workbook is closed': | 461 | 'Runs when the Excel Workbook is closed': |
| 454 | ('Auto_Close', 'Workbook_Close'), | 462 | ('Auto_Close', 'Workbook_Close'), |
| 463 | + | ||
| 464 | + # any MS Office application: | ||
| 455 | 'Runs when the file is opened (using InkPicture ActiveX object)': | 465 | 'Runs when the file is opened (using InkPicture ActiveX object)': |
| 456 | # ref:https://twitter.com/joe4security/status/770691099988025345 | 466 | # ref:https://twitter.com/joe4security/status/770691099988025345 |
| 457 | (r'\w+_Painted',), | 467 | (r'\w+_Painted',), |