Commit d251039a3b66c20b991c9d36e0b68d2e9942424d
1 parent
f9086ed4
mraptor/mraptor3: added support for Word/PowerPoint 2007+ XML (aka Flat OPC) - issue #283
Showing
3 changed files
with
11 additions
and
23 deletions
oletools/mraptor.py
| @@ -9,6 +9,7 @@ Supported formats: | @@ -9,6 +9,7 @@ Supported formats: | ||
| 9 | - Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm) | 9 | - Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm) |
| 10 | - Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb) | 10 | - Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb) |
| 11 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) | 11 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) |
| 12 | +- Word/PowerPoint 2007+ XML (aka Flat OPC) | ||
| 12 | - Word 2003 XML (.xml) | 13 | - Word 2003 XML (.xml) |
| 13 | - Word/Excel Single File Web Page / MHTML (.mht) | 14 | - Word/Excel Single File Web Page / MHTML (.mht) |
| 14 | - Publisher (.pub) | 15 | - Publisher (.pub) |
| @@ -22,7 +23,7 @@ http://www.decalage.info/python/oletools | @@ -22,7 +23,7 @@ http://www.decalage.info/python/oletools | ||
| 22 | 23 | ||
| 23 | # === LICENSE ================================================================== | 24 | # === LICENSE ================================================================== |
| 24 | 25 | ||
| 25 | -# MacroRaptor is copyright (c) 2016-2017 Philippe Lagadec (http://www.decalage.info) | 26 | +# MacroRaptor is copyright (c) 2016-2018 Philippe Lagadec (http://www.decalage.info) |
| 26 | # All rights reserved. | 27 | # All rights reserved. |
| 27 | # | 28 | # |
| 28 | # Redistribution and use in source and binary forms, with or without modification, | 29 | # Redistribution and use in source and binary forms, with or without modification, |
| @@ -56,8 +57,9 @@ http://www.decalage.info/python/oletools | @@ -56,8 +57,9 @@ http://www.decalage.info/python/oletools | ||
| 56 | # 2016-10-25 PL: - fixed print for Python 3 | 57 | # 2016-10-25 PL: - fixed print for Python 3 |
| 57 | # 2016-12-21 v0.51 PL: - added more ActiveX macro triggers | 58 | # 2016-12-21 v0.51 PL: - added more ActiveX macro triggers |
| 58 | # 2017-03-08 PL: - fixed absolute imports | 59 | # 2017-03-08 PL: - fixed absolute imports |
| 60 | +# 2018-05-25 v0.53 PL: - added Word/PowerPoint 2007+ XML (aka Flat OPC) issue #283 | ||
| 59 | 61 | ||
| 60 | -__version__ = '0.51' | 62 | +__version__ = '0.53dev12' |
| 61 | 63 | ||
| 62 | #------------------------------------------------------------------------------ | 64 | #------------------------------------------------------------------------------ |
| 63 | # TODO: | 65 | # TODO: |
| @@ -83,6 +85,7 @@ from oletools.thirdparty.xglob import xglob | @@ -83,6 +85,7 @@ from oletools.thirdparty.xglob import xglob | ||
| 83 | from oletools.thirdparty.tablestream import tablestream | 85 | from oletools.thirdparty.tablestream import tablestream |
| 84 | 86 | ||
| 85 | from oletools import olevba | 87 | from oletools import olevba |
| 88 | +from oletools.olevba import TYPE2TAG | ||
| 86 | 89 | ||
| 87 | # === LOGGING ================================================================= | 90 | # === LOGGING ================================================================= |
| 88 | 91 | ||
| @@ -131,15 +134,6 @@ RE_DECLARE_LIB = r'(?:\bDeclare\b[^\n]+\bLib\b)' | @@ -131,15 +134,6 @@ RE_DECLARE_LIB = r'(?:\bDeclare\b[^\n]+\bLib\b)' | ||
| 131 | re_execute = re.compile(r'(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|' | 134 | re_execute = re.compile(r'(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|' |
| 132 | + r'MacScript|FollowHyperlink|CreateThread|ShellExecute)\b|' + RE_DECLARE_LIB) | 135 | + r'MacScript|FollowHyperlink|CreateThread|ShellExecute)\b|' + RE_DECLARE_LIB) |
| 133 | 136 | ||
| 134 | -# short tag to display file types in triage mode: | ||
| 135 | -TYPE2TAG = { | ||
| 136 | - olevba.TYPE_OLE: 'OLE', | ||
| 137 | - olevba.TYPE_OpenXML: 'OpX', | ||
| 138 | - olevba.TYPE_Word2003_XML: 'XML', | ||
| 139 | - olevba.TYPE_MHTML: 'MHT', | ||
| 140 | - olevba.TYPE_TEXT: 'TXT', | ||
| 141 | -} | ||
| 142 | - | ||
| 143 | 137 | ||
| 144 | # === CLASSES ================================================================= | 138 | # === CLASSES ================================================================= |
| 145 | 139 |
oletools/mraptor3.py
| @@ -9,6 +9,7 @@ Supported formats: | @@ -9,6 +9,7 @@ Supported formats: | ||
| 9 | - Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm) | 9 | - Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm) |
| 10 | - Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb) | 10 | - Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb) |
| 11 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) | 11 | - PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm) |
| 12 | +- Word/PowerPoint 2007+ XML (aka Flat OPC) | ||
| 12 | - Word 2003 XML (.xml) | 13 | - Word 2003 XML (.xml) |
| 13 | - Word/Excel Single File Web Page / MHTML (.mht) | 14 | - Word/Excel Single File Web Page / MHTML (.mht) |
| 14 | - Publisher (.pub) | 15 | - Publisher (.pub) |
| @@ -22,7 +23,7 @@ http://www.decalage.info/python/oletools | @@ -22,7 +23,7 @@ http://www.decalage.info/python/oletools | ||
| 22 | 23 | ||
| 23 | # === LICENSE ================================================================== | 24 | # === LICENSE ================================================================== |
| 24 | 25 | ||
| 25 | -# MacroRaptor is copyright (c) 2016-2017 Philippe Lagadec (http://www.decalage.info) | 26 | +# MacroRaptor is copyright (c) 2016-2018 Philippe Lagadec (http://www.decalage.info) |
| 26 | # All rights reserved. | 27 | # All rights reserved. |
| 27 | # | 28 | # |
| 28 | # Redistribution and use in source and binary forms, with or without modification, | 29 | # Redistribution and use in source and binary forms, with or without modification, |
| @@ -55,8 +56,9 @@ http://www.decalage.info/python/oletools | @@ -55,8 +56,9 @@ http://www.decalage.info/python/oletools | ||
| 55 | # 2016-08-26 PL: - changed imports for Python 3 | 56 | # 2016-08-26 PL: - changed imports for Python 3 |
| 56 | # 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141) | 57 | # 2017-04-26 v0.51 PL: - fixed absolute imports (issue #141) |
| 57 | # 2017-06-29 PL: - synced with mraptor.py 0.51 | 58 | # 2017-06-29 PL: - synced with mraptor.py 0.51 |
| 59 | +# 2018-05-25 v0.53 PL: - added Word/PowerPoint 2007+ XML (aka Flat OPC) issue #283 | ||
| 58 | 60 | ||
| 59 | -__version__ = '0.51' | 61 | +__version__ = '0.53dev12' |
| 60 | 62 | ||
| 61 | #------------------------------------------------------------------------------ | 63 | #------------------------------------------------------------------------------ |
| 62 | # TODO: | 64 | # TODO: |
| @@ -83,6 +85,7 @@ from oletools.thirdparty.tablestream import tablestream | @@ -83,6 +85,7 @@ from oletools.thirdparty.tablestream import tablestream | ||
| 83 | 85 | ||
| 84 | # import the python 3 version of olevba | 86 | # import the python 3 version of olevba |
| 85 | from oletools import olevba3 as olevba | 87 | from oletools import olevba3 as olevba |
| 88 | +from oletools.olevba3 import TYPE2TAG | ||
| 86 | 89 | ||
| 87 | # === LOGGING ================================================================= | 90 | # === LOGGING ================================================================= |
| 88 | 91 | ||
| @@ -131,15 +134,6 @@ RE_DECLARE_LIB = r'(?:\bDeclare\b[^\n]+\bLib\b)' | @@ -131,15 +134,6 @@ RE_DECLARE_LIB = r'(?:\bDeclare\b[^\n]+\bLib\b)' | ||
| 131 | re_execute = re.compile(r'(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|' | 134 | re_execute = re.compile(r'(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|' |
| 132 | + r'MacScript|FollowHyperlink|CreateThread|ShellExecute)\b|' + RE_DECLARE_LIB) | 135 | + r'MacScript|FollowHyperlink|CreateThread|ShellExecute)\b|' + RE_DECLARE_LIB) |
| 133 | 136 | ||
| 134 | -# short tag to display file types in triage mode: | ||
| 135 | -TYPE2TAG = { | ||
| 136 | - olevba.TYPE_OLE: 'OLE', | ||
| 137 | - olevba.TYPE_OpenXML: 'OpX', | ||
| 138 | - olevba.TYPE_Word2003_XML: 'XML', | ||
| 139 | - olevba.TYPE_MHTML: 'MHT', | ||
| 140 | - olevba.TYPE_TEXT: 'TXT', | ||
| 141 | -} | ||
| 142 | - | ||
| 143 | 137 | ||
| 144 | # === CLASSES ================================================================= | 138 | # === CLASSES ================================================================= |
| 145 | 139 |
setup.py
| @@ -43,7 +43,7 @@ import os, fnmatch | @@ -43,7 +43,7 @@ import os, fnmatch | ||
| 43 | #--- METADATA ----------------------------------------------------------------- | 43 | #--- METADATA ----------------------------------------------------------------- |
| 44 | 44 | ||
| 45 | name = "oletools" | 45 | name = "oletools" |
| 46 | -version = '0.53dev11' | 46 | +version = '0.53dev12' |
| 47 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" | 47 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 48 | long_desc = open('oletools/README.rst').read() | 48 | long_desc = open('oletools/README.rst').read() |
| 49 | author = "Philippe Lagadec" | 49 | author = "Philippe Lagadec" |