Commit dafe55c6197af19d52454f340502e07b2a0fe96f
1 parent
23ffafb3
enable macro deofuscation in json mode if --deof is given
Showing
1 changed file
with
11 additions
and
5 deletions
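--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -2771,12 +2771,14 @@ class VBA_Parser_CLI(VBA_Parser):
 else:
 print 'No suspicious keyword or IOC found.'
 
-def print_analysis_json(self, show_decoded_strings=False):
+def print_analysis_json(self, show_decoded_strings=False, deobfuscate=False):
 """
 Analyze the provided VBA code, and return the results in json format
 
 :param vba_code: str, VBA source code to be analyzed
 :param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
+:param deobfuscate: bool, if True attempt to deobfuscate VBA expressions (slow)
+
 :return: dict
 """
 # print a waiting message only if the output is not redirected to a file:
@@ -2784,7 +2786,7 @@ class VBA_Parser_CLI(VBA_Parser):
 print 'Analysis...\r',
 sys.stdout.flush()
 return [dict(type=kw_type, keyword=keyword, description=description)
-for kw_type, keyword, description in self.analyze_macros(show_decoded_strings)]
+for kw_type, keyword, description in self.analyze_macros(show_decoded_strings, deobfuscate)]
 
 def process_file(self, show_decoded_strings=False,
 display_code=True, hide_attributes=True,
@@ -2856,7 +2858,8 @@ class VBA_Parser_CLI(VBA_Parser):
 
 def process_file_json(self, show_decoded_strings=False,
 display_code=True, hide_attributes=True,
-vba_code_only=False, show_deobfuscated_code=False):
+vba_code_only=False, show_deobfuscated_code=False,
+deobfuscate=False):
 """
 Process a single file
 
@@ -2869,6 +2872,7 @@ class VBA_Parser_CLI(VBA_Parser):
 :param global_analysis: bool, if True all modules are merged for a single analysis (default),
 otherwise each module is analyzed separately (old behaviour)
 :param hide_attributes: bool, if True the first lines starting with "Attribute VB" are hidden (default)
+:param deobfuscate: bool, if True attempt to deobfuscate VBA expressions (slow)
 """
 #TODO: fix conflicting parameters (?)
 
@@ -2907,7 +2911,8 @@ class VBA_Parser_CLI(VBA_Parser):
 macros.append(curr_macro)
 if not vba_code_only:
 # analyse the code from all modules at once:
-result['analysis'] = self.print_analysis_json(show_decoded_strings)
+result['analysis'] = self.print_analysis_json(show_decoded_strings,
+deobfuscate)
 if show_deobfuscated_code:
 result['code_deobfuscated'] = self.reveal()
 result['macros'] = macros
@@ -3130,7 +3135,8 @@ def main():
 vba_parser.process_file_json(show_decoded_strings=options.show_decoded_strings,
 display_code=options.display_code,
 hide_attributes=options.hide_attributes, vba_code_only=options.vba_code_only,
-show_deobfuscated_code=options.show_deobfuscated_code))
+show_deobfuscated_code=options.show_deobfuscated_code,
+deobfuscate=options.deobfuscate))
 else: # (should be impossible)
 raise ValueError('unexpected output mode: "{0}"!'.format(options.output_mode))
 count += 1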
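Review bot: In the print_analysis_json docstring edited in the first hunk, `:param vba_code:` documents a parameter the method does not take, and `:return: dict` contradicts the list comprehension the method actually returns in the second hunk, so the result is a list of dicts rather than a dict. Since this commit already touches that docstring, drop the `vba_code` entry and change the return line to `:return: list of dicts, each with keys type, keyword and description`. The `:param global_analysis:` entry in process_file_json's docstring (fourth hunk) looks stale for the same reason — the signature shown in the third hunk has no such parameter — though the start of that docstring lies outside the hunk. For consistency with the keyword-style call in main() (last hunk), the new call in the fifth hunk could be `result['analysis'] = self.print_analysis_json(show_decoded_strings=show_decoded_strings, deobfuscate=deobfuscate)`, which also guards against future argument reordering. print_analysis_json's body spans the first and second hunks with the lines between them not shown, and main() starts and ends outside the last hunk.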