Commit dafe55c6197af19d52454f340502e07b2a0fe96f
1 parent
23ffafb3
enable macro deofuscation in json mode if --deof is given
Showing
1 changed file
with
11 additions
and
5 deletions
oletools/olevba.py
| @@ -2771,12 +2771,14 @@ class VBA_Parser_CLI(VBA_Parser): | @@ -2771,12 +2771,14 @@ class VBA_Parser_CLI(VBA_Parser): | ||
| 2771 | else: | 2771 | else: |
| 2772 | print 'No suspicious keyword or IOC found.' | 2772 | print 'No suspicious keyword or IOC found.' |
| 2773 | 2773 | ||
| 2774 | - def print_analysis_json(self, show_decoded_strings=False): | 2774 | + def print_analysis_json(self, show_decoded_strings=False, deobfuscate=False): |
| 2775 | """ | 2775 | """ |
| 2776 | Analyze the provided VBA code, and return the results in json format | 2776 | Analyze the provided VBA code, and return the results in json format |
| 2777 | 2777 | ||
| 2778 | :param vba_code: str, VBA source code to be analyzed | 2778 | :param vba_code: str, VBA source code to be analyzed |
| 2779 | :param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content. | 2779 | :param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content. |
| 2780 | + :param deobfuscate: bool, if True attempt to deobfuscate VBA expressions (slow) | ||
| 2781 | + | ||
| 2780 | :return: dict | 2782 | :return: dict |
| 2781 | """ | 2783 | """ |
| 2782 | # print a waiting message only if the output is not redirected to a file: | 2784 | # print a waiting message only if the output is not redirected to a file: |
| @@ -2784,7 +2786,7 @@ class VBA_Parser_CLI(VBA_Parser): | @@ -2784,7 +2786,7 @@ class VBA_Parser_CLI(VBA_Parser): | ||
| 2784 | print 'Analysis...\r', | 2786 | print 'Analysis...\r', |
| 2785 | sys.stdout.flush() | 2787 | sys.stdout.flush() |
| 2786 | return [dict(type=kw_type, keyword=keyword, description=description) | 2788 | return [dict(type=kw_type, keyword=keyword, description=description) |
| 2787 | - for kw_type, keyword, description in self.analyze_macros(show_decoded_strings)] | 2789 | + for kw_type, keyword, description in self.analyze_macros(show_decoded_strings, deobfuscate)] |
| 2788 | 2790 | ||
| 2789 | def process_file(self, show_decoded_strings=False, | 2791 | def process_file(self, show_decoded_strings=False, |
| 2790 | display_code=True, hide_attributes=True, | 2792 | display_code=True, hide_attributes=True, |
| @@ -2856,7 +2858,8 @@ class VBA_Parser_CLI(VBA_Parser): | @@ -2856,7 +2858,8 @@ class VBA_Parser_CLI(VBA_Parser): | ||
| 2856 | 2858 | ||
| 2857 | def process_file_json(self, show_decoded_strings=False, | 2859 | def process_file_json(self, show_decoded_strings=False, |
| 2858 | display_code=True, hide_attributes=True, | 2860 | display_code=True, hide_attributes=True, |
| 2859 | - vba_code_only=False, show_deobfuscated_code=False): | 2861 | + vba_code_only=False, show_deobfuscated_code=False, |
| 2862 | + deobfuscate=False): | ||
| 2860 | """ | 2863 | """ |
| 2861 | Process a single file | 2864 | Process a single file |
| 2862 | 2865 | ||
| @@ -2869,6 +2872,7 @@ class VBA_Parser_CLI(VBA_Parser): | @@ -2869,6 +2872,7 @@ class VBA_Parser_CLI(VBA_Parser): | ||
| 2869 | :param global_analysis: bool, if True all modules are merged for a single analysis (default), | 2872 | :param global_analysis: bool, if True all modules are merged for a single analysis (default), |
| 2870 | otherwise each module is analyzed separately (old behaviour) | 2873 | otherwise each module is analyzed separately (old behaviour) |
| 2871 | :param hide_attributes: bool, if True the first lines starting with "Attribute VB" are hidden (default) | 2874 | :param hide_attributes: bool, if True the first lines starting with "Attribute VB" are hidden (default) |
| 2875 | + :param deobfuscate: bool, if True attempt to deobfuscate VBA expressions (slow) | ||
| 2872 | """ | 2876 | """ |
| 2873 | #TODO: fix conflicting parameters (?) | 2877 | #TODO: fix conflicting parameters (?) |
| 2874 | 2878 | ||
| @@ -2907,7 +2911,8 @@ class VBA_Parser_CLI(VBA_Parser): | @@ -2907,7 +2911,8 @@ class VBA_Parser_CLI(VBA_Parser): | ||
| 2907 | macros.append(curr_macro) | 2911 | macros.append(curr_macro) |
| 2908 | if not vba_code_only: | 2912 | if not vba_code_only: |
| 2909 | # analyse the code from all modules at once: | 2913 | # analyse the code from all modules at once: |
| 2910 | - result['analysis'] = self.print_analysis_json(show_decoded_strings) | 2914 | + result['analysis'] = self.print_analysis_json(show_decoded_strings, |
| 2915 | + deobfuscate) | ||
| 2911 | if show_deobfuscated_code: | 2916 | if show_deobfuscated_code: |
| 2912 | result['code_deobfuscated'] = self.reveal() | 2917 | result['code_deobfuscated'] = self.reveal() |
| 2913 | result['macros'] = macros | 2918 | result['macros'] = macros |
| @@ -3130,7 +3135,8 @@ def main(): | @@ -3130,7 +3135,8 @@ def main(): | ||
| 3130 | vba_parser.process_file_json(show_decoded_strings=options.show_decoded_strings, | 3135 | vba_parser.process_file_json(show_decoded_strings=options.show_decoded_strings, |
| 3131 | display_code=options.display_code, | 3136 | display_code=options.display_code, |
| 3132 | hide_attributes=options.hide_attributes, vba_code_only=options.vba_code_only, | 3137 | hide_attributes=options.hide_attributes, vba_code_only=options.vba_code_only, |
| 3133 | - show_deobfuscated_code=options.show_deobfuscated_code)) | 3138 | + show_deobfuscated_code=options.show_deobfuscated_code, |
| 3139 | + deobfuscate=options.deobfuscate)) | ||
| 3134 | else: # (should be impossible) | 3140 | else: # (should be impossible) |
| 3135 | raise ValueError('unexpected output mode: "{0}"!'.format(options.output_mode)) | 3141 | raise ValueError('unexpected output mode: "{0}"!'.format(options.output_mode)) |
| 3136 | count += 1 | 3142 | count += 1 |