Commit e011de51f04082c128e6a86332bc4ffc2ed10f55
1 parent
0bc2449b
olevba: renamed option --hex to --decode, fixed display
Showing
1 changed file
with
18 additions
and
17 deletions
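--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -117,8 +117,9 @@ https://github.com/unixfreak0037/officeparser
 # 2015-02-03 v0.23 PL: - triage now uses VBA_Scanner results, shows Base64 and
 # Dridex strings
 # - exception handling in detect_base64_strings
+# 2015-02-07 v0.24 PL: - renamed option --hex to --decode, fixed display
 
-__version__ = '0.23'
+__version__ = '0.24'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -1062,13 +1063,13 @@ class VBA_Scanner (object):
 # If hex-encoded strings were discovered, add an item to suspicious keywords:
 if self.hex_strings:
 self.suspicious_keywords.append(('Hex Strings',
- 'Hex-encoded strings were detected, may be used to obfuscate strings (option --hex to see all)'))
+ 'Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)'))
 if self.base64_strings:
 self.suspicious_keywords.append(('Base64 Strings',
- 'Base64-encoded strings were detected, may be used to obfuscate strings (option --hex to see all)'))
+ 'Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)'))
 if self.dridex_strings:
 self.suspicious_keywords.append(('Dridex Strings',
- 'Dridex-encoded strings were detected, may be used to obfuscate strings (option --hex to see all)'))
+ 'Dridex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)'))
 for keyword, description in self.autoexec_keywords:
 results.append(('AutoExec', keyword, description))
 for keyword, description in self.suspicious_keywords:
@@ -1333,15 +1334,15 @@ class VBA_Parser(object):
 self.ole_file.close()
 
 
-def print_analysis(vba_code, show_hex_strings=False):
+def print_analysis(vba_code, show_decoded_strings=False):
 """
 Analyze the provided VBA code, and print the results in a table
 
 :param vba_code: str, VBA source code to be analyzed
- :param show_hex_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
+ :param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
 :return: None
 """
- results = scan_vba(vba_code, show_hex_strings)
+ results = scan_vba(vba_code, show_decoded_strings)
 if results:
 t = prettytable.PrettyTable(('Type', 'Keyword', 'Description'))
 t.align = 'l'
@@ -1356,7 +1357,7 @@ def print_analysis(vba_code, show_hex_strings=False):
 
 
 
-def process_file (container, filename, data, show_hex_strings=False):
+def process_file (container, filename, data, show_decoded_strings=False):
 """
 Process a single file
 
@@ -1364,7 +1365,7 @@ def process_file (container, filename, data, show_hex_strings=False):
 a zip archive, None otherwise.
 :param filename: str, path and filename of file on disk, or within the container.
 :param data: bytes, content of the file if it is in a container, None if it is a file on disk.
- :param show_hex_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
+ :param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
 """
 #TODO: replace print by writing to a provided output file (sys.stdout by default)
 if container:
@@ -1394,7 +1395,7 @@ def process_file (container, filename, data, show_hex_strings=False):
 print vba_code
 print '- '*39
 print 'ANALYSIS:'
- print_analysis(vba_code, show_hex_strings)
+ print_analysis(vba_code, show_decoded_strings)
 else:
 print 'No VBA macros found.'
 except: #TypeError:
@@ -1517,8 +1518,8 @@ def main():
 help='detailed mode, display full results (default for single file)')
 parser.add_option("-i", "--input", dest='input', type='str', default=None,
 help='input file containing VBA source code to be analyzed (no parsing)')
- parser.add_option("--hex", action="store_true", dest="show_hex_strings",
- help='display all the hex-encoded strings with their decoded content.')
+ parser.add_option("--decode", action="store_true", dest="show_decoded_strings",
+ help='display all the obfuscated strings with their decoded content (Hex, Base64, StrReverse, Dridex).')
 
 (options, args) = parser.parse_args()
 
@@ -1536,14 +1537,14 @@ def main():
 # input file provided with VBA source code to be analyzed directly:
 print 'Analysis of VBA source code from %s:' % options.input
 vba_code = open(options.input).read()
- print_analysis(vba_code, show_hex_strings=options.show_hex_strings)
+ print_analysis(vba_code, show_decoded_strings=options.show_decoded_strings)
 sys.exit()
 
 # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('Type', 'Macros', 'AutoEx', 'Susp.', 'IOCs', 'HexStr')
 # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('-'*8, '-'*7, '-'*7, '-'*7, '-'*7, '-'*7)
 if not options.detailed_mode or options.triage_mode:
- print '%-6s %-72s' % ('Flags', 'Filename')
- print '%-6s %-72s' % ('-'*6, '-'*72)
+ print '%-11s %-65s' % ('Flags', 'Filename')
+ print '%-11s %-65s' % ('-'*11, '-'*65)
 previous_container = None
 count = 0
 container = filename = data = None
@@ -1554,7 +1555,7 @@ def main():
 continue
 if options.detailed_mode and not options.triage_mode:
 # fully detailed output
- process_file(container, filename, data, show_hex_strings=options.show_hex_strings)
+ process_file(container, filename, data, show_decoded_strings=options.show_decoded_strings)
 else:
 # print container name when it changes:
 if container != previous_container:
@@ -1570,7 +1571,7 @@ def main():
 if count == 1 and not options.triage_mode and not options.detailed_mode:
 # if options -t and -d were not specified and it's a single file, print details:
 #TODO: avoid doing the analysis twice by storing results
- process_file(container, filename, data, show_hex_strings=options.show_hex_strings)
+ process_file(container, filename, data, show_decoded_strings=options.show_decoded_strings)
 
 if __name__ == '__main__':
 main()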
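Review bot: The docstrings for show_decoded_strings in print_analysis (new line 1342) and process_file (new line 1368) still describe the flag as showing only hex-encoded strings, while the new `--decode` help text in main() (new line 1522) says it covers Hex, Base64, StrReverse and Dridex; change both to `:param show_decoded_strings: bool, if True obfuscated strings (Hex, Base64, StrReverse, Dridex) will be displayed with their decoded content.` Dropping `--hex` outright and renaming the keyword parameter of print_analysis and process_file breaks existing command lines and any external caller passing `show_hex_strings=`; whether such callers exist cannot be seen from this file. Assuming the parser is optparse's OptionParser, as add_option suggests, a hidden alias `parser.add_option("--hex", action="store_true", dest="show_decoded_strings", help=optparse.SUPPRESS_HELP)` next to the `--decode` option would keep old invocations working through a transition release. The bodies of print_analysis, process_file and main() each extend beyond the hunks shown.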