Commit e011de51f04082c128e6a86332bc4ffc2ed10f55

Authored by Philippe Lagadec
1 parent 0bc2449b

olevba: renamed option --hex to --decode, fixed display

Showing 1 changed file with 18 additions and 17 deletions
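--- a/oletools/olevba.py
+++ b/oletools/olevba.py
@@ -117,8 +117,9 @@ https://github.com/unixfreak0037/officeparser
 # 2015-02-03 v0.23 PL: - triage now uses VBA_Scanner results, shows Base64 and
 # Dridex strings
 # - exception handling in detect_base64_strings
+# 2015-02-07 v0.24 PL: - renamed option --hex to --decode, fixed display
 
-__version__ = '0.23'
+__version__ = '0.24'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -1062,13 +1063,13 @@ class VBA_Scanner (object):
 # If hex-encoded strings were discovered, add an item to suspicious keywords:
 if self.hex_strings:
 self.suspicious_keywords.append(('Hex Strings',
-'Hex-encoded strings were detected, may be used to obfuscate strings (option --hex to see all)'))
+'Hex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)'))
 if self.base64_strings:
 self.suspicious_keywords.append(('Base64 Strings',
-'Base64-encoded strings were detected, may be used to obfuscate strings (option --hex to see all)'))
+'Base64-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)'))
 if self.dridex_strings:
 self.suspicious_keywords.append(('Dridex Strings',
-'Dridex-encoded strings were detected, may be used to obfuscate strings (option --hex to see all)'))
+'Dridex-encoded strings were detected, may be used to obfuscate strings (option --decode to see all)'))
 for keyword, description in self.autoexec_keywords:
 results.append(('AutoExec', keyword, description))
 for keyword, description in self.suspicious_keywords:
@@ -1333,15 +1334,15 @@ class VBA_Parser(object):
 self.ole_file.close()
 
 
-def print_analysis(vba_code, show_hex_strings=False):
+def print_analysis(vba_code, show_decoded_strings=False):
 """
 Analyze the provided VBA code, and print the results in a table
 
 :param vba_code: str, VBA source code to be analyzed
-:param show_hex_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
+:param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
 :return: None
 """
-results = scan_vba(vba_code, show_hex_strings)
+results = scan_vba(vba_code, show_decoded_strings)
 if results:
 t = prettytable.PrettyTable(('Type', 'Keyword', 'Description'))
 t.align = 'l'
@@ -1356,7 +1357,7 @@ def print_analysis(vba_code, show_hex_strings=False):
 
 
 
-def process_file (container, filename, data, show_hex_strings=False):
+def process_file (container, filename, data, show_decoded_strings=False):
 """
 Process a single file
 
@@ -1364,7 +1365,7 @@ def process_file (container, filename, data, show_hex_strings=False):
 a zip archive, None otherwise.
 :param filename: str, path and filename of file on disk, or within the container.
 :param data: bytes, content of the file if it is in a container, None if it is a file on disk.
-:param show_hex_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
+:param show_decoded_strings: bool, if True hex-encoded strings will be displayed with their decoded content.
 """
 #TODO: replace print by writing to a provided output file (sys.stdout by default)
 if container:
@@ -1394,7 +1395,7 @@ def process_file (container, filename, data, show_hex_strings=False):
 print vba_code
 print '- '*39
 print 'ANALYSIS:'
-print_analysis(vba_code, show_hex_strings)
+print_analysis(vba_code, show_decoded_strings)
 else:
 print 'No VBA macros found.'
 except: #TypeError:
@@ -1517,8 +1518,8 @@ def main():
 help='detailed mode, display full results (default for single file)')
 parser.add_option("-i", "--input", dest='input', type='str', default=None,
 help='input file containing VBA source code to be analyzed (no parsing)')
-parser.add_option("--hex", action="store_true", dest="show_hex_strings",
-help='display all the hex-encoded strings with their decoded content.')
+parser.add_option("--decode", action="store_true", dest="show_decoded_strings",
+help='display all the obfuscated strings with their decoded content (Hex, Base64, StrReverse, Dridex).')
 
 (options, args) = parser.parse_args()
 
@@ -1536,14 +1537,14 @@ def main():
 # input file provided with VBA source code to be analyzed directly:
 print 'Analysis of VBA source code from %s:' % options.input
 vba_code = open(options.input).read()
-print_analysis(vba_code, show_hex_strings=options.show_hex_strings)
+print_analysis(vba_code, show_decoded_strings=options.show_decoded_strings)
 sys.exit()
 
 # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('Type', 'Macros', 'AutoEx', 'Susp.', 'IOCs', 'HexStr')
 # print '%-8s %-7s %-7s %-7s %-7s %-7s' % ('-'*8, '-'*7, '-'*7, '-'*7, '-'*7, '-'*7)
 if not options.detailed_mode or options.triage_mode:
-print '%-6s %-72s' % ('Flags', 'Filename')
-print '%-6s %-72s' % ('-'*6, '-'*72)
+print '%-11s %-65s' % ('Flags', 'Filename')
+print '%-11s %-65s' % ('-'*11, '-'*65)
 previous_container = None
 count = 0
 container = filename = data = None
@@ -1554,7 +1555,7 @@ def main():
 continue
 if options.detailed_mode and not options.triage_mode:
 # fully detailed output
-process_file(container, filename, data, show_hex_strings=options.show_hex_strings)
+process_file(container, filename, data, show_decoded_strings=options.show_decoded_strings)
 else:
 # print container name when it changes:
 if container != previous_container:
@@ -1570,7 +1571,7 @@ def main():
 if count == 1 and not options.triage_mode and not options.detailed_mode:
 # if options -t and -d were not specified and it's a single file, print details:
 #TODO: avoid doing the analysis twice by storing results
-process_file(container, filename, data, show_hex_strings=options.show_hex_strings)
+process_file(container, filename, data, show_decoded_strings=options.show_decoded_strings)
 
 if __name__ == '__main__':
 main()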
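Review bot: The renamed `show_decoded_strings` parameter keeps a docstring that still describes only hex-encoded strings, in both `print_analysis` and `process_file`, while the new `--decode` help text in `main()` says the flag covers Hex, Base64, StrReverse and Dridex; the two should agree so an analyst reading the API knows which decoders the flag enables. I would change both lines to `:param show_decoded_strings: bool, if True obfuscated strings (Hex, Base64, StrReverse, Dridex) will be displayed with their decoded content.`. The flag is passed through to `scan_vba`, which is outside these hunks, so whether the decoded output actually covers all four families cannot be confirmed here. The triage header is widened to `'%-11s %-65s'`, but the line that prints each file's flags row is not in the hunk; presumably it uses the same widths, worth confirming so the columns line up.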