From e07a649f95969697e7d0fd10ece15f8267bb534f Mon Sep 17 00:00:00 2001 From: Christian Herdtweck Date: Thu, 12 May 2016 14:37:43 +0200 Subject: [PATCH] created PptParser.read_vba_storage for uncompressed data storages --- oletools/olevba.py | 3 +-- oletools/ppt_parser.py | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/oletools/olevba.py b/oletools/olevba.py index ff6961c..dea06fe 100755 --- a/oletools/olevba.py +++ b/oletools/olevba.py @@ -2218,8 +2218,7 @@ class VBA_Parser(object): storage_decomp = ppt.decompress_vba_storage(storage) n_compressed += 1 else: - log.warning('just guessing here: decompressed storage = storage?') - storage_decomp = storage.read_all() # not implemented yet + storage_decomp = ppt.read_vba_storage_data(storage) self.ole_subfiles.append(VBA_Parser(None, storage_decomp, container='PptParser')) log.info('File is PPT with {} vba infos ({} with macros) and {} ' diff --git a/oletools/ppt_parser.py b/oletools/ppt_parser.py index 3a16f9a..e2ff392 100644 --- a/oletools/ppt_parser.py +++ b/oletools/ppt_parser.py @@ -1490,6 +1490,28 @@ class PptParser(object): stream.close() + def read_vba_storage_data(self, storage): + """ return data pointed to by uncompressed storage """ + + log.debug('reading uncompressed VBA OLE data stream') + stream = None + try: + log.debug('opening stream') + stream = self.ole.openstream(MAIN_STREAM_NAME) + + log.debug('reading {} bytes starting at {}' + .format(storage.data_size, storage.data_offset)) + stream.seek(storage.data_offset, os.SEEK_SET) + data = stream.read(storage.data_size) + + return data + + finally: + if stream is not None: + log.debug('closing stream') + stream.close() + + def iterative_decompress(stream, size, chunk_size=4096): """ decompress data from stream chunk-wise """ -- libgit2 0.21.4