Commit eb2b93eb7357a7f2f3defeb4c87b3eb2ebe1de7c
1 parent
99148905
oledir: added table displaying storage tree and CLSIDs
Showing
2 changed files
with
18 additions
and
4 deletions
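--- a/oletools/oledir.py
+++ b/oletools/oledir.py
@@ -14,7 +14,7 @@ http://www.decalage.info/python/oletools
 
 #=== LICENSE ==================================================================
 
-# oledir is copyright (c) 2015-2017 Philippe Lagadec (http://www.decalage.info)
+# oledir is copyright (c) 2015-2018 Philippe Lagadec (http://www.decalage.info)
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without modification,
@@ -48,8 +48,9 @@ from __future__ import print_function
 # 2016-08-09 PL: - fixed issue #77 (imports from thirdparty dir)
 # 2017-03-08 v0.51 PL: - fixed absolute imports, added optparse
 # - added support for zip files and wildcards
+# 2018-04-11 v0.53 PL: - added table displaying storage tree and CLSIDs
 
-__version__ = '0.51'
+__version__ = '0.53dev1'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -105,7 +106,7 @@ STORAGE_NAMES = {
 
 STORAGE_COLORS = {
     olefile.STGTY_EMPTY: 'green',
-    olefile.STGTY_STORAGE: 'blue',
+    olefile.STGTY_STORAGE: 'cyan',
     olefile.STGTY_STREAM: 'yellow',
     olefile.STGTY_LOCKBYTES: 'magenta',
     olefile.STGTY_PROPERTY: 'magenta',
@@ -118,6 +119,12 @@ STATUS_COLORS = {
     'ORPHAN': 'red',
 }
 
+KNOWN_CLSIDS = {
+    '00020906-0000-0000-C000-000000000046': 'MS Word',
+    '0002CE02-0000-0000-C000-000000000046': 'MS Equation Editor (may trigger CVE-2017-11882)',
+    '00000300-0000-0000-C000-000000000046': 'StdOleLink (embedded OLE object)',
+}
+
 
 # === FUNCTIONS ==============================================================
 
@@ -127,6 +134,13 @@ def sid_display(sid):
     else:
         return sid
 
+def clsid_display(clsid):
+    if clsid in KNOWN_CLSIDS:
+        clsid += '\n%s' % KNOWN_CLSIDS[clsid]
+    color = 'yellow'
+    if 'CVE-' in clsid:
+        color = 'red'
+    return (clsid, color)
 
 # === MAIN ===================================================================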
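Review bot: In `clsid_display` (new lines 137-143) the red colour is derived by searching the already-concatenated display string for the substring `'CVE-'`, so whether a CLSID is flagged depends on the wording of its KNOWN_CLSIDS description rather than on an explicit classification, and the same substring test also runs against the raw CLSID text read from the analysed file when it is not in the table. An explicit set of CLSIDs that deserve the red flag, consulted before the description is appended, keeps the classification separate from the display text and survives any rewording of the descriptions. The function also lacks a docstring; a one-liner such as `"""Return (display_text, color) for a CLSID, appending its known description if any."""` would document the tuple return that callers rely on. If the CLSID strings handed in by olefile can differ in case from the uppercase keys, the membership test silently misses — worth confirming and normalising with `.upper()` if so.

```python
# CLSIDs known to be abused by malicious documents; shown in red.
DANGEROUS_CLSIDS = {
    '0002CE02-0000-0000-C000-000000000046',  # Equation Editor, CVE-2017-11882
}

def clsid_display(clsid):
    """Return (display_text, color) for a CLSID, appending its known description if any."""
    color = 'red' if clsid in DANGEROUS_CLSIDS else 'yellow'
    if clsid in KNOWN_CLSIDS:
        clsid += '\n%s' % KNOWN_CLSIDS[clsid]
    return (clsid, color)
```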
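--- a/setup.py
+++ b/setup.py
@@ -43,7 +43,7 @@ import os, fnmatch
 #--- METADATA -----------------------------------------------------------------
 
 name = "oletools"
-version = '0.52.5'
+version = '0.53dev1'
 desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc = open('oletools/README.rst').read()
 author = "Philippe Lagadec"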