Commit ec2468a32b56f1e8aa372326a0b2d7df42c42c7b
1 parent
7b213e49
olevba: added suspicious keywords EnumDateFormats and EnumSystemLanguageGroups
Showing
2 changed files
with
11 additions
and
6 deletions
oletools/olevba.py
| ... | ... | @@ -187,8 +187,9 @@ from __future__ import print_function |
| 187 | 187 | # 2016-09-06 PL: - fixed issue #20, is_zipfile on Python 2.6 |
| 188 | 188 | # 2016-09-12 PL: - enabled packrat to improve pyparsing performance |
| 189 | 189 | # 2016-10-25 PL: - fixed raise and print statements for Python 3 |
| 190 | +# 2016-11-03 v0.51 PL: - added EnumDateFormats and EnumSystemLanguageGroupsW | |
| 190 | 191 | |
| 191 | -__version__ = '0.50' | |
| 192 | +__version__ = '0.51a' | |
| 192 | 193 | |
| 193 | 194 | #------------------------------------------------------------------------------ |
| 194 | 195 | # TODO: |
| ... | ... | @@ -547,7 +548,11 @@ SUSPICIOUS_KEYWORDS = { |
| 547 | 548 | ('Lib',), |
| 548 | 549 | 'May inject code into another process': |
| 549 | 550 | ('CreateThread', 'VirtualAlloc', # (issue #9) suggested by Davy Douhine - used by MSF payload |
| 551 | + 'VirtualAllocEx', 'RtlMoveMemory', | |
| 550 | 552 | ), |
| 553 | + 'May run a shellcode in memory': | |
| 554 | + ('EnumSystemLanguageGroupsW?', # Used by Hancitor in Oct 2016 | |
| 555 | + 'EnumDateFormats(?:W|(?:Ex){1,2})?'), # see https://msdn.microsoft.com/en-us/library/windows/desktop/dd317810(v=vs.85).aspx | |
| 551 | 556 | 'May download files from the Internet': |
| 552 | 557 | #TODO: regex to find urlmon+URLDownloadToFileA on same line |
| 553 | 558 | ('URLDownloadToFileA', 'Msxml2.XMLHTTP', 'Microsoft.XMLHTTP', |
| ... | ... | @@ -602,8 +607,6 @@ SUSPICIOUS_KEYWORDS = { |
| 602 | 607 | 'May detect WinJail Sandbox': |
| 603 | 608 | # ref: http://www.cplusplus.com/forum/windows/96874/ |
| 604 | 609 | ('Afx:400000:0',), |
| 605 | - 'Memory manipulation': | |
| 606 | - ('VirtualAllocEx', 'RtlMoveMemory'), | |
| 607 | 610 | } |
| 608 | 611 | |
| 609 | 612 | # Regular Expression for a URL: |
| ... | ... | @@ -1773,9 +1776,11 @@ def detect_suspicious(vba_code, obfuscation=None): |
| 1773 | 1776 | for description, keywords in SUSPICIOUS_KEYWORDS.items(): |
| 1774 | 1777 | for keyword in keywords: |
| 1775 | 1778 | # search using regex to detect word boundaries: |
| 1776 | - if re.search(r'(?i)\b' + keyword + r'\b', vba_code): | |
| 1779 | + match = re.search(r'(?i)\b' + keyword + r'\b', vba_code) | |
| 1780 | + if match: | |
| 1777 | 1781 | #if keyword.lower() in vba_code: |
| 1778 | - results.append((keyword, description + obf_text)) | |
| 1782 | + found_keyword = match.group() | |
| 1783 | + results.append((found_keyword, description + obf_text)) | |
| 1779 | 1784 | return results |
| 1780 | 1785 | |
| 1781 | 1786 | ... | ... |
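Review bot: The new 'May run a shellcode in memory' entries in the second hunk turn SUSPICIOUS_KEYWORDS into a mix of literal API names and regex fragments, but nothing at the dict documents that; detect_suspicious (fourth hunk) interpolates each entry unescaped between `\b` anchors, so a maintainer adding a literal name containing `.`, `(` or `+` gets an unintended pattern (the existing 'Msxml2.XMLHTTP' already matches any character at the dot). I would add above the dict, whose opening line is outside this hunk: `# NOTE: each entry is a regex fragment, wrapped in \b...\b (case-insensitive) by detect_suspicious(); escape metacharacters in literal API names.` Separately, `EnumDateFormats(?:W|(?:Ex){1,2})?` accepts the bare, W, Ex and ExEx forms but not an A suffix or ExA/ExW, which may or may not be intended, and the changelog line in the first hunk names only EnumSystemLanguageGroupsW although the pattern also matches the un-suffixed name.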
setup.py
| ... | ... | @@ -40,7 +40,7 @@ import os, fnmatch |
| 40 | 40 | #--- METADATA ----------------------------------------------------------------- |
| 41 | 41 | |
| 42 | 42 | name = "oletools" |
| 43 | -version = '0.50' | |
| 43 | +version = '0.51a' | |
| 44 | 44 | desc = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR" |
| 45 | 45 | long_desc = open('oletools/README.rst').read() |
| 46 | 46 | author = "Philippe Lagadec" | ... | ... |