plugin_biff: updated to v0.0.17

New version of the BIFF plugin from Didier Stevens. Changelog: - 2020/05/26: 0.0.16 added logic for reserved bits in BOUNDSHEET - 2020/07/17: 0.0.17 added option --statistics Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>

plugin_biff: updated to v0.0.17
New version of the BIFF plugin from Didier Stevens. Changelog: - 2020/05/26: 0.0.16 added logic for reserved bits in BOUNDSHEET - 2020/07/17: 0.0.17 added option --statistics Signed-off-by: Jürgen Löhel <juergen.loehel@inlyse.com>
Jürgen Löhel
1 parent be57af2f
Showing 1 changed file with 41 additions and 10 deletions
oletools/thirdparty/oledump/plugin_biff.py
@@ -2,8 +2,8 @@
  
 __description__ = 'BIFF plugin for oledump.py'
 __author__ = 'Didier Stevens'
-__version__ = '0.0.15'
-__date__ = '2020/05/22'
+__version__ = '0.0.17'
+__date__ = '2020/07/17'
  
 # Slightly modified version by Philippe Lagadec to be imported into olevba
  
@@ -41,7 +41,9 @@ History:
   2020/05/18: continue
   2020/05/20: 0.0.13 option -j
   2020/05/21: 0.0.14 improved parsing for a83890bbc081b9ec839c9a32ec06eae6f549a0f85fe0a30751ef229a58e440af, bc39d3bb128f329d95393bf0a4f6ec813356e847a00794c18258bfa48df6937f, 002a8371570487bc81eec4aeea9fdfb7
-  2020/05/22: Python 3 fix STRING record 0x207
+  2020/05/22: 0.0.15 Python 3 fix STRING record 0x207
+  2020/05/26: 0.0.16 added logic for reserved bits in BOUNDSHEET
+  2020/07/17: 0.0.17 added option --statistics
  
  
 Todo:
@@ -55,7 +57,14 @@ import json
 # Modifications for olevba:
 import sys
 import binascii
-from .oledump_extract import *
+from .oledump_extract import(
+    cPluginParent,
+    AddPlugin,
+    CIC,
+    IFF,
+    P23Ord,
+    P23Chr
+)
 # end modifications
  
 DEFAULT_SEPARATOR = ','
@@ -1301,8 +1310,6 @@ def DecodeRKValue(data):
     if number & 0x01:
         divider = 100.0
     if number & 0x02:
-        print(repr(data))
-        raise Exception('DecodeRKValue')
         return (struct.unpack('<i', data)[0] >> 2) / divider
     else:
         return struct.unpack('<d', b'\x00\x00\x00\x00' + data)[0] / divider
@@ -1607,6 +1614,7 @@ class cBIFF(cPluginParent):
             oParser.add_option('-c', '--csv', action='store_true', default=False, help='Produce CSV')
             oParser.add_option('-j', '--json', action='store_true', default=False, help='Produce JSON')
             oParser.add_option('-r', '--cellrefformat', type=str, default='rc', help='Cell reference format (RC, LN)')
+            oParser.add_option('-S', '--statistics', action='store_true', default=False, help='Produce BIFF record statistics')
             (options, args) = oParser.parse_args(self.options.split(' '))
  
             if options.find.startswith('0x'):
@@ -1619,12 +1627,14 @@ class cBIFF(cPluginParent):
             sheetNames = []
             definesNames = []
             currentSheetname = ''
+            dOpcodeStatistics = {}
             while position < len(stream):
                 formatcodes = 'HH'
                 formatsize = struct.calcsize(formatcodes)
                 if len(stream[position:position + formatsize]) < formatsize:
                     break
                 opcode, length = struct.unpack(formatcodes, stream[position:position + formatsize])
+                dOpcodeStatistics[opcode] = [dOpcodeStatistics.get(opcode, [0, 0])[0] + 1, dOpcodeStatistics.get(opcode, [0, 0])[1] + length]
                 data = stream[position + formatsize:position + formatsize + length]
                 positionBIFFRecord = position
                 position = position + formatsize + length
@@ -1674,7 +1684,10 @@ class cBIFF(cPluginParent):
                     definesNames.append(name)
                     if flags & 0x01:
                         line += ' hidden'
-                    parsedExpression, stack = ParseExpression(data[offset+lnName:offset+lnName+szFormula], definesNames, sheetNames, options.cellrefformat)
+                    try:
+                        parsedExpression, stack = ParseExpression(data[offset+lnName:offset+lnName+szFormula], definesNames, sheetNames, options.cellrefformat)
+                    except IndexError:
+                        parsedExpression = '*PARSING ERROR*'
                     line += ' len=%d %s' % (szFormula, parsedExpression)
  
                 # FILEPASS record
@@ -1689,11 +1702,17 @@ class cBIFF(cPluginParent):
                     dSheetType = {0: 'worksheet or dialog sheet', 1: 'Excel 4.0 macro sheet', 2: 'chart', 6: 'Visual Basic module'}
                     if sheetType == 1:
                         macros4Found = True
-                    dSheetState = {0: 'visible', 1: 'hidden', 2: 'very hidden'}
                     sheetName = ShortXLUnicodeString(data[6:])
                     dSheetNames[positionBOF] = sheetName
                     sheetNames.append(sheetName)
-                    line += ' - %s, %s - %s' % (dSheetType.get(sheetType, '%02x' % sheetType), dSheetState.get(sheetState, '%02x' % sheetState), sheetName)
+
+                    dSheetState = {0: 'visible', 1: 'hidden', 2: 'very hidden', 3: 'visibility=3'}
+                    visibility = ''
+                    if sheetState > 3:
+                        visibility = 'reserved bits not zero: 0x%02x ' % (sheetState & 0xFC)
+                    visibility += dSheetState.get(sheetState & 3, '0x%02x' % (sheetState & 3))
+
+                    line += ' - %s, %s - %s' % (dSheetType.get(sheetType, '%02x' % sheetType), visibility, sheetName)
  
                 # BOF record
                 if opcode == 0x0809 and len(data) >= 4:
@@ -1715,7 +1734,6 @@ class cBIFF(cPluginParent):
                     if values[1] != []:
                         if strings != '':
                             strings += ' '
-                        print(values)
                         strings += ' '.join(values[1])
                     line += ' - %s' % strings
  
@@ -1761,6 +1779,19 @@ class cBIFF(cPluginParent):
  
             if options.xlm and filepassFound:
                 result = ['FILEPASS record: file is password protected']
+            elif options.statistics:
+                stats = []
+                for opcode in sorted(dOpcodeStatistics.keys()):
+                    stats.append((opcode, dOpcodes.get(opcode, ''), dOpcodeStatistics[opcode][0], dOpcodeStatistics[opcode][1]))
+                if options.csv:
+                    result = [MakeCSVLine(['opcode', 'description', 'count', 'totalsize'], DEFAULT_SEPARATOR, QUOTE)]
+                else:
+                    result = []
+                for item in stats:
+                    if options.csv:
+                        result.append(MakeCSVLine(item, DEFAULT_SEPARATOR, QUOTE))
+                    else:
+                        result.append('%d %s: %d %d' % item)
             elif options.xlm and not macros4Found:
                 result = []
             elif options.csv: