From f3c42b855875ad08f75a99bfe318cadaaf5a3f0f Mon Sep 17 00:00:00 2001
From: Philippe Lagadec
Date: Mon, 15 Oct 2012 21:51:48 +0200
Subject: [PATCH] Renamed xxxswf2 to pyxswf
---
README.md | 20 +++++++++++---------
oletools/README.txt | 28 +++++++++++++++++-----------
oletools/olebrowse.py | 2 +-
oletools/pyxswf.py | 103 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
oletools/xxxswf2.py | 103 -------------------------------------------------------------------------------------------------------
5 files changed, 132 insertions(+), 124 deletions(-)
create mode 100644 oletools/pyxswf.py
delete mode 100644 oletools/xxxswf2.py
diff --git a/README.md b/README.md
index 6c41d4e..ea08118 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Tools in oletools: - **olebrowse**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams. -- **xxxswf2**: a script to detect, extract and analyze Flash objects (SWF) that may +- **pyxswf**: a script to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis. - and a few others (coming soon)
@@ -17,7 +17,7 @@ Tools in oletools: News ---- -- 2012-10-09: Initial version of olebrowse and xxxswf2 +- 2012-10-09: Initial version of olebrowse and pyxswf - see changelog in source code for more info. Download: 
@@ -34,16 +34,18 @@ view and extract individual data streams. Usage: olebrowse.py [file] +If you provide a file it will be opened, else a dialog will allow you to browse folders to open a file. Then if it is a valid OLE file, the list of data streams will be displayed. You can select a stream, and then either view its content in a builtin hexadecimal viewer, or save it to a file for further analysis. + olebrowse project website: [http://www.decalage.info/python/olebrowse](http://www.decalage.info/python/olebrowse) -xxxswf2: +pyxswf: -------- -xxxswf2 is a script to detect, extract and analyze Flash objects (SWF files) that may +pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis. -xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel on +pyxswf is an improved version of xxxswf.py published by Alexander Hanel on [http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html](http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html) Compared to xxxswf, it can extract streams from MS Office documents by parsing
@@ -53,7 +55,7 @@ Stream fragmentation is a known obfuscation technique, as explained on For this, simply add the -o option to work on OLE streams rather than raw files. - Usage: xxxswf2.py [options] + Usage: pyxswf.py [options] Options: -o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF 
@@ -75,18 +77,18 @@ For this, simply add the -o option to work on OLE streams rather than raw files. Example - detecting and extracting a SWF file from a Word document on Windows: - C:\oletools>xxxswf2.py -o word_flash.doc + C:\oletools>pyxswf.py -o word_flash.doc OLE stream: 'Contents' [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents [ADDR] SWF 1 at 0x8 - FWS Header - C:\oletools>xxxswf2.py -xo word_flash.doc + C:\oletools>pyxswf.py -xo word_flash.doc OLE stream: 'Contents' [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents [ADDR] SWF 1 at 0x8 - FWS Header [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf -xxxswf2 project website: [http://www.decalage.info/python/xxxswf2](http://www.decalage.info/python/xxxswf2) +pyxswf project website: [http://www.decalage.info/python/pyxswf](http://www.decalage.info/python/pyxswf) How to contribute:
diff --git a/oletools/README.txt b/oletools/README.txt
index 5633061..8a9441e 100644
--- a/oletools/README.txt
+++ b/oletools/README.txt
@@ -16,7 +16,7 @@ Tools in oletools: - **olebrowse**: A simple GUI to browse OLE files (e.g. MS Word, Excel, Powerpoint documents), to view and extract individual data streams. -- **xxxswf2**: a script to detect, extract and analyze Flash objects +- **pyxswf**: a script to detect, extract and analyze Flash objects (SWF) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis. - and a few others (coming soon)
@@ -24,7 +24,7 @@ Tools in oletools: News ---- -- 2012-10-09: Initial version of olebrowse and xxxswf2 +- 2012-10-09: Initial version of olebrowse and pyxswf - see changelog in source code for more info. Download: 
@@ -43,17 +43,23 @@ documents), to view and extract individual data streams. Usage: olebrowse.py [file] +If you provide a file it will be opened, else a dialog will allow you to +browse folders to open a file. Then if it is a valid OLE file, the list +of data streams will be displayed. You can select a stream, and then +either view its content in a builtin hexadecimal viewer, or save it to a +file for further analysis. + olebrowse project website: `http://www.decalage.info/python/olebrowse `_ -xxxswf2: --------- +pyxswf: +------- -xxxswf2 is a script to detect, extract and analyze Flash objects (SWF +pyxswf is a script to detect, extract and analyze Flash objects (SWF files) that may be embedded in files such as MS Office documents (e.g. Word, Excel), which is especially useful for malware analysis. -xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel +pyxswf is an improved version of xxxswf.py published by Alexander Hanel on `http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html `_
@@ -68,7 +74,7 @@ raw files. :: - Usage: xxxswf2.py [options] + Usage: pyxswf.py [options] Options: -o, --ole Parse an OLE file (e.g. Word, Excel) to look for SWF
@@ -93,19 +99,19 @@ Windows: :: - C:\oletools>xxxswf2.py -o word_flash.doc + C:\oletools>pyxswf.py -o word_flash.doc OLE stream: 'Contents' [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents [ADDR] SWF 1 at 0x8 - FWS Header - C:\oletools>xxxswf2.py -xo word_flash.doc + C:\oletools>pyxswf.py -xo word_flash.doc OLE stream: 'Contents' [SUMMARY] 1 SWF(s) in MD5:993664cc86f60d52d671b6610813cfd1:Contents [ADDR] SWF 1 at 0x8 - FWS Header [FILE] Carved SWF MD5: 2498e9c0701dc0e461ab4358f9102bc5.swf -xxxswf2 project website: -`http://www.decalage.info/python/xxxswf2 `_ +pyxswf project website: +`http://www.decalage.info/python/pyxswf `_ How to contribute: ------------------
diff --git a/oletools/olebrowse.py b/oletools/olebrowse.py
index 95fcd45..3bf6871 100644
--- a/oletools/olebrowse.py
+++ b/oletools/olebrowse.py
@@ -43,7 +43,7 @@ __version__ = '0.01' # TODO: # - menu option to open another file # - menu option to display properties -# - menu option to run xxxswf2, oleid, oleyara, olecarve, etc +# - menu option to run other oletools, external tools such as OfficeCat? # - for a stream, display info: size, path, etc # - stream info: magic, entropy, ... ?
diff --git a/oletools/pyxswf.py b/oletools/pyxswf.py
new file mode 100644
index 0000000..3aaca98
--- /dev/null
+++ b/oletools/pyxswf.py
@@ -0,0 +1,103 @@
+#!/usr/bin/env python
+"""
+pyxswf.py - Philippe Lagadec 2012-09-17
+
+pyxswf is a script to detect, extract and analyze Flash objects (SWF) that may
+be embedded in files such as MS Office documents (e.g. Word, Excel),
+which is especially useful for malware analysis.
+pyxswf is an improved version of xxxswf.py published by Alexander Hanel on
+http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
+Compared to xxxswf, it can extract streams from MS Office documents by parsing
+their OLE structure properly, which is necessary when streams are fragmented.
+Stream fragmentation is a known obfuscation technique, as explained on
+http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/
+
+pyxswf project website: http://www.decalage.info/python/pyxswf
+
+pyxswf is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+"""
+
+__version__ = '0.01'
+
+#------------------------------------------------------------------------------
+# CHANGELOG:
+# 2012-09-17 v0.01 PL: - first version
+
+#------------------------------------------------------------------------------
+# TODO:
+# - check if file is OLE
+# - support -r
+
+import optparse, sys, os
+from thirdparty.xxxswf import xxxswf
+from thirdparty.OleFileIO_PL import OleFileIO_PL
+
+def main():
+ # Scenarios:
+ # Scan file for SWF(s)
+ # Scan file for SWF(s) and extract them
+ # Scan file for SWF(s) and scan them with Yara
+ # Scan file for SWF(s), extract them and scan with Yara
+ # Scan directory recursively for files that contain SWF(s)
+ # Scan directory recursively for files that contain SWF(s) and extract them
+
+ usage = 'usage: %prog [options] '
+ parser = optparse.OptionParser(usage=usage)
+ parser.add_option('-x', '--extract', action='store_true', dest='extract', help='Extracts the embedded SWF(s), names it MD5HASH.swf & saves it in the working dir. No addition args needed')
+ parser.add_option('-y', '--yara', action='store_true', dest='yara', help='Scans the SWF(s) with yara. If the SWF(s) is compressed it will be deflated. No addition args needed')
+ parser.add_option('-s', '--md5scan', action='store_true', dest='md5scan', help='Scans the SWF(s) for MD5 signatures. Please see func checkMD5 to define hashes. 
No addition args needed')
+ parser.add_option('-H', '--header', action='store_true', dest='header', help='Displays the SWFs file header. No addition args needed')
+ parser.add_option('-d', '--decompress', action='store_true', dest='decompress', help='Deflates compressed SWFS(s)')
+ parser.add_option('-r', '--recdir', dest='PATH', type='string', help='Will recursively scan a directory for files that contain SWFs. Must provide path in quotes')
+ parser.add_option('-c', '--compress', action='store_true', dest='compress', help='Compresses the SWF using Zlib')
+
+ parser.add_option('-o', '--ole', action='store_true', dest='ole', help='Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
+
+
+ (options, args) = parser.parse_args()
+
+ # Print help if no argurments are passed
+ if len(args) == 0:
+ parser.print_help()
+ return
+
+ if options.ole:
+ for filename in args:
+ ole = OleFileIO_PL.OleFileIO(filename)
+ for direntry in ole.direntries:
+ if direntry is not None and direntry.entry_type == OleFileIO_PL.STGTY_STREAM:
+ f = ole._open(direntry.isectStart, direntry.size)
+ # check if data contains the SWF magic: FWS or CWS
+ data = f.getvalue()
+ if 'FWS' in data or 'CWS' in data:
+ print 'OLE stream: %s' % repr(direntry.name)
+ # call xxxswf to scan or extract Flash files:
+ xxxswf.disneyland(f, direntry.name, options)
+ f.close()
+ ole.close()
+ else:
+ xxxswf.main()
+
+if __name__ == '__main__':
+ main()
diff --git a/oletools/xxxswf2.py b/oletools/xxxswf2.py
deleted file mode 100644
index 82bd325..0000000
--- a/oletools/xxxswf2.py
+++ /dev/null
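Review bot: The `-o` branch of `main()` calls `OleFileIO_PL.OleFileIO(filename)` and `ole._open(direntry.isectStart, direntry.size)` with no error handling, so a truncated, crafted or simply non-OLE argument — routine input for a malware-triage tool — raises out of the loop, aborts the remaining files and skips `ole.close()`; the TODO `check if file is OLE` in the same hunk acknowledges this. I would catch the open failure per file and release the handle in a `finally` as below; if the bundled OleFileIO_PL provides `isOleFile()`, an up-front check gives a cleaner message than a traceback. Note also that `direntry.size` is taken from the sample's own directory entry, so how the private `_open()` bounds a bogus size is worth confirming, and `'FWS' in data or 'CWS' in data` is only a pre-filter (the magic can sit anywhere in the stream), which deserves a comment such as `# cheap pre-filter: xxxswf does the real header parsing` so it is not mistaken for validation. `main()` starts and ends inside this hunk.
```python
    if options.ole:
        for filename in args:
            try:
                ole = OleFileIO_PL.OleFileIO(filename)
            except Exception as e:
                # Malformed or non-OLE input is routine when triaging samples:
                # report it and continue with the next file instead of aborting.
                print 'ERROR: %s is not a valid OLE file (%s)' % (filename, e)
                continue
            try:
                for direntry in ole.direntries:
                    # ... unchanged: STGTY_STREAM filter, FWS/CWS pre-check, xxxswf.disneyland() call ...
            finally:
                # release the file even if xxxswf raises on one stream
                ole.close()
```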
@@ -1,103 +0,0 @@
-#!/usr/bin/env python
-"""
-xxxswf2.py - Philippe Lagadec 2012-09-17
-
-xxxswf2 is a script to detect, extract and analyze Flash objects (SWF) that may
-be embedded in files such as MS Office documents (e.g. Word, Excel),
-which is especially useful for malware analysis.
-xxxswf2 is an improved version of xxxswf.py published by Alexander Hanel on
-http://hooked-on-mnemonics.blogspot.nl/2011/12/xxxswfpy.html
-Compared to xxxswf, it can extract streams from MS Office documents by parsing
-their OLE structure properly, which is necessary when streams are fragmented.
-Stream fragmentation is a known obfuscation technique, as explained on
-http://www.breakingpointsystems.com/resources/blog/evasion-with-ole2-fragmentation/
-
-xxxswf2 project website: http://www.decalage.info/python/xxxswf2
-
-xxxswf2 is copyright (c) 2012, Philippe Lagadec (http://www.decalage.info)
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
- * Redistributions of source code must retain the above copyright notice, this
- list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above copyright notice,
- this list of conditions and the following disclaimer in the documentation
- and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-"""
-
-__version__ = '0.01'
-
-#------------------------------------------------------------------------------
-# CHANGELOG:
-# 2012-09-17 v0.01 PL: - first version
-
-#------------------------------------------------------------------------------
-# TODO:
-# - check if file is OLE
-# - support -r
-
-import optparse, sys, os
-from thirdparty.xxxswf import xxxswf
-from thirdparty.OleFileIO_PL import OleFileIO_PL
-
-def main():
- # Scenarios:
- # Scan file for SWF(s)
- # Scan file for SWF(s) and extract them
- # Scan file for SWF(s) and scan them with Yara
- # Scan file for SWF(s), extract them and scan with Yara
- # Scan directory recursively for files that contain SWF(s)
- # Scan directory recursively for files that contain SWF(s) and extract them
-
- usage = 'usage: %prog [options] '
- parser = optparse.OptionParser(usage=usage)
- parser.add_option('-x', '--extract', action='store_true', dest='extract', help='Extracts the embedded SWF(s), names it MD5HASH.swf & saves it in the working dir. No addition args needed')
- parser.add_option('-y', '--yara', action='store_true', dest='yara', help='Scans the SWF(s) with yara. If the SWF(s) is compressed it will be deflated. No addition args needed')
- parser.add_option('-s', '--md5scan', action='store_true', dest='md5scan', help='Scans the SWF(s) for MD5 signatures. Please see func checkMD5 to define hashes. 
No addition args needed')
- parser.add_option('-H', '--header', action='store_true', dest='header', help='Displays the SWFs file header. No addition args needed')
- parser.add_option('-d', '--decompress', action='store_true', dest='decompress', help='Deflates compressed SWFS(s)')
- parser.add_option('-r', '--recdir', dest='PATH', type='string', help='Will recursively scan a directory for files that contain SWFs. Must provide path in quotes')
- parser.add_option('-c', '--compress', action='store_true', dest='compress', help='Compresses the SWF using Zlib')
-
- parser.add_option('-o', '--ole', action='store_true', dest='ole', help='Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
-
-
- (options, args) = parser.parse_args()
-
- # Print help if no argurments are passed
- if len(args) == 0:
- parser.print_help()
- return
-
- if options.ole:
- for filename in args:
- ole = OleFileIO_PL.OleFileIO(filename)
- for direntry in ole.direntries:
- if direntry is not None and direntry.entry_type == OleFileIO_PL.STGTY_STREAM:
- f = ole._open(direntry.isectStart, direntry.size)
- # check if data contains the SWF magic: FWS or CWS
- data = f.getvalue()
- if 'FWS' in data or 'CWS' in data:
- print 'OLE stream: %s' % repr(direntry.name)
- # call xxxswf to scan or extract Flash files:
- xxxswf.disneyland(f, direntry.name, options)
- f.close()
- ole.close()
- else:
- xxxswf.main()
-
-if __name__ == '__main__':
- main()
-- 
libgit2 0.21.4