def stomp_file(original_file):
stomped_file = original_file + '.stomped'
if olefile.isOleFile(original_file):
shutil.copyfile(original_file, stomped_file)
stomp_ole(stomped_file)
return True
elif zipfile.is_zipfile(original_file):
tmpdir = tempfile.TemporaryDirectory(prefix='stomp_')
with zipfile.ZipFile(original_file) as zf:
zf.extractall(tmpdir.name)
file_list = [
f for f in iglob(tmpdir.name + '/**/*', recursive=True)
if os.path.isfile(f)
]
for f in file_list:
if olefile.isOleFile(f):
stomp_ole(f)
os.chdir(pathlib.Path(stomped_file).resolve().parent)
shutil.make_archive(stomped_file, 'zip', tmpdir.name)
if os.path.exists(stomped_file):
os.remove(stomped_file)
os.rename(stomped_file + '.zip', stomped_file)
return True
else:
return False
def read_meta_txm(file_name, meta_data_name=None):
try:
olef.isOleFile(file_name)
meta_data= None
ole = olef.OleFileIO(file_name)
if ole.exists('ImageInfo/NoOfImages'):
stream = ole.openstream('ImageInfo/NoOfImages')
data = stream.read()
n_images = struct.unpack('<I', data)
number_of_images = n_images[0]
if ole.exists(meta_data_name):
print 'Reading: [%s].' % meta_data_name
stream = ole.openstream(meta_data_name)
data = stream.read()
if (meta_data_name == 'ImageInfo/Date'):
meta_data = struct.unpack('<'+'17s23x'*number_of_images, data)
else:
struct_fmt = "<{}f".format(number_of_images)
meta_data = struct.unpack(struct_fmt, data)
ole.close()
except KeyError:
print 'Reading: [%s] failed.' % file_name
meta_data = None
return np.asarray(meta_data)
def read_meta_txm(file_name, meta_data_name=None):
try:
olef.isOleFile(file_name)
meta_data = None
ole = olef.OleFileIO(file_name)
if ole.exists('ImageInfo/NoOfImages'):
stream = ole.openstream('ImageInfo/NoOfImages')
data = stream.read()
n_images = struct.unpack('<I', data)
number_of_images = n_images[0]
if ole.exists(meta_data_name):
print 'Reading: [%s].' % meta_data_name
stream = ole.openstream(meta_data_name)
data = stream.read()
if (meta_data_name == 'ImageInfo/Date'):
meta_data = struct.unpack(
'<' + '17s23x' * number_of_images, data)
else:
struct_fmt = "<{}f".format(number_of_images)
meta_data = struct.unpack(struct_fmt, data)
ole.close()
except KeyError:
print 'Reading: [%s] failed.' % file_name
meta_data = None
return np.asarray(meta_data)
def __init__(self, file):
self.format = "ooxml"
file.seek(
0) # TODO: Investigate the effect (required for olefile.isOleFile)
# olefile cannot process non password protected ooxml files.
if olefile.isOleFile(file):
ole = olefile.OleFileIO(file)
self.file = ole
self.type, self.info = _parseinfo(
self.file.openstream('EncryptionInfo'))
logger.debug("OOXMLFile.type: {}".format(self.type))
self.secret_key = None
if self.type == 'agile':
# TODO: Support aliases?
self.keyTypes = ('password', 'private_key', 'secret_key')
elif self.type == 'standard':
self.keyTypes = ('password', 'secret_key')
elif self.type == 'extensible':
pass
elif zipfile.is_zipfile(file):
self.file = file
self.type, self.info = None, None
self.secret_key = None
else:
raise Exception("Unsupported file format")
def is_file_encrypted(filepath):
if olefile.isOleFile(filepath):
return FileEncryptionValidator._validate_ole_file(filepath)
elif zipfile.is_zipfile(filepath):
return FileEncryptionValidator._validate_zip_file(filepath)
return None
def parse_snt_file(snt_file):
if not olefile.isOleFile(snt_file):
print "This is not an OLE file"
return None
ole = olefile.OleFileIO(snt_file)
note = {}
for stream in ole.listdir():
if stream[0].count("-") == 3:
if stream[0] not in note:
note[stream[0]] = {
# Read timestamps
"created": ole.getctime(stream[0]),
"modified": ole.getmtime(stream[0])
}
content = None
if stream[1] == '0':
# Parse RTF text
content = ole.openstream(stream).read()
elif stream[1] == '3':
# Parse UTF text
content = ole.openstream(stream).read().decode("utf-16")
if content:
note[stream[0]][stream[1]] = content
return note
def match(cls, meta, local_path):
if isOleFile(local_path):
if meta.mime_type in cls.MIME_TYPES:
return cls.BASE_SCORE
if meta.extension in cls.EXTENSIONS:
return cls.BASE_SCORE
return -1
def extract_ole_metadata(self, file_path):
with open(file_path, 'r') as fh:
if not isOleFile(fh):
return
fh.seek(0)
ole = OleFileIO(fh)
self.extract_olefileio_metadata(ole)
def extract_office2003_from_unknown_office(fullpath, fileobj=None):
'''
从不明 office(可能是 office2003, office2007) 中解出内嵌的 office2003
:return: [
(host_fullpath,filename_from_host,<file_open_handler>),
]
'''
import zipfile
import olefile
import io
r = []
if olefile.isOleFile(fileobj if fileobj else fullpath):
r.append((fullpath, os.path.basename(fullpath),
fileobj if fileobj else open(fullpath, 'rb')))
elif zipfile.is_zipfile(fileobj if fileobj else fullpath):
with zipfile.ZipFile(fileobj if fileobj else fullpath) as z:
for subfile in z.namelist():
with z.open(subfile) as zt:
magic = zt.read(len(olefile.MAGIC))
if magic == olefile.MAGIC:
r.append((fullpath, io_text_arg(subfile),
io.BytesIO(z.open(subfile).read())))
else:
raise ValueError(u'not office file')
return r
def main():
import argparse
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('-k',
dest='secret_key',
help='MS-OFFCRYPTO secretKey value (hex)')
group.add_argument('-p',
dest='private_key',
type=argparse.FileType('rb'),
help='RSA private key file')
group.add_argument('-P', dest='password', help='Password ASCII')
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
parser.add_argument('outfile', nargs='?', type=argparse.FileType('wb'))
args = parser.parse_args()
if not olefile.isOleFile(args.infile):
raise AssertionError("No OLE file")
file = OfficeFile(args.infile)
if args.secret_key:
file.load_skey(binascii.unhexlify(args.secret_key))
elif args.private_key:
file.load_privkey(args.private_key)
elif args.password:
file.load_password(args.password)
file.decrypt(args.outfile)
def check(self):
"""
Open file and run all checks on it.
:returns: list of all :py:class:`Indicator`s created
"""
# check if it is actually an OLE file:
oleformat = Indicator('ole_format', True, name='OLE format')
self.indicators.append(oleformat)
if self.ole:
oleformat.value = True
elif not olefile.isOleFile(self.filename):
oleformat.value = False
return self.indicators
else:
# parse file:
self.ole = olefile.OleFileIO(self.filename)
# checks:
self.check_properties()
self.check_encrypted()
self.check_word()
self.check_excel()
self.check_powerpoint()
self.check_visio()
self.check_object_pool()
self.check_flash()
self.ole.close()
return self.indicators
def main():
p = ArgumentParser(description="Lord Of The Bups")
p.add_argument("-f", "--file", help=".bup file to parse")
p.add_argument("-c", "--corrupt", help="Attempt to parse the Details portion of a corrupted bup file", action="store_true")
p.add_argument("-d", "--details", help="Print detection details", action="store_true")
p.add_argument("-o", "--output", help="Specify an output directory for the decoded files")
args = p.parse_args()
if args.file:
if os.path.isfile(args.file):
if olefile.isOleFile(args.file):
b = Bupectomy()
else:
sys.exit("[ - ] Not an OLE file")
else:
sys.exit("[ - ] {} not found".format(args.file))
if args.details:
b.extractfiles(args.file)
b.details_to_json()
print b.details
elif args.output:
b.extractfiles(args.file)
b.details_to_json()
b.writefiles(args.output)
elif args.corrupt:
b.corrupted_bup(args.file)
else:
b.extractfiles(args.file)
b.details_to_json()
b.writefiles()
def load_data(self):
tmp_list = []
hex_content = []
total = []
hex_arr = []
total_list = []
total_arr = []
#check if olefile
for file in self.im_file:
im_file = 'hwp_seeds\\' + file
if not olefile.isOleFile(im_file):
self.im_file.remove(file)
for file in self.im_file:
ole = olefile.OleFileIO(im_file, write_mode=True)
stream = ole.openstream(field)
data = stream.read()
stream.seek(0)
hex_content.append(data)
#print(len(hex_content)) #274
for string_hex in hex_content:
string_hex = binascii.hexlify(string_hex)
hex_list = [
int(string_hex[i:i + 2], 16)
for i in range(0, len(string_hex), 2)
]
hex_arr = np.asarray(hex_list)
total_list.append(hex_arr)
total_arr = np.asarray(total_list)
print(total_arr.shape) #(290,101430)
def get_rfa_info(rfa_file):
rfa_version = "unknown"
rfa_owner = "unknown"
try:
creationdate = time.strftime('%m/%d/%Y', time.gmtime(os.path.getctime(rfa_file)))
creationtime = time.strftime('%H:%M:%S', time.gmtime(os.path.getctime(rfa_file)))
modifieddate = time.strftime('%m/%d/%Y', time.gmtime(os.path.getmtime(rfa_file)))
modifiedtime = time.strftime('%H:%M:%S', time.gmtime(os.path.getmtime(rfa_file)))
except:
creationdate, creationtime, modifieddate, modifiedtime = "unknown", "unknown", "unknown", "unknown"
try:
sd = win32security.GetFileSecurity(rfa_file, win32security.OWNER_SECURITY_INFORMATION)
owner_sid = sd.GetSecurityDescriptorOwner ()
owner_name, owner_domain, type = win32security.LookupAccountSid(None, owner_sid)
rfa_owner = f'{owner_domain}\\{owner_name}'
if olefile.isOleFile(rfa_file):
try:
rfa_ole = olefile.OleFileIO(rfa_file)
rfa_bfi = rfa_ole.openstream("BasicFileInfo")
rfa_file_info = str(rfa_bfi.read()).replace("\\x00", "")
adesk_version_pattern = re.compile(r'Autodesk Revit \d{4}|Format..\d{4}')
rfa_version = re.search(adesk_version_pattern, rfa_file_info)[0]
except:
pass
else:
print(f'file does not appear to be an ole file: {rfa_file}')
except:
pass
return creationdate, creationtime, modifieddate, modifiedtime, rfa_owner, rfa_version
def _winoffice(self):
"""Process a winoffice file using olefile/oletools."""
oid = oletools.oleid.OleID(self.src_path) # First assume a valid file
if not olefile.isOleFile(self.src_path):
# Manual processing, may already count as suspicious
try:
ole = olefile.OleFileIO(self.src_path, raise_defects=olefile.DEFECT_INCORRECT)
except Exception:
self.make_dangerous('Unparsable WinOffice file')
if ole.parsing_issues:
self.make_dangerous('Parsing issues with WinOffice file')
else:
if ole.exists('macros/vba') or ole.exists('Macros') \
or ole.exists('_VBA_PROJECT_CUR') or ole.exists('VBA'):
self.make_dangerous('WinOffice file containing a macro')
else:
indicators = oid.check()
# Encrypted can be set by multiple checks on the script
if oid.encrypted.value:
self.make_dangerous('Encrypted WinOffice file')
if oid.macros.value or oid.ole.exists('macros/vba') or oid.ole.exists('Macros') \
or oid.ole.exists('_VBA_PROJECT_CUR') or oid.ole.exists('VBA'):
self.make_dangerous('WinOffice file containing a macro')
for i in indicators:
if i.id == 'ObjectPool' and i.value:
self.make_dangerous('WinOffice file containing an object pool')
elif i.id == 'flash' and i.value:
self.make_dangerous('WinOffice file with embedded flash')
self.add_description('WinOffice file')
def _winoffice(self):
"""Process a winoffice file using olefile/oletools."""
# LOG: processing_type property
self.set_property('processing_type', 'WinOffice')
oid = oletools.oleid.OleID(self.src_path) # First assume a valid file
if not olefile.isOleFile(self.src_path):
# Manual processing, may already count as suspicious
try:
ole = olefile.OleFileIO(self.src_path,
raise_defects=olefile.DEFECT_INCORRECT)
except:
self.make_dangerous('not parsable')
if ole.parsing_issues:
self.make_dangerous('parsing issues')
else:
if ole.exists('macros/vba') or ole.exists('Macros') \
or ole.exists('_VBA_PROJECT_CUR') or ole.exists('VBA'):
self.make_dangerous('macro')
else:
indicators = oid.check()
# Encrypted can be set by multiple checks on the script
if oid.encrypted.value:
self.make_dangerous('encrypted')
if oid.macros.value or oid.ole.exists('macros/vba') or oid.ole.exists('Macros') \
or oid.ole.exists('_VBA_PROJECT_CUR') or oid.ole.exists('VBA'):
self.make_dangerous('macro')
for i in indicators:
if i.id == 'ObjectPool' and i.value:
# TODO: Is it suspicious?
# LOG: user defined property
self.set_property('objpool', True)
elif i.id == 'flash' and i.value:
self.make_dangerous('flash')
def getHashes(bupname,htype):
#
#Return a dictionary of stream name and hash.
#
try:
if olefile.isOleFile(bupname) is not True:
print >>sys.stderr, 'Error - %s is not a valid OLE file.' % bupname
sys.exit(1)
ole = olefile.OleFileIO(bupname)
hashes = {}
for entry in ole.listdir():
if entry[0] != "Details":
fdata = ole.openstream(entry[0]).read()
ptext = decryptStream(fdata)
if htype == 'md5':
m = hashlib.md5()
elif htype == 'sha1':
m = hashlib.sha1()
elif htype == 'sha256':
m = hashlib.sha256()
m.update(ptext)
hashes[entry[0]] = m.hexdigest()
ole.close()
return hashes
except Exception as e:
print >>sys.stderr, 'Error - %s' % e
sys.exit(1)
def main():
args = parser.parse_args()
if args.test_encrypted:
if not is_encrypted(args.infile):
print("{}: not encrypted".format(args.infile.name),
file=sys.stderr)
sys.exit(1)
else:
logger.debug("{}: encrypted".format(args.infile.name))
return
if not olefile.isOleFile(args.infile):
raise AssertionError("Not OLE file")
if args.verbose:
logger.removeHandler(logging.NullHandler())
logging.basicConfig(level=logging.DEBUG, format="%(message)s")
file = OfficeFile(args.infile)
if args.password:
file.load_key(password=args.password)
else:
raise AssertionError("Password is required")
if args.outfile is None:
ifWIN32SetBinary(sys.stdout)
if hasattr(sys.stdout, 'buffer'): # For Python 2
args.outfile = sys.stdout.buffer
else:
args.outfile = sys.stdout
file.decrypt(args.outfile)
def BasicInfoGa(targetFile):
# Check for ole structures
if isOleFile(targetFile) == True:
print(f"{infoS} Ole File: {green}True{white}")
else:
print(f"{infoS} Ole File: {red}False{white}")
# Check for encryption
if is_encrypted(targetFile) == True:
print(f"{infoS} Encrypted: {green}True{white}")
else:
print(f"{infoS} Encrypted: {red}False{white}")
# VBA_MACRO scanner
vbascan = OleID(targetFile)
vbascan.check()
# Sanitizing the array
vba_params = []
for vb in vbascan.indicators:
vba_params.append(vb.id)
if "vba_macros" in vba_params:
for vb in vbascan.indicators:
if vb.id == "vba_macros":
if vb.value == True:
print(f"{infoS} VBA Macros: {green}Found{white}")
MacroHunter(targetFile)
else:
print(f"{infoS} VBA Macros: {red}Not Found{white}")
else:
MacroHunter(targetFile)
def unquarantine(f):
base = os.path.basename(f)
realbase, ext = os.path.splitext(base)
if not HAVE_OLEFILE:
log.info("Missed olefile dependency: pip install olefile")
if ext.lower() == ".bup" or (HAVE_OLEFILE and olefile.isOleFile(f)):
try:
return mcafee_unquarantine(f)
except:
pass
if ext.lower() in func_map:
try:
return func_map[ext.lower()](f)
except Exception as e:
print(e)
pass
for func in (kav_unquarantine, trend_unquarantine, sep_unquarantine,
mse_unquarantine, xorff_unquarantine):
try:
quarfile = func(f)
if quarfile:
return quarfile
except:
pass
def __init__(self, file):
self.format = "ooxml"
file.seek(
0) # TODO: Investigate the effect (required for olefile.isOleFile)
# olefile cannot process non password protected ooxml files.
# TODO: this code is duplicate of OfficeFile(). Merge?
if olefile.isOleFile(file):
ole = olefile.OleFileIO(file)
self.file = ole
with self.file.openstream("EncryptionInfo") as stream:
self.type, self.info = _parseinfo(stream)
logger.debug("OOXMLFile.type: {}".format(self.type))
self.secret_key = None
if self.type == "agile":
# TODO: Support aliases?
self.keyTypes = ("password", "private_key", "secret_key")
elif self.type == "standard":
self.keyTypes = ("password", "secret_key")
elif self.type == "extensible":
pass
elif zipfile.is_zipfile(file):
self.file = file
self.type, self.info = None, None
self.secret_key = None
else:
raise Exception("Unsupported file format")
def check(self):
"""
Open file and run all checks on it.
:returns: list of all :py:class:`Indicator`s created
"""
# check if it is actually an OLE file:
oleformat = Indicator('ole_format', True, name='OLE format')
self.indicators.append(oleformat)
if self.ole:
oleformat.value = True
elif not olefile.isOleFile(self.filename):
oleformat.value = False
return self.indicators
else:
# parse file:
self.ole = olefile.OleFileIO(self.filename)
# checks:
self.check_properties()
self.check_encrypted()
self.check_word()
self.check_excel()
self.check_powerpoint()
self.check_visio()
self.check_object_pool()
self.check_flash()
self.ole.close()
return self.indicators
def test(filenames, ole_file_class=OleRecordFile,
must_parse=None, do_per_record=None, verbose=False):
""" parse all given file names and print rough structure
if an error occurs while parsing a stream of type in must_parse, the error
will be raised. Otherwise a message is printed
"""
logging.basicConfig(level=logging.DEBUG if verbose else logging.INFO)
if do_per_record is None:
def do_per_record(record): # pylint: disable=function-redefined
pass # do nothing
if not filenames:
logging.info('need file name[s]')
return 2
for filename in filenames:
logging.info('checking file {0}'.format(filename))
if not olefile.isOleFile(filename):
logging.info('not an ole file - skip')
continue
ole = ole_file_class(filename)
for stream in ole.iter_streams():
logging.info(' parse ' + str(stream))
try:
for record in stream.iter_records():
logging.info(' ' + str(record))
do_per_record(record)
except Exception:
if not must_parse:
raise
elif isinstance(stream, must_parse):
raise
else:
logging.info(' failed to parse', exc_info=True)
return 0
def printDump(bupname, DumpFunction=IdentityFunction, allfiles=False):
#
#Print Hex dump/Hex-ASCII dump of first or all streams
#
if sys.platform == 'win32' and DumpFunction == IdentityFunction:
import msvcrt
msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)
try:
if olefile.isOleFile(bupname) is not True:
print >>sys.stderr, 'Error - %s is not a valid OLE file.' % bupname
sys.exit(1)
ole = olefile.OleFileIO(bupname)
printNewline = False
for entry in ole.listdir():
if entry[0] != "Details":
if printNewline:
print
printNewline = True
StdoutWriteChunked(DumpFunction(decryptStream(ole.openstream(entry[0]).read())))
if not allfiles:
break
ole.close()
except Exception as e:
print >>sys.stderr, 'Error - %s' % e
sys.exit(1)
def _winoffice(self):
"""Process a winoffice file using olefile/oletools."""
oid = oletools.oleid.OleID(self.src_path) # First assume a valid file
if not olefile.isOleFile(self.src_path):
# Manual processing, may already count as suspicious
try:
ole = olefile.OleFileIO(self.src_path,
raise_defects=olefile.DEFECT_INCORRECT)
except Exception:
self.make_dangerous('Unparsable WinOffice file')
if ole.parsing_issues:
self.make_dangerous('Parsing issues with WinOffice file')
else:
if ole.exists('macros/vba') or ole.exists('Macros') \
or ole.exists('_VBA_PROJECT_CUR') or ole.exists('VBA'):
self.make_dangerous('WinOffice file containing a macro')
else:
indicators = oid.check()
# Encrypted can be set by multiple checks on the script
if oid.encrypted.value:
self.make_dangerous('Encrypted WinOffice file')
if oid.macros.value or oid.ole.exists('macros/vba') or oid.ole.exists('Macros') \
or oid.ole.exists('_VBA_PROJECT_CUR') or oid.ole.exists('VBA'):
self.make_dangerous('WinOffice file containing a macro')
for i in indicators:
if i.id == 'ObjectPool' and i.value:
self.make_dangerous(
'WinOffice file containing an object pool')
elif i.id == 'flash' and i.value:
self.make_dangerous('WinOffice file with embedded flash')
self.add_description('WinOffice file')
def main():
args = parser.parse_args()
if not olefile.isOleFile(args.infile):
raise AssertionError("No OLE file")
file = OfficeFile(args.infile)
if args.verbose:
logger.removeHandler(logging.NullHandler())
logging.basicConfig(level=logging.DEBUG, format="%(message)s")
if args.password:
file.load_key(password=args.password)
else:
raise AssertionError("Password is required")
if args.outfile == None:
ifWIN32SetBinary(sys.stdout)
if hasattr(sys.stdout, 'buffer'): ## For Python 2
args.outfile = sys.stdout.buffer
else:
args.outfile = sys.stdout
file.decrypt(args.outfile)
def test_rough_doctype(self):
"""Checks all samples, expect either ole files or good ooxml output"""
# map from extension to expected doctype
ext2doc = dict(
docx=ooxml.DOCTYPE_WORD,
docm=ooxml.DOCTYPE_WORD,
dotx=ooxml.DOCTYPE_WORD,
dotm=ooxml.DOCTYPE_WORD,
xml=(ooxml.DOCTYPE_EXCEL_XML, ooxml.DOCTYPE_WORD_XML),
xlsx=ooxml.DOCTYPE_EXCEL,
xlsm=ooxml.DOCTYPE_EXCEL,
xlsb=ooxml.DOCTYPE_EXCEL,
xlam=ooxml.DOCTYPE_EXCEL,
xltx=ooxml.DOCTYPE_EXCEL,
xltm=ooxml.DOCTYPE_EXCEL,
pptx=ooxml.DOCTYPE_POWERPOINT,
pptm=ooxml.DOCTYPE_POWERPOINT,
ppsx=ooxml.DOCTYPE_POWERPOINT,
ppsm=ooxml.DOCTYPE_POWERPOINT,
potx=ooxml.DOCTYPE_POWERPOINT,
potm=ooxml.DOCTYPE_POWERPOINT,
)
# files that are neither OLE nor xml:
except_files = 'empty', 'text'
except_extns = 'rtf', 'csv'
# analyse all files in data dir
for base_dir, _, files in os.walk(DATA_BASE_DIR):
for filename in files:
if filename in except_files:
if self.DO_DEBUG:
print('skip file: ' + filename)
continue
extn = splitext(filename)[1]
if extn:
extn = extn[1:] # remove the dot
if extn in except_extns:
if self.DO_DEBUG:
print('skip extn: ' + filename)
continue
full_name = join(base_dir, filename)
if isOleFile(full_name):
if self.DO_DEBUG:
print('skip ole: ' + filename)
continue
acceptable = ext2doc[extn]
if not isinstance(acceptable, tuple):
acceptable = (acceptable, )
try:
doctype = ooxml.get_type(full_name)
except Exception:
self.fail('Failed to get doctype of {0}'.format(filename))
self.assertTrue(
doctype in acceptable,
msg='Doctype "{0}" for {1} not acceptable'.format(
doctype, full_name))
if self.DO_DEBUG:
print('ok: {0} --> {1}'.format(filename, doctype))
def test(filenames, ole_file_class=OleRecordFile,
must_parse=None, do_per_record=None, verbose=False):
""" parse all given file names and print rough structure
if an error occurs while parsing a stream of type in must_parse, the error
will be raised. Otherwise a message is printed
"""
logging.basicConfig(level=logging.DEBUG if verbose else logging.INFO)
if do_per_record is None:
def do_per_record(record): # pylint: disable=function-redefined
pass # do nothing
if not filenames:
logging.info('need file name[s]')
return 2
for filename in filenames:
logging.info('checking file {0}'.format(filename))
if not olefile.isOleFile(filename):
logging.info('not an ole file - skip')
continue
ole = ole_file_class(filename)
for stream in ole.iter_streams():
logging.info(' parse ' + str(stream))
try:
for record in stream.iter_records():
logging.info(' ' + str(record))
do_per_record(record)
except Exception:
if not must_parse:
raise
elif isinstance(stream, must_parse):
raise
else:
logging.info(' failed to parse', exc_info=True)
return 0
def __init__(self, data: bytes):
self.oid: Optional[oletools.oleid.OleID] = None
if isOleFile(data):
ole_file = OleFileIO(data)
self.oid = oletools.oleid.OleID(ole_file)
self.oid.check()
def validate(msg):
validation_dict = {
'input': {
'class': get_full_class_name(msg), # Get the full name of the class
'has_len': has_len(msg), # Does the input have a __len__ attribute?
'len': len(msg) if has_len(msg) else None, # If input has __len__, put the value here
},
'olefile': {
'valid': olefile.isOleFile(msg),
},
}
if validation_dict['olefile']['valid']:
validation_dict['message'] = {
'initializes': False,
}
try:
msg_instance = Message(msg)
except NotImplementedError:
# Should we have a special procedure for handling it if we get "not implemented"?
pass
except:
pass
else:
validation_dict['message']['initializes'] = True
validation_dict['message']['msg'] = validate_msg(msg_instance)
return validation_dict
def getZipFiles(self, attachment, filename):
'''
Checks a zip for parsable files and extracts all macros
'''
log.debug(
"[%d] Found attachment with archive extension - file name: %s" %
(self.id, filename))
vba_code_all_modules = ''
file_object = StringIO.StringIO(attachment)
files_in_zip = self.zipwalk(file_object, 0, [])
for zip_name, zip_data in files_in_zip:
# checks if it is a file
zip_mem_data = StringIO.StringIO(zip_data)
name, ext = os.path.splitext(zip_name.filename)
# send to the VBA_Parser
# fallback with extensions - maybe removed in future releases
if olefile.isOleFile(zip_mem_data) or ext in EXTENSIONS:
log.info(
"[%d] File in zip detected! Name: %s - check for VBA" %
(self.id, zip_name.filename))
vba_parser = olevba.VBA_Parser(filename=zip_name.filename,
data=zip_data)
for (subfilename, stream_path, vba_filename,
vba_code) in vba_parser.extract_all_macros():
vba_code_all_modules += vba_code + '\n'
return vba_code_all_modules
def match(cls, meta, local_path):
if isOleFile(local_path):
if meta.mime_type in cls.MIME_TYPES:
return cls.BASE_SCORE
if meta.extension in cls.EXTENSIONS:
return cls.BASE_SCORE
return -1
def _get_reference(ole, txrm_name, custom_reference, ignore_reference):
if custom_reference is not None:
logging.info("%s is being processed with file %s as a reference.",
txrm_name, custom_reference.name)
reference_path = str(custom_reference)
try:
if isOleFile(reference_path):
with OleFileIO(reference_path) as ref_ole:
references = txrm_wrapper.extract_all_images(
ref_ole) # should be float for averaging & dividing
elif ".tif" in reference_path:
with tf.TiffFile(reference_path) as tif:
references = np.asarray(tif.pages[:])
else:
msg = f"Unable to open file '{reference_path}'. Only tif/tiff or xrm/txrm files are supported for custom references."
logging.error(msg)
raise IOError(msg)
except:
logging.error("Error occurred reading custom reference",
exc_info=True)
raise
if len(references) > 1:
# if reference file is an image stack take median of the images
return _dynamic_despeckle_and_average_series(references)
return references[0]
elif ole.exists("ReferenceData/Image") and not ignore_reference:
logging.info("Internal reference will be applied to %s", txrm_name)
return txrm_wrapper.extract_reference_image(ole)
logging.debug("%s is being processed without a reference.", txrm_name)
return None
def main():
args = parser.parse_args()
if args.test_encrypted:
if not is_encrypted(args.infile):
print("{}: not encrypted".format(args.infile.name), file=sys.stderr)
sys.exit(1)
else:
logger.debug("{}: encrypted".format(args.infile.name))
return
if not olefile.isOleFile(args.infile):
raise AssertionError("Not OLE file")
if args.verbose:
logger.removeHandler(logging.NullHandler())
logging.basicConfig(level=logging.DEBUG, format="%(message)s")
file = OfficeFile(args.infile)
if args.password:
# this will always raise an error for 2000-03 files, cannot be decrypted.
# TODO: check and return output stating such, allowing safedocs to ignore file.
file.load_key(password=args.password)
else:
raise AssertionError("Password is required")
if args.outfile is None:
ifWIN32SetBinary(sys.stdout)
if hasattr(sys.stdout, 'buffer'): # For Python 2
args.outfile = sys.stdout.buffer
else:
args.outfile = sys.stdout
file.decrypt(args.outfile)
def collectMetaDataFromFile(self, file):
allAssetMetaData = None
if olefile.isOleFile(file):
with olefile.OleFileIO(file) as ole:
oleDirs = ole.listdir()
streamName = ''
streamData = b''
hasResolvedPath = False
if ole.exists('FileAssetMetaData2'):
streamName = 'FileAssetMetaData2'
elif ole.exists('FileAssetMetaData3'):
streamName = 'FileAssetMetaData3'
hasResolvedPath = True
else:
return None
oleStream = ole.openstream(streamName)
allAssetMetaData = []
for a in self.readStream(oleStream, hasResolvedPath):
#print(a)
allAssetMetaData.append(a)
return allAssetMetaData
else:
return allAssetMetaData
def validate(msg):
validation_dict = {
'input': {
'class': get_full_class_name(msg), # Get the full name of the class
'has_len': has_len(msg), # Does the input have a __len__ attribute?
'len': len(msg) if has_len(msg) else None, # If input has __len__, put the value here
},
'olefile': {
'valid': olefile.isOleFile(msg),
},
}
if validation_dict['olefile']['valid']:
validation_dict['message'] = {
'initializes': False,
}
try:
msg_instance = Message(msg)
except NotImplementedError:
# Should we have a special procedure for handling it if we get "not implemented"?
pass
except:
pass
else:
validation_dict['message']['initializes'] = True
validation_dict['message']['msg'] = validate_msg(msg_instance)
return validation_dict
def open_file(filename):
""" try to open somehow as zip or ole or so; raise exception if fail """
try:
if olefile.isOleFile(filename):
print('is ole file: ' + filename)
# todo: try ppt_parser first
yield olefile.OleFileIO(filename)
elif is_zipfile(filename):
print('is zip file: ' + filename)
zipper = ZipFile(filename, 'r')
for subfile in zipper.namelist():
head = b''
try:
head = zipper.open(subfile).read(len(olefile.MAGIC))
except RuntimeError:
print('zip is encrypted: ' + filename) # todo: passwords?!
yield None
if head == olefile.MAGIC:
print(' unzipping ole: ' + subfile)
yield olefile.OleFileIO(
zipper.open(subfile).read(MAX_SIZE))
else:
pass # print('unzip skip: ' + subfile)
else: # todo: add more file types
print('open failed: ' + filename)
yield None # --> leads to non-0 return code
except Exception:
print_exc()
yield None # --> leads to non-0 return code
def is_valid_msg_file(self):
if not os.path.exists(self.msg_file_path):
return False
if not isOleFile(self.msg_file_path):
return False
return True
def __init__(self, filedir, endian='<'):
self.file_dir = os.path.normpath(filedir)
self._endian = endian
assert olefile.isOleFile(
filedir), 'Input file should be an OLE container'
self.ole = olefile.OleFileIO(filename=filedir, write_mode=False)
self.clear_cache()
def __init__(self, olefile, path='', parent=None):
if not hasattr(olefile, 'openstream'):
isOleFile = import_isOleFile()
OleFileIO = import_OleFileIO()
if not isOleFile(olefile):
errormsg = 'Not an OLE2 Compound Binary File.'
raise InvalidOleStorageError(errormsg)
olefile = OleFileIO(olefile)
OleStorageItem.__init__(self, olefile, path, parent)
def dubbel_klik(self, event):
# methode voor het lezen van bestanden of navigeren van directories via de bestandList
selectie = str(self.bestandList.get(self.bestandList.curselection()))
fp = self.dirVar + selectie
# Pak de filepath omdat deze nog wel vaker gebruikt wordt.
# pak de selectie zonder extensies
# rpartition returnt "" als het scheidingsteken niet gevonden kan worden
if selectie.rpartition(".")[0] == "":
self.update_directory(self.dirVar + selectie.rpartition(".")[2])
# update de directory als er geen extensie is en het dus een map is.
else:
# anders kijken of het bestand een pdf of office bestand is
if selectie.rpartition(".")[2] == "pdf":
try:
file = open(fp, "rb")
parser = PDFParser(file)
# open het bestand en een parser
doc = PDFDocument(parser, None)
docDict = doc.info[0]
# parse het document. Om een of andere reden is doc.info een
# lijst met een dictionary als enig item. Haal de dictionary eruit.
self.console_print('"' + selectie + '" is een pdf-bestand.')
for tag in docDict.keys():
if docDict[tag] != "":
self.console_print("%s: %s" % (tag, docDict[tag]))
# print alle tags die niet leeg zijn. %s en %s zijn
# respectievelijk de eerste en tweede waarden ernaast.
file.close()
except (IOError, WindowsError):
self.console_print('"' + selectie + '" kan niet gelezen worden.')
# Noot: Olefile leest geen nieuwe office extensies zoals docx.
if olefile.isOleFile(fp) == True:
try:
ole = olefile.OleFileIO(fp)
meta = ole.get_metadata()
# open het bestand in read-only modus, en lees de metadata
if ole.exists("WordDocument"):
self.console_print('"' + selectie + '" is een wordbestand.')
if ole.exists("PowerPoint Document"):
self.console_print('"' + selectie + '" is een powerpointbestand.')
if ole.exists("Workbook"):
self.console_print('"' + selectie + '" is een excelbestand.')
# Kijk of er in de storages aangegeven wordt dat het bestand een
# word, powerpoint danwel excelbestand is.
metaDict = dict(Auteur=str(meta.author), Titel=str(meta.title), Creatiedatum=str(meta.create_time))
# Alleen de creatiedatum, auteur en titel zijn van belang. Maak er een dictionary mee.
for tag in metaDict.keys():
if metaDict[tag] == "":
metaDict[tag] = "Geen"
self.console_print("%s: %s" % (tag, metaDict[tag]))
# Als er geen waarde is, is het handiger als er Geen staat.
ole.close()
except (IOError, WindowsError):
self.console_print('"' + selectie + '" kan niet gelezen worden.')
def process_msg(subdir,file):
if olefile.isOleFile(os.path.join(subdir,file))==False:
process_mime_msg(subdir,file)
return
os.mkdir(os.path.join(subdir,file)+".dir")
ole = olefile.OleFileIO(os.path.join(subdir,file))
attach_list = get_msg_attach_list(ole)
extract_msg_files(attach_list,ole,subdir,file)
extract_msg_message(ole,subdir,file)
ole.close()
os.remove(os.path.join(subdir,file))
def test_rough_doctype(self):
"""Checks all samples, expect either ole files or good ooxml output"""
# map from extension to expected doctype
ext2doc = dict(
docx=ooxml.DOCTYPE_WORD, docm=ooxml.DOCTYPE_WORD,
dotx=ooxml.DOCTYPE_WORD, dotm=ooxml.DOCTYPE_WORD,
xml=(ooxml.DOCTYPE_EXCEL_XML, ooxml.DOCTYPE_WORD_XML),
xlsx=ooxml.DOCTYPE_EXCEL, xlsm=ooxml.DOCTYPE_EXCEL,
xlsb=ooxml.DOCTYPE_EXCEL, xlam=ooxml.DOCTYPE_EXCEL,
xltx=ooxml.DOCTYPE_EXCEL, xltm=ooxml.DOCTYPE_EXCEL,
pptx=ooxml.DOCTYPE_POWERPOINT, pptm=ooxml.DOCTYPE_POWERPOINT,
ppsx=ooxml.DOCTYPE_POWERPOINT, ppsm=ooxml.DOCTYPE_POWERPOINT,
potx=ooxml.DOCTYPE_POWERPOINT, potm=ooxml.DOCTYPE_POWERPOINT,
ods=ooxml.DOCTYPE_NONE, odt=ooxml.DOCTYPE_NONE,
odp=ooxml.DOCTYPE_NONE,
)
# files that are neither OLE nor xml:
except_files = 'empty', 'text'
except_extns = 'rtf', 'csv'
# analyse all files in data dir
for base_dir, _, files in os.walk(DATA_BASE_DIR):
for filename in files:
if filename in except_files:
if self.DO_DEBUG:
print('skip file: ' + filename)
continue
extn = splitext(filename)[1]
if extn:
extn = extn[1:] # remove the dot
if extn in except_extns:
if self.DO_DEBUG:
print('skip extn: ' + filename)
continue
full_name = join(base_dir, filename)
if isOleFile(full_name):
if self.DO_DEBUG:
print('skip ole: ' + filename)
continue
acceptable = ext2doc[extn]
if not isinstance(acceptable, tuple):
acceptable = (acceptable, )
try:
doctype = ooxml.get_type(full_name)
except Exception:
self.fail('Failed to get doctype of {0}'.format(filename))
self.assertTrue(doctype in acceptable,
msg='Doctype "{0}" for {1} not acceptable'
.format(doctype, full_name))
if self.DO_DEBUG:
print('ok: {0} --> {1}'.format(filename, doctype))
def close_destination(self, destination):
if destination.cword == b'objdata':
log.debug('*** Close object data at index %Xh' % self.index)
rtfobj = RtfObject()
self.objects.append(rtfobj)
rtfobj.start = destination.start
rtfobj.end = destination.end
# Filter out all whitespaces first (just ignored):
hexdata1 = destination.data.translate(None, b' \t\r\n\f\v')
# Then filter out any other non-hex character:
hexdata = re.sub(b'[^a-fA-F0-9]', b'', hexdata1)
if len(hexdata) < len(hexdata1):
# this is only for debugging:
nonhex = re.sub(b'[a-fA-F0-9]', b'', hexdata1)
log.debug('Found non-hex chars in hexdata: %r' % nonhex)
# MS Word accepts an extra hex digit, so we need to trim it if present:
if len(hexdata) & 1:
log.debug('Odd length, trimmed last byte.')
hexdata = hexdata[:-1]
rtfobj.hexdata = hexdata
object_data = binascii.unhexlify(hexdata)
rtfobj.rawdata = object_data
rtfobj.rawdata_md5 = hashlib.md5(object_data).hexdigest()
# TODO: check if all hex data is extracted properly
obj = oleobj.OleObject()
try:
obj.parse(object_data)
rtfobj.format_id = obj.format_id
rtfobj.class_name = obj.class_name
rtfobj.oledata_size = obj.data_size
rtfobj.oledata = obj.data
rtfobj.oledata_md5 = hashlib.md5(obj.data).hexdigest()
rtfobj.is_ole = True
if obj.class_name.lower() == b'package':
opkg = oleobj.OleNativeStream(bindata=obj.data,
package=True)
rtfobj.filename = opkg.filename
rtfobj.src_path = opkg.src_path
rtfobj.temp_path = opkg.temp_path
rtfobj.olepkgdata = opkg.data
rtfobj.olepkgdata_md5 = hashlib.md5(opkg.data).hexdigest()
rtfobj.is_package = True
else:
if olefile.isOleFile(obj.data):
ole = olefile.OleFileIO(obj.data)
rtfobj.clsid = ole.root.clsid
rtfobj.clsid_desc = clsid.KNOWN_CLSIDS.get(rtfobj.clsid,
'unknown CLSID (please report at https://github.com/decalage2/oletools/issues)')
except:
pass
log.debug('*** Not an OLE 1.0 Object')
def process_file(filepath, field_filter_mode=None):
""" decides which of the process_* functions to call """
if olefile.isOleFile(filepath):
logger.debug('Is OLE. Checking streams to see whether this is xls')
if xls_parser.is_xls(filepath):
logger.debug('Process file as excel 2003 (xls)')
return process_xls(filepath)
# encrypted files also look like ole, even if office 2007+ (xml-based)
# so check for encryption, first
ole = olefile.OleFileIO(filepath, path_encoding=None)
oid = oleid.OleID(ole)
if oid.check_encrypted().value:
log.debug('is encrypted - raise error')
raise FileIsEncryptedError(filepath)
elif oid.check_powerpoint().value:
log.debug('is ppt - cannot have DDE')
return u''
else:
logger.debug('Process file as word 2003 (doc)')
return process_doc(ole)
with open(filepath, 'rb') as file_handle:
if file_handle.read(4) == RTF_START:
logger.debug('Process file as rtf')
return process_rtf(file_handle, field_filter_mode)
try:
doctype = ooxml.get_type(filepath)
logger.debug('Detected file type: {0}'.format(doctype))
except Exception as exc:
logger.debug('Exception trying to xml-parse file: {0}'.format(exc))
doctype = None
if doctype == ooxml.DOCTYPE_EXCEL:
logger.debug('Process file as excel 2007+ (xlsx)')
return process_xlsx(filepath)
elif doctype in (ooxml.DOCTYPE_EXCEL_XML, ooxml.DOCTYPE_EXCEL_XML2003):
logger.debug('Process file as xml from excel 2003/2007+')
return process_excel_xml(filepath)
elif doctype in (ooxml.DOCTYPE_WORD_XML, ooxml.DOCTYPE_WORD_XML2003):
logger.debug('Process file as xml from word 2003/2007+')
return process_docx(filepath)
elif doctype is None:
logger.debug('Process file as csv')
return process_csv(filepath)
else: # could be docx; if not: this is the old default code path
logger.debug('Process file as word 2007+ (docx)')
return process_docx(filepath, field_filter_mode)
def run(self):
super(Office, self).run()
if self.args is None:
return
if not __sessions__.is_set():
self.log('error', "No session opened")
return
if not HAVE_OLE:
self.log('error', "Missing dependency, install OleFileIO (`pip install olefile`)")
return
# Tests to check for valid Office structures.
OLE_FILE = olefile.isOleFile(__sessions__.current.file.path)
XML_FILE = zipfile.is_zipfile(__sessions__.current.file.path)
if OLE_FILE:
ole = olefile.OleFileIO(__sessions__.current.file.path)
elif XML_FILE:
zip_xml = zipfile.ZipFile(__sessions__.current.file.path, 'r')
else:
self.log('error', "Not a valid office document")
return
if self.args.export is not None:
if OLE_FILE:
self.export(ole, self.args.export)
elif XML_FILE:
self.xml_export(zip_xml, self.args.export)
elif self.args.meta:
if OLE_FILE:
self.metadata(ole)
elif XML_FILE:
self.xmlmeta(zip_xml)
elif self.args.streams:
if OLE_FILE:
self.metatimes(ole)
elif XML_FILE:
self.xmlstruct(zip_xml)
elif self.args.oleid:
if OLE_FILE:
self.oleid(ole)
else:
self.log('error', "Not an OLE file")
elif self.args.vba or self.args.code:
self.parse_vba(self.args.code)
else:
self.log('error', 'At least one of the parameters is required')
self.usage()
def getDetails(bupname):
try:
if olefile.isOleFile(bupname) is not True:
print >>sys.stderr, 'Error - %s is not a valid OLE file.' % bupname
sys.exit(1)
ole = olefile.OleFileIO(bupname)
#clean this up later by catching exception
data = ole.openstream("Details").read()
ptext=decryptStream(data)
ole.close()
return ptext
except Exception as e:
print >>sys.stderr, 'Error - %s' % e
sys.exit(1)
def _winoffice(self):
self.cur_file.add_log_details("processing_type", "WinOffice")
# Try as if it is a valid document
oid = oletools.oleid.OleID(self.cur_file.src_path)
if not olefile.isOleFile(self.cur_file.src_path):
# Manual processing, may already count as suspicious
try:
ole = olefile.OleFileIO(self.cur_file.src_path, raise_defects=olefile.DEFECT_INCORRECT)
except:
self.cur_file.add_log_details("not_parsable", True)
self.cur_file.make_dangerous()
if ole.parsing_issues:
self.cur_file.add_log_details("parsing_issues", True)
self.cur_file.make_dangerous()
else:
if (
ole.exists("macros/vba")
or ole.exists("Macros")
or ole.exists("_VBA_PROJECT_CUR")
or ole.exists("VBA")
):
self.cur_file.add_log_details("macro", True)
self.cur_file.make_dangerous()
else:
indicators = oid.check()
# Encrypted ban be set by multiple checks on the script
if oid.encrypted.value:
self.cur_file.add_log_details("encrypted", True)
self.cur_file.make_dangerous()
if (
oid.macros.value
or oid.ole.exists("macros/vba")
or oid.ole.exists("Macros")
or oid.ole.exists("_VBA_PROJECT_CUR")
or oid.ole.exists("VBA")
):
self.cur_file.add_log_details("macro", True)
self.cur_file.make_dangerous()
for i in indicators:
if i._id == "ObjectPool" and i.value:
# FIXME: Is it suspicious?
self.cur_file.add_log_details("objpool", True)
elif i._id == "flash" and i.value:
self.cur_file.add_log_details("flash", True)
self.cur_file.make_dangerous()
self._safe_copy()
def process_file(filename, extract):
pkgobj = None
if olefile.isOleFile(filename):
print ' [*] File is an OLE file...'
process_olefile(filename)
elif isstream(filename):
with open(filename, 'rb') as f:
sdata = f.read()
print ' [*] File is an extracted Packager Stream'
print ' [*] Stream contains Packager Formatted data...'
pkgobj = PackagerStream(sdata[4:].encode('hex'))
print
print pkgobj
else:
with open(filename, 'rb') as f:
file_data = f.read()
if file_data[0:2] == "PK":
print ' [*] File is a zip archive..searching for embedded objects..'
archive = StringIO(file_data)
zf = ZipFile(archive, "r")
for name in zf.namelist():
if 'oleObject' in name:
print ' [*] Found OLE object: %s' % name
pkgobj = process_olefile(zf.read(name))
if extract:
with open(pkgobj.gethash('md5'), 'wb') as out:
out.write(pkgobj.Data)
else:
# Treat the file as an rtf doc
rd = RTFDoc(filename)
print ' [*] Scanning file for embedded objects'
rd.scan()
if extract:
try:
print ' Extracting embedded data as %s' % pkgobj.gethash('md5')
with open(pkgobj.gethash('md5'), 'wb') as out:
out.write(pkgobj.Data)
except Exception as e:
print ' [!] An error occurred while writing the file :: %s' % e
def check(self):
# check if it is actually an OLE file:
oleformat = Indicator('ole_format', True, name='OLE format')
self.indicators.append(oleformat)
if not olefile.isOleFile(self.filename):
oleformat.value = False
return self.indicators
# parse file:
self.ole = olefile.OleFileIO(self.filename)
# checks:
self.check_properties()
self.check_encrypted()
self.check_word()
self.check_excel()
self.check_powerpoint()
self.check_visio()
self.check_ObjectPool()
self.check_flash()
self.ole.close()
return self.indicators
def main():
import argparse
parser = argparse.ArgumentParser()
group = parser.add_mutually_exclusive_group(required=True)
group.add_argument('-k', dest='secret_key', help='MS-OFFCRYPTO secretKey value (hex)')
group.add_argument('-p', dest='private_key', type=argparse.FileType('rb'), help='RSA private key file')
parser.add_argument('infile', nargs='?', type=argparse.FileType('rb'))
parser.add_argument('outfile', nargs='?', type=argparse.FileType('wb'))
args = parser.parse_args()
if not olefile.isOleFile(args.infile):
raise AssertionError, "No OLE file"
file = OfficeFile(args.infile)
if args.secret_key:
file.load_skey(binascii.unhexlify(args.secret_key))
elif args.private_key:
file.load_privkey(args.private_key)
file.decrypt(args.outfile)
def extract(infile, dirname=None):
if dirname is None:
dirname = os.getcwd()
try:
if olefile.isOleFile(infile) is not True:
print >>sys.stderr, 'Error - %s is not a valid OLE file.' % infile
sys.exit(1)
ole = olefile.OleFileIO(infile)
filelist = ole.listdir()
for fname in filelist:
if not ole.get_size(fname[0]):
print 'Warning: The "%s" stream reports a size of 0. Possibly a corrupt bup.' % fname[0]
data = ole.openstream(fname[0]).read()
fp = open(os.path.join(dirname, fname[0]),'wb')
fp.write(data)
fp.close()
ole.close()
return filelist
except Exception as e:
print >>sys.stderr, 'Error - %s' % e
sys.exit(1)
def process_file(filename, extract):
pkgobj = None
if olefile.isOleFile(filename):
print ' [*] File is an OLE file...'
ole = olefile.OleFileIO(filename)
filelist = ole.listdir()
print ' [*] Processing Streams...'
for fname in filelist:
if '\x01Ole10Native' in fname:
print ' [*] Found Ole10Native Stream...checking for packager data'
sdata = ole.openstream(fname).read()
if sdata[4:6].encode('hex') == '0200':
print ' [*] Stream contains Packager Formatted data...'
pkgobj = PackagerStream(sdata[4:].encode('hex'))
print
print pkgobj
elif isstream(filename):
with open(filename, 'rb') as f:
sdata = f.read()
print ' [*] File is an extracted Packager Stream'
print ' [*] Stream contains Packager Formatted data...'
pkgobj = PackagerStream(sdata[4:].encode('hex'))
print
print pkgobj
else:
# Treat the file as an rtf doc
rd = RTFDoc(filename)
print ' [*] Scanning file for embedded objects'
rd.scan()
if extract:
try:
print ' Extracting embedded data as %s' % pkgobj.gethash('md5')
with open(pkgobj.gethash('md5'), 'wb') as out:
out.write(pkgobj.Data)
except Exception as e:
print ' [!] An error occurred while writing the file :: %s' % e
def _winoffice(self):
self.cur_file.add_log_details('processing_type', 'WinOffice')
# Try as if it is a valid document
oid = oletools.oleid.OleID(self.cur_file.src_path)
if not olefile.isOleFile(self.cur_file.src_path):
# Manual processing, may already count as suspicious
try:
ole = olefile.OleFileIO(self.cur_file.src_path, raise_defects=olefile.DEFECT_INCORRECT)
except:
self.cur_file.add_log_details('not_parsable', True)
self.cur_file.make_dangerous()
if ole.parsing_issues:
self.cur_file.add_log_details('parsing_issues', True)
self.cur_file.make_dangerous()
else:
if ole.exists('macros/vba') or ole.exists('Macros') \
or ole.exists('_VBA_PROJECT_CUR') or ole.exists('VBA'):
self.cur_file.add_log_details('macro', True)
self.cur_file.make_dangerous()
else:
indicators = oid.check()
# Encrypted ban be set by multiple checks on the script
if oid.encrypted.value:
self.cur_file.add_log_details('encrypted', True)
self.cur_file.make_dangerous()
if oid.macros.value or oid.ole.exists('macros/vba') or oid.ole.exists('Macros') \
or oid.ole.exists('_VBA_PROJECT_CUR') or oid.ole.exists('VBA'):
self.cur_file.add_log_details('macro', True)
self.cur_file.make_dangerous()
for i in indicators:
if i._id == 'ObjectPool' and i.value:
# FIXME: Is it suspicious?
self.cur_file.add_log_details('objpool', True)
elif i._id == 'flash' and i.value:
self.cur_file.add_log_details('flash', True)
self.cur_file.make_dangerous()
self._safe_copy()
def run(self):
super(Office, self).run()
if self.args is None:
return
if not __sessions__.is_set():
self.log('error', "No open session. This command expects a file to be open.")
return
if not HAVE_OLE:
self.log('error', "Missing dependency, install OleFileIO (`pip install olefile oletools`)")
return
file_data = __sessions__.current.file.data
if file_data.startswith(b'<?xml'):
OLD_XML = file_data
else:
OLD_XML = False
if file_data.startswith(b'MIME-Version:') and 'application/x-mso' in file_data:
MHT_FILE = file_data
else:
MHT_FILE = False
# Check for old office formats
try:
doctype = ooxml.get_type(__sessions__.current.file.path)
OOXML_FILE = True
except Exception:
OOXML_FILE = False
# set defaults
XLSX_FILE = False
EXCEL_XML_FILE = False
DOCX_FILE = False
if OOXML_FILE is True:
if doctype == ooxml.DOCTYPE_EXCEL:
XLSX_FILE = True
elif doctype in (ooxml.DOCTYPE_EXCEL_XML, ooxml.DOCTYPE_EXCEL_XML2003):
EXCEL_XML_FILE = True
elif doctype in (ooxml.DOCTYPE_WORD_XML, ooxml.DOCTYPE_WORD_XML2003):
DOCX_FILE = True
# Tests to check for valid Office structures.
OLE_FILE = olefile.isOleFile(__sessions__.current.file.path)
XML_FILE = zipfile.is_zipfile(__sessions__.current.file.path)
if OLE_FILE:
ole = olefile.OleFileIO(__sessions__.current.file.path)
elif XML_FILE:
zip_xml = zipfile.ZipFile(__sessions__.current.file.path, 'r')
elif OLD_XML:
pass
elif MHT_FILE:
pass
elif DOCX_FILE:
pass
elif EXCEL_XML_FILE:
pass
elif XLSX_FILE:
pass
else:
self.log('error', "Not a valid office document")
return
if self.args.export is not None:
if OLE_FILE:
self.export(ole, self.args.export)
elif XML_FILE:
self.xml_export(zip_xml, self.args.export)
elif self.args.meta:
if OLE_FILE:
self.metadata(ole)
elif XML_FILE:
self.xmlmeta(zip_xml)
elif self.args.streams:
if OLE_FILE:
self.metatimes(ole)
elif XML_FILE:
self.xmlstruct(zip_xml)
elif self.args.oleid:
if OLE_FILE:
self.oleid(ole)
else:
self.log('error', "Not an OLE file")
elif self.args.vba or self.args.code:
self.parse_vba(self.args.code)
elif self.args.dde:
self.get_dde(__sessions__.current.file.path)
else:
self.log('error', 'At least one of the parameters is required')
self.usage()
def sendFile():
#bring app to foreground
#root.deiconify()
home = getSNTFilePath()
try:
assert olefile.isOleFile(home)
except (AssertionError,FileNotFoundError) as e:
root.deiconify()
if app is not None:
app.infoLabel['text'] = "No Sticky Notes file found at " + home + ".\nYou need to run the Sticky Notes application for the first time to create a Sticky Notes file."
app.infoLabel['fg'] = 'red'
#bring app to foreground
ole = olefile.OleFileIO(home)
streamList = ole.listdir()
counter = 0
#print(streamList)
for streamIndex in range(len(streamList)):
# get zeroth streams
#print(streamIndex)
#print(len(streamList))
#print(streamList[streamIndex])
if (streamList[streamIndex])[len(streamList[streamIndex])
- 1:][0] is '0':
#print("valid stream with directory 0: "+ streamList[streamIndex])
# print(ole.get_size(streamList[streamIndex]))
# create file stream
handle = ole.openstream(streamList[streamIndex])
text = handle.read()
ole.close()
#find last index of actual closed bracket pair
textDecode = text.decode("utf-8")
openBracketsUnclosed = -1
for searchIndex in range(len(textDecode)):
if textDecode[searchIndex] == '{':
if openBracketsUnclosed == -1:
openBracketsUnclosed = 0
openBracketsUnclosed += 1
if textDecode[searchIndex] == '}':
openBracketsUnclosed -= 1
if openBracketsUnclosed == 0:
#print(searchIndex)
break;
# base64 encode
base64Encoded = base64.b64encode(extract_rtf.striprtf(textDecode[textDecode.find("{"):searchIndex+1].encode("utf-8")).encode('ascii'))
#ascii preview with viewing as string so we can see newline and carriage return
#print(textDecode.encode('ascii'))
# create payload
payload = {
'user': username,
'passcode': passcode,
'number': counter,
'data': base64Encoded,
}
try:
# make POST request with payload
r = requests.post(server+'/update',data=payload,timeout=5)
#print((r.status_code, r.reason))
if r.text[0:1] == '0':
print(('Sent note at index {0} success'.format(counter)))
app.infoLabel['text'] = 'Updated'
app.infoLabel['fg'] = 'black'
app.setUserPass['text'] = 'Update info'
counter = counter + 1
else:
print('Failed to update note at index {0} {0}'.format(counter, r.text))
app.infoLabel['text'] = r.text
app.infoLabel['fg'] = 'red'
#bring app to foreground
root.deiconify()
return r.text
except requests.exceptions.RequestException as e:
#messagebox.showerror("Error sending request to " + server, e)
print(e)
return "Update to " + server + " failed"
return 0
def run(self):
super(Debup, self).run()
if self.args is None:
return
if not __sessions__.is_set():
self.log('error', "No session opened")
return
if not HAVE_OLE:
self.log('error', "Missing dependency, install olefile (`pip install olefile`)")
return
# Check for valid OLE
if not olefile.isOleFile(__sessions__.current.file.path):
self.log('error', "Not a valid BUP File")
return
# Extract all the contents from the bup file.
ole = olefile.OleFileIO(__sessions__.current.file.path)
# We know that BUPS are xor'd with 6A which is dec 106 for the decoder
# This is the stored file.
data = self.xordata(ole.openstream('File_0').read(), 106)
# Get the details page
data2 = self.xordata(ole.openstream('Details').read(), 106)
# Close the OLE
ole.close()
# Process the details file
rows = []
filename = ''
lines = data2.split('\n')
for line in lines:
if line.startswith('OriginalName'):
fullpath = line.split('=')[1]
pathsplit = fullpath.split('\\')
filename = str(pathsplit[-1][:-1])
try:
k, v = line.split('=')
rows.append([k, v[:-1]]) # Strip the \r from v
except Exception as e:
pass
# If we opted to switch session then do that
if data and self.args.session:
try:
tempname = os.path.join('/tmp', filename)
with open(tempname, 'w') as temp:
temp.write(data)
self.log('info', "Switching Session to Embedded File")
__sessions__.new(tempname)
return
except:
self.log('error', "Unble to Switch Session")
# Else jsut print the date
else:
self.log('info', "BUP Details:")
self.log('table', dict(header=['Description', 'Value'], rows=rows))
def sendFile():
global sendFileTimer
sendFileTimer = threading.Timer(10, updateUISendFile)
sendFileTimer.start()
#bring app to foreground
#root.deiconify()
home = expanduser("~")
home += "\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt"
try:
assert olefile.isOleFile(home)
except (AssertionError,FileNotFoundError) as e:
root.deiconify()
if app is not None:
app.infoLabel['text'] = "No Sticky Notes file found at " + home + ".\nYou need to run the Sticky Notes application for the first time to create a Sticky Notes file."
app.infoLabel['fg'] = 'red'
#bring app to foreground
ole = olefile.OleFileIO(home)
streamList = ole.listdir()
counter = 0
#print(streamList)
for streamIndex in range(len(streamList)):
# get zeroth streams
#print(streamIndex)
#print(len(streamList))
#print(streamList[streamIndex])
if (streamList[streamIndex])[len(streamList[streamIndex])
- 1:][0] is '0':
#print("valid stream with directory 0: "+ streamList[streamIndex])
# print(ole.get_size(streamList[streamIndex]))
# create file stream
handle = ole.openstream(streamList[streamIndex])
text = handle.read()
ole.close()
#print text
# base64 encode
base64Encoded = base64.b64encode(text)
# create payload
payload = {
'user': username,
'passcode': passcode,
'number': counter,
'data': base64Encoded,
}
try:
# make POST request with payload
r = requests.post(server+'/update',data=payload,timeout=5)
#print((r.status_code, r.reason))
if r.text[0:1] == '0':
print(('Sent note at index {0} success'.format(counter)))
app.infoLabel['text'] = 'Updated'
app.infoLabel['fg'] = 'black'
app.setUserPass['text'] = 'Update info'
counter = counter + 1
else:
print('Fail update note at index {0} {0}'.format(counter, r.text))
app.infoLabel['text'] = r.text
app.infoLabel['fg'] = 'red'
#bring app to foreground
root.deiconify()
return r.text
except requests.exceptions.RequestException as e:
#messagebox.showerror("Error sending request to " + server, e)
print(e)
return "Update to " + server + " failed"
return 0
def run(self):
super(Office, self).run()
if self.args is None:
return
if not __sessions__.is_set():
self.log('error', "No open session")
return
if not HAVE_OLE:
self.log('error', "Missing dependency, install OleFileIO (`pip install olefile oletools`)")
return
file_data = __sessions__.current.file.data
if file_data.startswith(b'<?xml'):
OLD_XML = file_data
else:
OLD_XML = False
if file_data.startswith(b'MIME-Version:') and 'application/x-mso' in file_data:
MHT_FILE = file_data
else:
MHT_FILE = False
# Tests to check for valid Office structures.
OLE_FILE = olefile.isOleFile(__sessions__.current.file.path)
XML_FILE = zipfile.is_zipfile(__sessions__.current.file.path)
if OLE_FILE:
ole = olefile.OleFileIO(__sessions__.current.file.path)
elif XML_FILE:
zip_xml = zipfile.ZipFile(__sessions__.current.file.path, 'r')
elif OLD_XML:
pass
elif MHT_FILE:
pass
else:
self.log('error', "Not a valid office document")
return
if self.args.export is not None:
if OLE_FILE:
self.export(ole, self.args.export)
elif XML_FILE:
self.xml_export(zip_xml, self.args.export)
elif self.args.meta:
if OLE_FILE:
self.metadata(ole)
elif XML_FILE:
self.xmlmeta(zip_xml)
elif self.args.streams:
if OLE_FILE:
self.metatimes(ole)
elif XML_FILE:
self.xmlstruct(zip_xml)
elif self.args.oleid:
if OLE_FILE:
self.oleid(ole)
else:
self.log('error', "Not an OLE file")
elif self.args.vba or self.args.code:
self.parse_vba(self.args.code)
else:
self.log('error', 'At least one of the parameters is required')
self.usage()
def txrm(self,
array_name=None,
x_start=0,
x_end=0,
x_step=1,
y_start=0,
y_end=0,
y_step=1,
z_start=0,
z_end=0,
z_step=1):
"""
Read 3-D tomographic projection data from a TXRM file
Parameters
file_name : str
Input txrm file.
x_start, x_end, x_step : scalar, optional
Values of the start, end and step of the
slicing for the whole array.
y_start, y_end, y_step : scalar, optional
Values of the start, end and step of the
slicing for the whole array.
z_start, z_end, z_step : scalar, optional
Values of the start, end and step of the
slicing for the whole array.
Returns
out : array
Returns the data as a matrix.
"""
verbose = True
try:
olef.isOleFile(self.file_name)
if (array_name == "theta"):
ole = olef.OleFileIO(self.file_name)
if ole.exists('ImageInfo/ImagesTaken'):
stream = ole.openstream('ImageInfo/ImagesTaken')
data = stream.read()
nev = struct.unpack('<I', data)
if verbose: print "ImageInfo/ImagesTaken = %i" % nev[0]
n_images = nev[0]
if ole.exists('ImageInfo/Angles'):
stream = ole.openstream('ImageInfo/Angles')
data = stream.read()
struct_fmt = "<{}f".format(n_images)
angles = struct.unpack(struct_fmt, data)
if verbose: print "ImageInfo/Angles: \n ", angles
theta = np.asarray(angles)
num_z = theta.size
if z_end is 0: z_end = num_z
if verbose: print "Constructed theta"
dataset = theta[z_start:z_end:z_step]
else:
ole = olef.OleFileIO(self.file_name)
datasize = np.empty((3), dtype=np.int)
if ole.exists('ImageInfo/ImageWidth'):
stream = ole.openstream('ImageInfo/ImageWidth')
data = stream.read()
nev = struct.unpack('<I', data)
if verbose: print "ImageInfo/ImageWidth = %i" % nev[0]
datasize[0] = np.int(nev[0])
n_cols = datasize[0]
if ole.exists('ImageInfo/ImageHeight'):
stream = ole.openstream('ImageInfo/ImageHeight')
data = stream.read()
nev = struct.unpack('<I', data)
if verbose: print "ImageInfo/ImageHeight = %i" % nev[0]
datasize[1] = np.int(nev[0])
n_rows = datasize[1]
if ole.exists('ImageInfo/ImagesTaken'):
stream = ole.openstream('ImageInfo/ImagesTaken')
data = stream.read()
nev = struct.unpack('<I', data)
if verbose: print "ImageInfo/ImagesTaken = %i" % nev[0]
nimgs = nev[0]
datasize[2] = np.int(nimgs)
n_images = datasize[2]
# 10 float; 5 uint16 (unsigned 16-bit (2-byte) integers)
if ole.exists('ImageInfo/DataType'):
stream = ole.openstream('ImageInfo/DataType')
data = stream.read()
struct_fmt = '<1I'
datatype = struct.unpack(struct_fmt, data)
datatype = int(datatype[0])
if verbose: print "ImageInfo/DataType: %f " % datatype
if verbose: print 'Reading images - please wait...'
absdata = np.empty((n_cols, n_rows, n_images), dtype=np.float32)
#Read the images - They are stored in ImageData1, ImageData2... Each
#folder contains 100 images 1-100, 101-200...
for i in range(1, nimgs+1):
img_string = "ImageData%i/Image%i" % (np.ceil(i/100.0), i)
stream = ole.openstream(img_string)
data = stream.read()
# 10 float; 5 uint16 (unsigned 16-bit (2-byte) integers)
if datatype == 10:
struct_fmt = "<{}f".format(n_cols*n_rows)
imgdata = struct.unpack(struct_fmt, data)
elif datatype == 5:
struct_fmt = "<{}h".format(n_cols*n_rows)
imgdata = struct.unpack(struct_fmt, data)
else:
print "Wrong data type"
return
absdata[:,:,i-1] = np.reshape(imgdata, (n_cols, n_rows), order='F')
num_x, num_y, num_z = np.shape(absdata)
data = np.swapaxes(data,0,2)
num_z, num_y, num_x = np.shape(absdata)
if x_end is 0:
x_end = num_x
if y_end is 0:
y_end = num_y
if z_end is 0:
z_end = num_z
# Construct dataset from desired z, y, x.
dataset = absdata[z_start:z_end:z_step,
y_start:y_end:y_step,
x_start:x_end:x_step]
ole.close()
except KeyError:
dataset = None
return dataset
