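def process_file_scanexpr (container, filename, data):
    """
    Process a single file: extract its VBA macros, print each one, then print
    a table of the obfuscated expressions found in the macro code together
    with their evaluated values.

    :param container: str, path and filename of container if the file is within
    a zip archive, None otherwise.
    :param filename: str, path and filename of file on disk, or within the container.
    :param data: bytes, content of the file if it is in a container, None if it is a file on disk.
    :return: None; all results are written to stdout. Errors raised while
    parsing are printed with their traceback and do not abort the caller.
    """
    #TODO: replace print by writing to a provided output file (sys.stdout by default)
    if container:
        display_filename = '%s in %s' % (filename, container)
    else:
        display_filename = filename
    print '='*79
    print 'FILE:', display_filename
    # collapsed code of every non-empty macro, concatenated so that
    # scan_expressions() runs once over the whole document
    all_code = ''
    try:
        #TODO: handle olefile errors, when an OLE file is malformed
        vba = VBA_Parser(filename, data)
        print 'Type:', vba.type
        if vba.detect_vba_macros():
            for (subfilename, stream_path, vba_filename, vba_code) in vba.extract_macros():
                # hide attribute lines:
                #TODO: option to disable attribute filtering
                vba_code_filtered = filter_vba(vba_code)
                print '-'*79
                print 'VBA MACRO %s ' % vba_filename
                print 'in file: %s - OLE stream: %s' % (subfilename, repr(stream_path))
                print '- '*39
                # detect empty macros:
                if vba_code_filtered.strip() == '':
                    print '(empty macro)'
                else:
                    # TODO: option to display code
                    print vba_code_filtered
                    # the unfiltered code is collapsed (continued lines joined)
                    # before it is scanned for expressions
                    vba_code = vba_collapse_long_lines(vba_code)
                    all_code += '\n' + vba_code
            print '-'*79
            print 'EVALUATED VBA EXPRESSIONS:'
            t = prettytable.PrettyTable(('Obfuscated expression', 'Evaluated value'))
            t.align = 'l'
            t.max_width['Obfuscated expression'] = 36
            t.max_width['Evaluated value'] = 36
            for expression, expr_eval in scan_expressions(all_code):
                # repr() keeps newlines/control characters from the document
                # visible instead of letting them break the table layout
                t.add_row((repr(expression), repr(expr_eval)))
            print t
        else:
            print 'No VBA macros found.'
    except Exception:
        # Catch ordinary errors only: a bare 'except:' would also swallow
        # KeyboardInterrupt and SystemExit, making the scan impossible to stop.
        #TODO: print more info if debug mode
        # display the exception with full stack trace for debugging, but do not stop:
        traceback.print_exc()
    print ''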
def process_ole(ole):
    """
    Print a table listing the root entry and every stream/storage of an open
    OLE file together with their modification and creation times.

    :param ole: an open olefile.OleFileIO object
    :return: None; the table is printed to stdout
    """
    headers = ['Stream/Storage name', 'Modification Time', 'Creation Time']
    table = prettytable.PrettyTable(headers)
    table.align = 'l'
    table.max_width = 26
    # the root entry comes first, then every path reported by listdir()
    table.add_row(('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))
    for path in ole.listdir(streams=True, storages=True):
        name = repr('/'.join(path))
        mtime = dt2str(ole.getmtime(path))
        ctime = dt2str(ole.getctime(path))
        table.add_row((name, mtime, ctime))
    print(table)
def main():
    """Called when running this file as script. Shows all info on input file."""
    # print banner with version
    print('oleid %s - http://decalage.info/oletools' % __version__)
    print('THIS IS WORK IN PROGRESS - Check updates regularly!')
    print('Please report any issue at '
          'https://github.com/decalage2/oletools/issues')
    print('')

    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument('input',
                        type=str,
                        nargs='*',
                        metavar='FILE',
                        help='Name of files to process')

    args = parser.parse_args()

    # Print help if no arguments are passed
    if not args.input:
        parser.print_help()
        return

    for filename in args.input:
        _print_indicators(filename)


def _print_indicators(filename):
    """Run OleID on one file and print its indicators as a borderless table."""
    print('Filename:', filename)
    indicators = OleID(filename).check()

    #TODO: add description
    #TODO: highlight suspicious indicators
    table = prettytable.PrettyTable(['Indicator', 'Value'])
    table.align = 'l'
    table.max_width = 39
    table.border = False
    for indicator in indicators:
        table.add_row((indicator.name, indicator.value))

    print(table)
    print('')
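def main():
    """
    Called when running this file as script: print the modification and
    creation times of the root entry and of every stream/storage in the OLE
    file named by the first command-line argument.

    Exits with the module docstring as usage message when no file is given.
    """
    # print banner with version
    print('oletimes %s - http://decalage.info/python/oletools' % __version__)

    try:
        ole = olefile.OleFileIO(sys.argv[1])
    except IndexError:
        sys.exit(__doc__)

    def dt2str(dt):
        """
        Convert a datetime object to a string for display, without microseconds

        :param dt: datetime.datetime object, or None
        :return: str, or None
        """
        if dt is None:
            return None
        dt = dt.replace(microsecond=0)
        return str(dt)

    # Close the file even if listing it raises (e.g. on a malformed OLE file)
    # so the handle is not leaked; the exception itself still propagates.
    try:
        t = prettytable.PrettyTable(
            ['Stream/Storage name', 'Modification Time', 'Creation Time'])
        t.align = 'l'
        t.max_width = 26

        # the root entry is listed first, then every path from listdir()
        t.add_row(
            ('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))

        for obj in ole.listdir(streams=True, storages=True):
            t.add_row((repr('/'.join(obj)), dt2str(ole.getmtime(obj)),
                       dt2str(ole.getctime(obj))))

        print(t)
    finally:
        ole.close()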
def main():
    """Called when running this file as script: print the OleID indicators of every input file."""
    # print banner with version
    print('oleid %s - http://decalage.info/oletools' % __version__)
    print('THIS IS WORK IN PROGRESS - Check updates regularly!')
    print(
        'Please report any issue at https://github.com/decalage2/oletools/issues'
    )
    print('')

    usage = 'usage: %prog [options] <file>'
    parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)

    # no options are defined yet, so only the positional arguments are used
    _options, filenames = parser.parse_args()

    # Print help if no arguments are passed
    if not filenames:
        parser.print_help()
        return

    for filename in filenames:
        print('Filename:', filename)
        indicators = OleID(filename).check()

        #TODO: add description
        #TODO: highlight suspicious indicators
        table = prettytable.PrettyTable(['Indicator', 'Value'])
        table.align = 'l'
        table.max_width = 39
        for indicator in indicators:
            table.add_row((indicator.name, indicator.value))

        print(table)
        print('')