def main():
"""
Main function
"""
try:
filename = sys.argv[1]
except:
filename = easygui.fileopenbox()
try:
ole = olefile.OleFileIO(filename)
listdir = ole.listdir()
streams = []
for direntry in listdir:
#print direntry
streams.append('/'.join(direntry))
streams.append(ABOUT)
streams.append(QUIT)
stream = True
while stream is not None:
msg = "Select a stream, or press Esc to exit"
title = "olebrowse"
stream = easygui.choicebox(msg, title, streams)
if stream is None or stream == QUIT:
break
if stream == ABOUT:
about()
else:
browse_stream(ole, stream)
except:
easygui.exceptionbox()
def main():
try:
ole = olefile.OleFileIO(sys.argv[1])
except IndexError:
sys.exit(__doc__)
# parse and display metadata:
meta = ole.get_metadata()
# console output with UTF8 encoding:
# It looks like we do not need the UTF8 codec anymore, both for Python 2 and 3
console_utf8 = sys.stdout #codecs.getwriter('utf8')(sys.stdout)
# TODO: move similar code to a function
print('Properties from the SummaryInformation stream:')
t = tablestream.TableStream([21, 30],
header_row=['Property', 'Value'],
outfile=console_utf8)
for prop in meta.SUMMARY_ATTRIBS:
value = getattr(meta, prop)
if value is not None:
# TODO: pretty printing for strings, dates, numbers
# TODO: better unicode handling
# print('- %s: %s' % (prop, value))
# if isinstance(value, unicode):
# # encode to UTF8, avoiding errors
# value = value.encode('utf-8', errors='replace')
# else:
# value = str(value)
t.write_row([prop, value], colors=[None, 'yellow'])
t.close()
print('')
print('Properties from the DocumentSummaryInformation stream:')
t = tablestream.TableStream([21, 30],
header_row=['Property', 'Value'],
outfile=console_utf8)
for prop in meta.DOCSUM_ATTRIBS:
value = getattr(meta, prop)
if value is not None:
# TODO: pretty printing for strings, dates, numbers
# TODO: better unicode handling
# print('- %s: %s' % (prop, value))
# if isinstance(value, unicode):
# # encode to UTF8, avoiding errors
# value = value.encode('utf-8', errors='replace')
# else:
# value = str(value)
t.write_row([prop, value], colors=[None, 'yellow'])
t.close()
ole.close()
def check(self):
# check if it is actually an OLE file:
oleformat = Indicator('ole_format', True, name='OLE format')
self.indicators.append(oleformat)
if not olefile.isOleFile(self.filename):
oleformat.value = False
return self.indicators
# parse file:
self.ole = olefile.OleFileIO(self.filename)
# checks:
self.check_properties()
self.check_encrypted()
self.check_word()
self.check_excel()
self.check_powerpoint()
self.check_visio()
self.check_ObjectPool()
self.check_flash()
self.ole.close()
return self.indicators
def main():
# print banner with version
print('oletimes %s - http://decalage.info/python/oletools' % __version__)
try:
ole = olefile.OleFileIO(sys.argv[1])
except IndexError:
sys.exit(__doc__)
def dt2str(dt):
"""
Convert a datetime object to a string for display, without microseconds
:param dt: datetime.datetime object, or None
:return: str, or None
"""
if dt is None:
return None
dt = dt.replace(microsecond=0)
return str(dt)
t = prettytable.PrettyTable(
['Stream/Storage name', 'Modification Time', 'Creation Time'])
t.align = 'l'
t.max_width = 26
#t.border = False
#print'- Root mtime=%s ctime=%s' % (ole.root.getmtime(), ole.root.getctime())
t.add_row(
('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))
for obj in ole.listdir(streams=True, storages=True):
#print '- %s: mtime=%s ctime=%s' % (repr('/'.join(obj)), ole.getmtime(obj), ole.getctime(obj))
t.add_row((repr('/'.join(obj)), dt2str(ole.getmtime(obj)),
dt2str(ole.getctime(obj))))
print(t)
ole.close()
# TODO:
# + optparse
# + nicer output: table with fixed columns, datetime, etc
# + CSV output
# + option to only show available timestamps (by default?)
#=== IMPORTS =================================================================
import sys, datetime
import thirdparty.olefile as olefile
from thirdparty.prettytable import prettytable
#=== MAIN =================================================================
try:
ole = olefile.OleFileIO(sys.argv[1])
except IndexError:
sys.exit(__doc__)
def dt2str(dt):
"""
Convert a datetime object to a string for display, without microseconds
:param dt: datetime.datetime object, or None
:return: str, or None
"""
if dt is None:
return None
dt = dt.replace(microsecond=0)
return str(dt)
def main():
# Scenarios:
# Scan file for SWF(s)
# Scan file for SWF(s) and extract them
# Scan file for SWF(s) and scan them with Yara
# Scan file for SWF(s), extract them and scan with Yara
# Scan directory recursively for files that contain SWF(s)
# Scan directory recursively for files that contain SWF(s) and extract them
usage = 'usage: %prog [options] <file.bad>'
parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)
parser.add_option(
'-x',
'--extract',
action='store_true',
dest='extract',
help=
'Extracts the embedded SWF(s), names it MD5HASH.swf & saves it in the working dir. No addition args needed'
)
parser.add_option(
'-y',
'--yara',
action='store_true',
dest='yara',
help=
'Scans the SWF(s) with yara. If the SWF(s) is compressed it will be deflated. No addition args needed'
)
parser.add_option(
'-s',
'--md5scan',
action='store_true',
dest='md5scan',
help=
'Scans the SWF(s) for MD5 signatures. Please see func checkMD5 to define hashes. No addition args needed'
)
parser.add_option(
'-H',
'--header',
action='store_true',
dest='header',
help='Displays the SWFs file header. No addition args needed')
parser.add_option('-d',
'--decompress',
action='store_true',
dest='decompress',
help='Deflates compressed SWFS(s)')
parser.add_option(
'-r',
'--recdir',
dest='PATH',
type='string',
help=
'Will recursively scan a directory for files that contain SWFs. Must provide path in quotes'
)
parser.add_option('-c',
'--compress',
action='store_true',
dest='compress',
help='Compresses the SWF using Zlib')
parser.add_option(
'-o',
'--ole',
action='store_true',
dest='ole',
help=
'Parse an OLE file (e.g. Word, Excel) to look for SWF in each stream')
parser.add_option(
'-f',
'--rtf',
action='store_true',
dest='rtf',
help='Parse an RTF file to look for SWF in each embedded object')
(options, args) = parser.parse_args()
# Print help if no arguments are passed
if len(args) == 0:
parser.print_help()
return
# OLE MODE:
if options.ole:
for filename in args:
ole = olefile.OleFileIO(filename)
for direntry in ole.direntries:
if direntry is not None and direntry.entry_type == olefile.STGTY_STREAM:
f = ole._open(direntry.isectStart, direntry.size)
# check if data contains the SWF magic: FWS or CWS
data = f.getvalue()
if 'FWS' in data or 'CWS' in data:
print 'OLE stream: %s' % repr(direntry.name)
# call xxxswf to scan or extract Flash files:
xxxswf.disneyland(f, direntry.name, options)
f.close()
ole.close()
# RTF MODE:
elif options.rtf:
for filename in args:
for index, data in rtfobj.rtf_iter_objects(filename):
if 'FWS' in data or 'CWS' in data:
print 'RTF embedded object size %d at index %08X' % (
len(data), index)
f = StringIO.StringIO(data)
name = 'RTF_embedded_object_%08X' % index
# call xxxswf to scan or extract Flash files:
xxxswf.disneyland(f, name, options)
else:
xxxswf.main()