def test_encrypted(self): """ check that encrypted files lead to non-zero exit status Currently, only the encryption applied by Office 2010 (CryptoApi RC4 Encryption) is tested. """ CRYPT_DIR = join(BASE_DIR, 'encrypted') have_crypto = check_msoffcrypto() for filename in os.listdir(CRYPT_DIR): if have_crypto and 'standardpassword' in filename: # these are automagically decrypted self.do_test_validity(join(CRYPT_DIR, filename)) elif have_crypto: self.do_test_validity(join(CRYPT_DIR, filename), WrongEncryptionPassword) else: self.do_test_validity(join(CRYPT_DIR, filename), CryptoLibNotImported)
"""Check decryption of files from msodde works.""" import sys import unittest from os.path import basename, join as pjoin from tests.test_utils import DATA_BASE_DIR, call_and_capture from oletools import crypto @unittest.skipIf(not crypto.check_msoffcrypto(), 'Module msoffcrypto not installed for {}'.format( basename(sys.executable))) class MsoddeCryptoTest(unittest.TestCase): """Test integration of decryption in msodde.""" def test_standard_password(self): """Check dde-link is found in xls[mb] sample files.""" for suffix in 'xls', 'xlsx', 'xlsm', 'xlsb': example_file = pjoin(DATA_BASE_DIR, 'encrypted', 'dde-test-encrypt-standardpassword.' + suffix) output, _ = call_and_capture('msodde', [ example_file, ]) self.assertIn('\nDDE Links:\ncmd /c calc.exe\n', output, msg='Unexpected output {!r} for {}'.format( output, suffix)) # TODO: add more, in particular a sample with a "proper" password
"""Check decryption of files from olevba works.""" import sys import unittest import os from os.path import join as pjoin from subprocess import check_output, CalledProcessError import json from collections import OrderedDict from tests.test_utils import DATA_BASE_DIR, SOURCE_BASE_DIR from oletools import crypto @unittest.skipIf(not crypto.check_msoffcrypto(), 'Module msoffcrypto not installed for python{}.{}' .format(sys.version_info.major, sys.version_info.minor)) class OlevbaCryptoWriteProtectTest(unittest.TestCase): """ Test documents that are 'write-protected' through encryption. Excel has a way to 'write-protect' documents by encrypting them with a hard-coded standard password. When looking at the file-structure you see an OLE-file with streams `EncryptedPackage`, `StrongEncryptionSpace`, and `EncryptionInfo`. Contained in the first is the actual file. When opening such a file in excel, it is decrypted without the user noticing. Olevba should detect such encryption, try to decrypt with the standard password and look for VBA code in the decrypted file.