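def process_file_scanexpr(container, filename, data):
    """
    Process a single file: list its VBA macros and print the obfuscated
    expressions that could be evaluated from them.

    :param container: str, path and filename of container if the file is
        within a zip archive, None otherwise.
    :param filename: str, path and filename of file on disk, or within
        the container.
    :param data: bytes, content of the file if it is in a container,
        None if it is a file on disk.

    Errors raised while parsing (the input is untrusted and may be
    malformed or hostile) are reported with a traceback and do not stop
    the caller; they are not re-raised.
    """
    # TODO: replace print by writing to a provided output file (sys.stdout by default)
    if container:
        display_filename = '%s in %s' % (filename, container)
    else:
        display_filename = filename
    print('=' * 79)
    print('FILE: %s' % display_filename)
    # code of every non-empty macro, collected for expression scanning
    code_parts = []
    try:
        # TODO: handle olefile errors, when an OLE file is malformed
        vba = VBA_Parser(filename, data)
        print('Type: %s' % vba.type)
        if vba.detect_vba_macros():
            for (subfilename, stream_path, vba_filename, vba_code) in vba.extract_macros():
                # hide attribute lines:
                # TODO: option to disable attribute filtering
                vba_code_filtered = filter_vba(vba_code)
                print('-' * 79)
                print('VBA MACRO %s ' % vba_filename)
                print('in file: %s - OLE stream: %s' % (subfilename, repr(stream_path)))
                print('- ' * 39)
                # detect empty macros:
                if vba_code_filtered.strip() == '':
                    print('(empty macro)')
                else:
                    # TODO: option to display code
                    print(vba_code_filtered)
                    # the unfiltered code is what gets scanned, with
                    # line continuations joined so expressions are whole
                    code_parts.append(vba_collapse_long_lines(vba_code))
            # each macro is prefixed by a newline, as the original '+='
            # accumulation did; str.join avoids quadratic concatenation
            all_code = ''.join('\n' + part for part in code_parts)
            print('-' * 79)
            print('EVALUATED VBA EXPRESSIONS:')
            t = prettytable.PrettyTable(('Obfuscated expression', 'Evaluated value'))
            t.align = 'l'
            t.max_width['Obfuscated expression'] = 36
            t.max_width['Evaluated value'] = 36
            for expression, expr_eval in scan_expressions(all_code):
                t.add_row((repr(expression), repr(expr_eval)))
            print(t)
        else:
            print('No VBA macros found.')
    except Exception:
        # Only Exception, not a bare except: a bare except would also
        # swallow KeyboardInterrupt/SystemExit and make the tool
        # un-interruptible on a hostile or huge input.
        # TODO: print more info if debug mode
        # display the exception with full stack trace for debugging, but do not stop:
        traceback.print_exc()
    print('')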
def process_ole(ole):
    """
    Print a table with the modification and creation time of the root
    entry and of every stream and storage of an open OLE file.

    :param ole: an opened olefile.OleFileIO object
    """
    def make_row(label, entry):
        # entry is None for the root, otherwise a path list from listdir()
        if entry is None:
            return (label, dt2str(ole.root.getmtime()), dt2str(ole.root.getctime()))
        return (label, dt2str(ole.getmtime(entry)), dt2str(ole.getctime(entry)))

    table = prettytable.PrettyTable(['Stream/Storage name', 'Modification Time', 'Creation Time'])
    table.align = 'l'
    table.max_width = 26
    table.add_row(make_row('Root', None))
    for entry in ole.listdir(streams=True, storages=True):
        table.add_row(make_row(repr('/'.join(entry)), entry))
    print(table)
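def main():
    """Called when running this file as script. Shows all info on input file.

    Every file given on the command line is analysed in turn. A file that
    cannot be parsed (the inputs are untrusted and frequently malformed
    or malicious) is reported with a traceback and skipped, so one bad
    sample does not abort the rest of the batch.
    """
    import traceback

    # print banner with version
    print('oleid %s - http://decalage.info/oletools' % __version__)
    print('THIS IS WORK IN PROGRESS - Check updates regularly!')
    print('Please report any issue at '
          'https://github.com/decalage2/oletools/issues')
    print('')
    parser = argparse.ArgumentParser(description=__doc__)
    parser.add_argument('input', type=str, nargs='*', metavar='FILE',
                        help='Name of files to process')
    args = parser.parse_args()
    # Print help if no arguments are passed
    if not args.input:
        parser.print_help()
        return
    for filename in args.input:
        print('Filename:', filename)
        try:
            oleid = OleID(filename)
            indicators = oleid.check()
        except Exception:
            # report and continue with the next file instead of crashing
            traceback.print_exc()
            print('')
            continue
        # TODO: add description
        # TODO: highlight suspicious indicators
        table = prettytable.PrettyTable(['Indicator', 'Value'])
        table.align = 'l'
        table.max_width = 39
        table.border = False
        for indicator in indicators:
            table.add_row((indicator.name, indicator.value))
        print(table)
        print('')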
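def main():
    """Called when running this file as script.

    Prints the creation and modification time of the root entry and of
    every stream/storage of the OLE file named by the first command-line
    argument; exits with the module docstring as usage when no argument
    is given.
    """
    # print banner with version
    print('oletimes %s - http://decalage.info/python/oletools' % __version__)
    # Keep only the argv lookup inside the try: the original wrapped the
    # olefile constructor too, so an IndexError raised while parsing a
    # malformed (possibly hostile) file was misreported as "no argument"
    # and replaced by the usage text.
    try:
        path = sys.argv[1]
    except IndexError:
        sys.exit(__doc__)
    ole = olefile.OleFileIO(path)

    def dt2str(dt):
        """
        Convert a datetime object to a string for display, without microseconds

        :param dt: datetime.datetime object, or None
        :return: str, or None
        """
        if dt is None:
            return None
        dt = dt.replace(microsecond=0)
        return str(dt)

    # close the file even if listing or timestamp decoding raises
    try:
        t = prettytable.PrettyTable(
            ['Stream/Storage name', 'Modification Time', 'Creation Time'])
        t.align = 'l'
        t.max_width = 26
        t.add_row(
            ('Root', dt2str(ole.root.getmtime()), dt2str(ole.root.getctime())))
        for obj in ole.listdir(streams=True, storages=True):
            t.add_row((repr('/'.join(obj)), dt2str(ole.getmtime(obj)),
                       dt2str(ole.getctime(obj))))
        print(t)
    finally:
        ole.close()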
def main():
    """Script entry point: print the OleID indicators of each file given
    on the command line, or the help text when no file is given."""
    def report(path):
        # analyse one file and print its indicators as a table
        print('Filename:', path)
        found = OleID(path).check()
        # TODO: add description
        # TODO: highlight suspicious indicators
        table = prettytable.PrettyTable(['Indicator', 'Value'])
        table.align = 'l'
        table.max_width = 39
        for item in found:
            table.add_row((item.name, item.value))
        print(table)
        print('')

    # print banner with version
    print('oleid %s - http://decalage.info/oletools' % __version__)
    print('THIS IS WORK IN PROGRESS - Check updates regularly!')
    print(
        'Please report any issue at https://github.com/decalage2/oletools/issues'
    )
    print('')
    usage = 'usage: %prog [options] <file>'
    parser = optparse.OptionParser(usage=__doc__ + '\n' + usage)
    _options, paths = parser.parse_args()
    # Print help if no arguments are passed
    if not paths:
        parser.print_help()
        return
    for path in paths:
        report(path)