From f34a8c1c7f6ce3206d9685de4f3a45bbc6414fbb Mon Sep 17 00:00:00 2001 From: decalage2 Date: Thu, 29 Jun 2017 22:50:00 +0200 Subject: [PATCH] updated doc for v0.51 --- oletools/README.html | 60 +++++++------- oletools/README.rst | 159 ++++++++++++----------------------- oletools/doc/Home.html | 4 +- oletools/doc/Home.md | 2 +- oletools/doc/License.html | 4 +- oletools/doc/License.md | 2 +- oletools/doc/mraptor.html | 1 + oletools/doc/olebrowse.html | 3 + oletools/doc/oledir.html | 1 + oletools/doc/oleid.html | 56 ++++++++----- oletools/doc/olemap.html | 2 + oletools/doc/olemeta.html | 1 + oletools/doc/olevba.html | 160 ++++++++++++++++++++---------------- oletools/doc/rtfobj.html | 49 +++++++---- 14 files changed, 256 insertions(+), 248 deletions(-) diff --git a/oletools/README.html b/oletools/README.html index 2e40975b..5a3199ec 100644 --- a/oletools/README.html +++ b/oletools/README.html @@ -9,12 +9,24 @@

python-oletools

-

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

+

oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.

Quick links: Home page - Download/Install - Documentation - Report Issues/Suggestions/Questions - Contact the Author - Repository - Updates on Twitter

Note: python-oletools is not related to OLETools published by BeCubed Software.

News

-

Tools in python-oletools:

+

See the full changelog for more information.

+

Tools:

Projects using oletools:

-

oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, pcodedmp and probably VirusTotal. (Please contact me if you have or know a project using oletools)

+

oletools are used by a number of projects and online malware analysis services, including Viper, REMnux, FAME, Hybrid-analysis.com, Joe Sandbox, Deepviz, Laika BOSS, Cuckoo Sandbox, Anlyz.io, ViperMonkey, pcodedmp, dridex.malwareconfig.com, and probably VirusTotal. (Please contact me if you have or know a project using oletools)

Download and Install:

-

To use python-oletools from the command line as analysis tools, you may simply download the latest release archive and extract the files into the directory of your choice.

-

You may also download the latest development version with the most recent features.

-

Another possibility is to use a git client to clone the repository (https://github.com/decalage2/oletools.git) into a folder. You can then update it easily in the future.

-

If you plan to use python-oletools with other Python applications or your own scripts, then the simplest solution is to use "pip install oletools" or "easy_install oletools" to download and install in one go. Otherwise you may download/extract the zip archive and run "setup.py install".

-

Important: to update oletools if it is already installed, you must run "pip install -U oletools", otherwise pip will not update it.

+

The recommended way to download and install/update the latest stable release of oletools is to use pip:

+ +

This should automatically create command-line scripts to run each tool from any directory: olevba, mraptor, rtfobj, etc.

+

To get the latest development version instead:

+ +

See the documentation for other installation options.

Documentation:

The latest version of the documentation can be found online, otherwise a copy is provided in the doc subfolder of the package.

How to Suggest Improvements, Report Issues or Contribute:
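Review bot: the rewritten "Download and Install" text no longer carries the removed warning that an existing install is only upgraded with "pip install -U oletools, otherwise pip will not update it"; the new sentence just says "install/update ... is to use pip:". The command blocks themselves are not visible in this rendering, so please confirm the pip line includes -U, and consider keeping a one-sentence upgrade note beside it: for a parser that is pointed at malicious documents, silently staying on an old release is worth calling out. The repository URL (https://github.com/decalage2/oletools.git) is also removed from the prose; keeping it next to "To get the latest development version instead:" would make the source of the development install explicit in the README itself.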

@@ -75,7 +75,7 @@

How to Suggest

The code is available in a GitHub repository. You may use it to submit enhancements using forks and pull requests.

License

This license applies to the python-oletools package, apart from the thirdparty folder which contains third-party files published with their own license.

-

The python-oletools package is copyright (c) 2012-2016 Philippe Lagadec (http://www.decalage.info)

+

The python-oletools package is copyright (c) 2012-2017 Philippe Lagadec (http://www.decalage.info)

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Example:

-
for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
-    print '-'*79
-    print 'Filename    :', filename
-    print 'OLE stream  :', stream_path
-    print 'VBA filename:', vba_filename
-    print '- '*39
-    print vba_code
+
for (filename, stream_path, vba_filename, vba_code) in vbaparser.extract_macros():
+    print '-'*79
+    print 'Filename    :', filename
+    print 'OLE stream  :', stream_path
+    print 'VBA filename:', vba_filename
+    print '- '*39
+    print vba_code

Alternatively, the VBA_Parser method extract_all_macros returns the same results as a list of tuples.

Analyze VBA Source Code

Since version 0.40, the VBA_Parser class provides simpler methods than VBA_Scanner to analyze all macros contained in a file:
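Review bot: every line of the extract_macros example (print '-'*79, print 'Filename    :', filename, print vba_code) is a Python 2 print statement and fails to parse under Python 3. The removed and added lines read identically here, so the block is being re-emitted with only markup changes; this would be a good point to switch to a form such as print('Filename    : %s' % filename), which gives the same output on both interpreters. The same comment applies to the other print-based examples later in this file.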

@@ -265,24 +283,24 @@

Analyze VBA Source Code

  • description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
  • Example:

    -
    results = vbaparser.analyze_macros()
    -for kw_type, keyword, description in results:
    -    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
    +
    results = vbaparser.analyze_macros()
    +for kw_type, keyword, description in results:
    +    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)

    After calling analyze_macros, the following VBA_Parser attributes also provide the number of items found for each category:

    -
    print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
    -print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
    -print 'IOCs: %d' % vbaparser.nb_iocs
    -print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
    -print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
    -print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
    -print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings
    +
    print 'AutoExec keywords: %d' % vbaparser.nb_autoexec
    +print 'Suspicious keywords: %d' % vbaparser.nb_suspicious
    +print 'IOCs: %d' % vbaparser.nb_iocs
    +print 'Hex obfuscated strings: %d' % vbaparser.nb_hexstrings
    +print 'Base64 obfuscated strings: %d' % vbaparser.nb_base64strings
    +print 'Dridex obfuscated strings: %d' % vbaparser.nb_dridexstrings
    +print 'VBA obfuscated strings: %d' % vbaparser.nb_vbastrings

    Deobfuscate VBA Macro Source Code

    The method reveal attempts to deobfuscate the macro source code by replacing all the obfuscated strings by their decoded content. Returns a single string.

    Example:

    -
    print vbaparser.reveal()
    +
    print vbaparser.reveal()

    Close the VBA_Parser

    After usage, it is better to call the close method of the VBA_Parser object, to make sure the file is closed, especially if your application is parsing many files.

    -
    vbaparser.close()
    +
    vbaparser.close()

    Deprecated API

    The following methods and functions are still functional, but their usage is not recommended since they have been replaced by better solutions.
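Review bot: the "Close the VBA_Parser" example at the end of this hunk shows a bare vbaparser.close(), while the text says closing matters "especially if your application is parsing many files". In that batch case, if analyze_macros() or reveal() raises on one file the close call is never reached, so the example should show the calls wrapped in try/finally with vbaparser.close() in the finally clause. Separately, the context line "For obfuscated strings, it is the encoded value of the string" leaves it implicit what the keyword field holds in that case; one more clause stating that would remove the ambiguity for anyone consuming the (kw_type, keyword, description) tuples.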

    @@ -297,54 +315,54 @@

    VBA_Scanner (deprecated)

  • description provides a description of the keyword. For obfuscated strings, it is the encoded value of the string.
  • Example:

    -
    vba_scanner = VBA_Scanner(vba_code)
    -results = vba_scanner.scan(include_decoded_strings=True)
    -for kw_type, keyword, description in results:
    -    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
    +
    vba_scanner = VBA_Scanner(vba_code)
    +results = vba_scanner.scan(include_decoded_strings=True)
    +for kw_type, keyword, description in results:
    +    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)

    The function scan_vba is a shortcut for VBA_Scanner(vba_code).scan():

    -
    results = scan_vba(vba_code, include_decoded_strings=True)
    -for kw_type, keyword, description in results:
    -    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)
    +
    results = scan_vba(vba_code, include_decoded_strings=True)
    +for kw_type, keyword, description in results:
    +    print 'type=%s - keyword=%s - description=%s' % (kw_type, keyword, description)

    scan_summary returns a tuple with the number of items found for each category: (autoexec, suspicious, IOCs, hex, base64, dridex).

    Detect auto-executable macros (deprecated)

    Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.

    The function detect_autoexec checks if VBA macro code contains specific macro names that will be triggered when the document/workbook is opened, closed, changed, etc.

    It returns a list of tuples containing two strings, the detected keyword, and the description of the trigger. (See the malware example above)

    Sample usage:

    -
    from oletools.olevba import detect_autoexec
    -autoexec_keywords = detect_autoexec(vba_code)
    -if autoexec_keywords:
    -    print 'Auto-executable macro keywords found:'
    -    for keyword, description in autoexec_keywords:
    -        print '%s: %s' % (keyword, description)
    -else:
    -    print 'Auto-executable macro keywords: None found'
    +
    from oletools.olevba import detect_autoexec
    +autoexec_keywords = detect_autoexec(vba_code)
    +if autoexec_keywords:
    +    print 'Auto-executable macro keywords found:'
    +    for keyword, description in autoexec_keywords:
    +        print '%s: %s' % (keyword, description)
    +else:
    +    print 'Auto-executable macro keywords: None found'

    Detect suspicious VBA keywords (deprecated)

    Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.

    The function detect_suspicious checks if VBA macro code contains specific keywords often used by malware to act on the system (create files, run commands or applications, write to the registry, etc).

    It returns a list of tuples containing two strings, the detected keyword, and the description of the corresponding malicious behaviour. (See the malware example above)

    Sample usage:

    -
    from oletools.olevba import detect_suspicious
    -suspicious_keywords = detect_suspicious(vba_code)
    -if suspicious_keywords:
    -    print 'Suspicious VBA keywords found:'
    -    for keyword, description in suspicious_keywords:
    -        print '%s: %s' % (keyword, description)
    -else:
    -    print 'Suspicious VBA keywords: None found'
    +
    from oletools.olevba import detect_suspicious
    +suspicious_keywords = detect_suspicious(vba_code)
    +if suspicious_keywords:
    +    print 'Suspicious VBA keywords found:'
    +    for keyword, description in suspicious_keywords:
    +        print '%s: %s' % (keyword, description)
    +else:
    +    print 'Suspicious VBA keywords: None found'

    Extract potential IOCs (deprecated)

    Deprecated: It is preferable to use either scan_vba or VBA_Scanner to get all results at once.

    The function detect_patterns checks if VBA macro code contains specific patterns of interest, that may be useful for malware analysis and detection (potential Indicators of Compromise): IP addresses, e-mail addresses, URLs, executable file names.

    It returns a list of tuples containing two strings, the pattern type, and the extracted value. (See the malware example above)

    Sample usage:

    -
    from oletools.olevba import detect_patterns
    -patterns = detect_patterns(vba_code)
    -if patterns:
    -    print 'Patterns found:'
    -    for pattern_type, value in patterns:
    -        print '%s: %s' % (pattern_type, value)
    -else:
    -    print 'Patterns: None found'
    +
    from oletools.olevba import detect_patterns
    +patterns = detect_patterns(vba_code)
    +if patterns:
    +    print 'Patterns found:'
    +    for pattern_type, value in patterns:
    +        print '%s: %s' % (pattern_type, value)
    +else:
    +    print 'Patterns: None found'

    python-oletools documentation
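Review bot: the three deprecation notices in this hunk ("It is preferable to use either scan_vba or VBA_Scanner to get all results at once") send readers to APIs that this same section marks as deprecated ("VBA_Scanner (deprecated)", and scan_vba documented as its shortcut). Since the text above says VBA_Parser "provides simpler methods than VBA_Scanner" from version 0.40, these notices should point to VBA_Parser.analyze_macros instead. Also, scan_summary is documented as returning six counts, "(autoexec, suspicious, IOCs, hex, base64, dridex)", while the VBA_Parser attributes list a seventh category (nb_vbastrings); please state whether the tuple omits VBA obfuscated strings or the description is out of date, since callers unpacking the tuple depend on its length.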