The oletools package can parse the OLE content embedded in the various Office file formats without Office itself being installed.
Installation
root@66d4e20ec1d7:/par# python3 pip.pyz install oletools --break-system-packages
Collecting oletools
Downloading oletools-0.60.2-py2.py3-none-any.whl.metadata (16 kB)
...
Installing collected packages: easygui, pyparsing, pycparser, colorclass, cffi, cryptography, msoffcrypto-tool, pcodedmp, oletools
Successfully installed cffi-2.0.0 colorclass-2.2.2 cryptography-46.0.3 easygui-0.98.3 msoffcrypto-tool-5.4.2 oletools-0.60.2 pcodedmp-1.2.6 pycparser-2.23 pyparsing-3.2.5
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager, possibly rendering your system unusable. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv. Use the --root-user-action option if you know what you are doing and want to suppress this warning.
Usage
1. Extract the VBA code from an xlsm file and report on it
root@66d4e20ec1d7:/par# olevba duckdb-odbc.xlsm
olevba 0.60.2 on Python 3.11.2 - http://decalage.info/python/oletools
===============================================================================
FILE: duckdb-odbc.xlsm
Type: OpenXML
WARNING For now, VBA stomping cannot be detected for files in memory
-------------------------------------------------------------------------------
VBA MACRO ThisWorkbook.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/ThisWorkbook'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Sheet2.cls
in file: xl/vbaProject.bin - OLE stream: 'VBA/Sheet2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub ReadCsv()
DuckDB.Execute "select encode(columns(*)) from read_csv('C:/Users/redraiment/Desktop/gbk.csv', encoding='zh_CN.GBK', header=true)", range("A1")
End Sub
-------------------------------------------------------------------------------
VBA MACRO DuckDB.bas
in file: xl/vbaProject.bin - OLE stream: 'VBA/DuckDB'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Function Strip(bytes() As Byte) As Byte()
Dim offset As Long
If UBound(bytes) >= 2 Then
If bytes(0) = &HFF And bytes(1) = &HFE Then
offset = 2
Else
offset = 0
End If
End If
If offset > 0 Then
Dim output() As Byte
ReDim output(UBound(bytes) - offset) As Byte
Dim index As Long
For index = 0 To UBound(output)
output(index) = bytes(index + offset)
Next index
Strip = output
Else
Strip = bytes
End If
End Function
...
+----------+--------------------+---------------------------------------------+
|Type |Keyword |Description |
+----------+--------------------+---------------------------------------------+
|Suspicious|Open |May open a file |
|Suspicious|Write |May write to a file (if combined with Open) |
|Suspicious|output |May write to a file (if combined with Open) |
|Suspicious|Binary |May read or write a binary file (if combined |
| | |with Open) |
|Suspicious|ADODB.Stream |May create a text file |
|Suspicious|WriteText |May create a text file |
|Suspicious|CreateObject |May create an OLE object |
|Suspicious|Hex Strings |Hex-encoded strings were detected, may be |
| | |used to obfuscate strings (option --decode to|
| | |see all) |
|Suspicious|VBA Stomping |VBA Stomping was detected: the VBA source |
| | |code and P-code are different, this may have |
| | |been used to hide malicious code |
+----------+--------------------+---------------------------------------------+
VBA Stomping detection is experimental: please report any false positive/negative at https://github.com/decalage2/oletools/issues
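The Suspicious table above is produced by keyword heuristics, so every row is a hint to read the code rather than a verdict. The following is an added example, not olevba's own code: a small re-implementation of that keyword scan in Python, run on an excerpt of the Strip() function printed above plus one constructed line carrying a hex string. The function names analyze_vba and decode_hex_strings, the sample SAMPLE_VBA and the hex-string regex are assumptions made for this example; the keyword descriptions are copied from the table on this page.

```python
# Added example (not olevba's own code): a re-implementation of the keyword
# heuristics behind the Suspicious table, run on an excerpt of Strip() from this
# page plus one constructed line that carries a hex string.
import re

# Keyword -> description, copied from the olevba table on this page (subset).
SUSPICIOUS_KEYWORDS = {
    "Open": "May open a file",
    "Write": "May write to a file (if combined with Open)",
    "Output": "May write to a file (if combined with Open)",
    "Binary": "May read or write a binary file (if combined with Open)",
    "ADODB.Stream": "May create a text file",
    "WriteText": "May create a text file",
    "CreateObject": "May create an OLE object",
}

# Quoted run of at least 8 hex digits. This is an assumption about the shape of
# olevba's own hex-string regex, not a copy of it.
HEX_STRING_RE = re.compile(r'"((?:[0-9A-Fa-f]{2}){4,})"')

# Constructed sample: the first lines of Strip() as printed by olevba above, plus
# the `payload` line, which is not on the page and only exists to trigger the
# hex-string heuristic.
SAMPLE_VBA = """Function Strip(bytes() As Byte) As Byte()
Dim offset As Long
If UBound(bytes) >= 2 Then
If bytes(0) = &HFF And bytes(1) = &HFE Then
offset = 2
Else
offset = 0
End If
End If
If offset > 0 Then
Dim output() As Byte
ReDim output(UBound(bytes) - offset) As Byte
Dim payload As String: payload = "48656C6C6F"
End Function
"""


def analyze_vba(vba_code: str) -> list:
    """Return (type, keyword, description) tuples, the shape of olevba's table."""
    results = []
    for keyword, description in SUSPICIOUS_KEYWORDS.items():
        # Whole-word, case-insensitive match: VBA identifiers are case-insensitive,
        # so a variable named `output` is indistinguishable from the Output keyword.
        if re.search(r"(?i)\b" + re.escape(keyword) + r"\b", vba_code):
            results.append(("Suspicious", keyword, description))
    if HEX_STRING_RE.search(vba_code):
        results.append(("Suspicious", "Hex Strings",
                        "Hex-encoded strings were detected, may be used to obfuscate strings"))
    return results


def decode_hex_strings(vba_code: str) -> list:
    """What olevba's --decode option shows: the bytes behind each hex string."""
    return [bytes.fromhex(h).decode("latin-1") for h in HEX_STRING_RE.findall(vba_code)]


if __name__ == "__main__":
    for row in analyze_vba(SAMPLE_VBA):
        print("|".join(row))
    print(decode_hex_strings(SAMPLE_VBA))
```

Running it flags "Output" on the sample even though Strip() never touches a file: the hit comes from nothing more than the `output` array variable, which is very likely also where the "output" row in the olevba table above comes from. The "Hex Strings" row is worth following up with olevba's --decode option, which prints what the hex strings decode to, the same thing decode_hex_strings does here.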
2. Inspect what a docx file contains
root@66d4e20ec1d7:/par# oleid test1.docx
oleid 0.60.1 - http://decalage.info/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
Filename: test1.docx
--------------------+--------------------+----------+--------------------------
Indicator |Value |Risk |Description
--------------------+--------------------+----------+--------------------------
File format |MS Word 2007+ |info |
|Document (.docx) | |
--------------------+--------------------+----------+--------------------------
Container format |OpenXML |info |Container type
--------------------+--------------------+----------+--------------------------
Encrypted |False |none |The file is not encrypted
--------------------+--------------------+----------+--------------------------
VBA Macros |No |none |This file does not contain
| | |VBA macros.
--------------------+--------------------+----------+--------------------------
XLM Macros |No |none |This file does not contain
| | |Excel 4/XLM macros.
--------------------+--------------------+----------+--------------------------
External |0 |none |External relationships
Relationships | | |such as remote templates,
| | |remote OLE objects, etc
--------------------+--------------------+----------+--------------------------
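Three of the indicators oleid prints above (VBA Macros, XLM Macros, External Relationships) can be checked directly on the OpenXML container, because a docx/xlsm is a zip archive whose parts and *.rels files describe everything it references. The following is an added example in Python, not oletools code, that reproduces those three checks with the standard library alone. The function names triage_openxml and build_sample, the in-memory sample package and the URL https://example.invalid/template.dotm are assumptions made for this example; the sample is only docx-shaped and is not a real Word document.

```python
# Added example (not oletools code): reproduce three of the oleid indicators shown
# above on an OpenXML package using only the standard library. The sample docx
# is constructed in memory and is not a real Word document.
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def triage_openxml(data: bytes) -> dict:
    """Return oleid-style indicators for the OpenXML package held in `data`."""
    result = {"vba_macros": False, "xlm_macros": False, "external_relationships": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # A VBA project is always stored as a vbaProject.bin part (word/, xl/ or
        # ppt/); that is the OLE file olevba opens to reach streams like 'VBA/DuckDB'.
        result["vba_macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Excel 4 / XLM macro sheets are separate parts under xl/macrosheets/.
        result["xlm_macros"] = any(n.startswith("xl/macrosheets/") for n in names)
        # Every *.rels part lists the relationships of one part. A relationship with
        # TargetMode="External" points outside the package (remote template, OLE link).
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode") == "External":
                    rel_kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    result["external_relationships"].append(
                        (name, rel_kind, rel.get("Target")))
    return result


def build_sample(with_macros: bool, template_url: Optional[str]) -> bytes:
    """Construct a minimal docx-shaped package (constructed test input, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        rels = ""
        if template_url is not None:
            # An attachedTemplate relationship with an external target is the
            # "remote template" case that oleid's External Relationships row counts.
            rels = ('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (REL_TYPE_TEMPLATE, template_url))
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, rels))
        if with_macros:
            # Placeholder bytes standing in for a real OLE2 vbaProject.bin part.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False, None)),
                       ("macros + remote template",
                        build_sample(True, "https://example.invalid/template.dotm"))):
        print(label, triage_openxml(doc))
```

The clean sample yields the same picture as the oleid output for test1.docx above (no VBA, no XLM, zero external relationships); the second sample shows what a non-zero External Relationships count corresponds to inside the package. Presence of a part is all this checks; whether the macros themselves are suspicious is what olevba's analysis in section 1 is for.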
3. Inspect the vbaProject.bin extracted from the xlsm file
root@66d4e20ec1d7:/par# olemeta vbaProject.bin
olemeta 0.54 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues
===============================================================================
FILE: vbaProject.bin
Properties from the SummaryInformation stream:
+---------------------+------------------------------+
|Property |Value |
+---------------------+------------------------------+
+---------------------+------------------------------+
Properties from the DocumentSummaryInformation stream:
+---------------------+------------------------------+
|Property |Value |
+---------------------+------------------------------+
+---------------------+------------------------------+