Analysing malicious Office macro samples with the OLE tool suite (oletools)

This article introduces oletools, a suite for analysing Office documents, with a focus on checking samples for malicious macros. Using olevba and the other tools, it shows how to spot a sample's potential threats, such as a Shell command inside an AutoOpen macro and Base64-encoded strings.


0. Introduction: an overview of the OLE tool suite

oletools is a set of tools with strong analysis capabilities, developed specifically for Office documents. This section covers installing and using the Python 2.7-based oletools.

(1) Python version requirement: 2.7.9 or later

(2) Installation: pip install -U https://github.com/decalage2/oletools/archive/master.zip

(3) Usage: in CMD, PowerShell or a Linux shell, each tool's name is used directly as a command.

1. The tools:

1) mraptor: checks whether a sample is malicious.

The result is SUSPICIOUS; of the three AWX flags, only the write flag (W) is absent. A stands for auto-execution (the macro runs without user action), X for execution of external commands or code.
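To make the AWX verdict above concrete, here is an added example (not part of the original article and not oletools' own code) that applies the same A/W/X idea to VBA source text and also lists long Base64-looking strings, the other indicator the article mentions. The keyword lists are a small hand-picked subset chosen for illustration, not mraptor's real rule set, and both sample macros are constructed for this example.

```python
"""Simplified VBA macro triage in the spirit of mraptor's A/W/X flags.

Added example, not part of the original article and not oletools' own
code. The keyword lists are a small hand-picked subset chosen for
illustration, not mraptor's real rule set, and the sample macros below
are constructed.
"""
import base64
import re

# A: auto-executing entry points (the macro runs without a user action)
AUTOEXEC = re.compile(
    r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Document_Close|"
    r"Workbook_Open|Workbook_Activate)\b", re.IGNORECASE)
# W: writes to the file system or registry
WRITE = re.compile(
    r"(\bOpen\b.+\bFor\s+(Output|Binary|Append)\b|\b(Put|Print)\s*#|"
    r"\b(SaveToFile|RegWrite|CopyFile)\b)", re.IGNORECASE)
# X: execution of commands or external code
EXEC = re.compile(
    r"\b(Shell|ShellExecute|CreateObject|CreateProcess|WScript\.Shell|Run|Exec)\b",
    re.IGNORECASE)
# long runs of the Base64 alphabet, typical of an embedded payload
BASE64 = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def triage(vba_source):
    """Return the A/W/X flag string, Base64-looking strings and a verdict.

    Verdict rule (same spirit as mraptor): an auto-exec trigger (A) combined
    with write (W) or execute (X) behaviour is reported as SUSPICIOUS.
    """
    flags = {
        "A": bool(AUTOEXEC.search(vba_source)),
        "W": bool(WRITE.search(vba_source)),
        "X": bool(EXEC.search(vba_source)),
    }
    suspicious = flags["A"] and (flags["W"] or flags["X"])
    return {
        "flags": "".join(k if v else "-" for k, v in flags.items()),
        "base64_strings": [m.group(0) for m in BASE64.finditer(vba_source)],
        "verdict": "SUSPICIOUS" if suspicious else "NONE",
    }


def decode_base64_strings(found):
    """Decode the candidates so an analyst can see what they carry.

    Strings that are not valid Base64 (regex false positives) are skipped
    rather than raising.
    """
    decoded = []
    for s in found:
        try:
            decoded.append(base64.b64decode(s, validate=True))
        except (ValueError, TypeError):
            continue
    return decoded


# Constructed sample macros (harmless): an auto-run macro that launches a
# command and carries a Base64 blob, and an ordinary formatting macro.
B64_SAMPLE = base64.b64encode(b"constructed sample text for this demo").decode()
SUSPICIOUS_VBA = """
Sub AutoOpen()
    Dim payload As String
    payload = "%s"
    Shell "cmd.exe /c echo triage-demo", vbHide
End Sub
""" % B64_SAMPLE
BENIGN_VBA = """
Sub FormatReport()
    ActiveDocument.Range.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_VBA), ("benign", BENIGN_VBA)):
        result = triage(src)
        print(label, result["flags"], result["verdict"],
              decode_base64_strings(result["base64_strings"]))
```

Run as a script it reports the first macro as `A-X SUSPICIOUS` with the decoded blob, and the second as `--- NONE`, which is the same shape of output the article reads off mraptor. The decoder deliberately swallows invalid input: a 40-character run of letters in a comment should be skipped, not crash the triage.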

2) olebrowse: a small "browser" for viewing the contents of an OLE file.

3) oledir: shows the OLE directory inside a document.

The OLE directory is a data structure that holds the names of the file's streams and the locations of their data (see [MS-CFB]). Each directory entry may be in use or completely empty.

4) olemap: shows the file's FAT (sector allocation table).
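The two views that oledir and olemap give (directory entries and the FAT sector map) come from the same [MS-CFB] structures, so here is one added example, not from the article and not oletools' own code, that reads both. To run offline it first builds a tiny constructed CFB image in memory (header, one FAT sector, one directory sector, one data sector) and then parses it with plain struct calls. Two simplifications are labelled in the code: DIFAT entries stored outside the header and the mini stream are not handled, both of which oledir and olemap do handle.

```python
"""Minimal [MS-CFB] reader: lists the directory entries (what oledir shows)
and the FAT sector map (what olemap shows).

Added example, not from the article and not oletools' own code. The image
parsed below is constructed in memory. Limitations, labelled as such:
DIFAT entries held outside the header and the mini stream are not handled.
"""
import struct

ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}
DIR_ENTRY = "<64sHBBIII16sIQQIQ"   # one 128-byte directory entry
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SECTOR = 512
PAYLOAD = b"constructed stream payload"   # constructed stream content


def _dir_entry(name, etype, child=NOSTREAM, start=ENDOFCHAIN, size=0):
    raw = name.encode("utf-16-le") + b"\x00\x00"   # name is UTF-16LE, NUL-terminated
    return struct.pack(DIR_ENTRY, raw.ljust(64, b"\x00"), len(raw), etype, 1,
                       NOSTREAM, NOSTREAM, child, b"\x00" * 16, 0, 0, 0, start, size)


def build_sample_cfb():
    """Constructed image: sector 0 = FAT, sector 1 = directory, sector 2 = data.

    A real writer would put a stream this small in the mini stream; keeping it
    in a regular sector is enough to show the FAT chain walk.
    """
    header = struct.pack("<8s16sHHHHH6sIIIIIIIII", CFB_MAGIC, b"\x00" * 16,
                         0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *([FREESECT] * 108))   # DIFAT: the FAT is sector 0
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (SECTOR // 4 - 3)
    fat_sector = struct.pack("<%dI" % (SECTOR // 4), *fat)
    dir_sector = (_dir_entry("Root Entry", 5, child=1)
                  + _dir_entry("WordDocument", 2, start=2, size=len(PAYLOAD))
                  ).ljust(SECTOR, b"\x00")   # trailing entries stay type 0 (empty)
    return header + fat_sector + dir_sector + PAYLOAD.ljust(SECTOR, b"\x00")


def parse_header(img):
    if img[:8] != CFB_MAGIC:
        raise ValueError("not a CFB file: bad signature")
    (sector_shift,) = struct.unpack_from("<H", img, 30)
    num_fat, first_dir = struct.unpack_from("<II", img, 44)
    difat = struct.unpack_from("<109I", img, 76)
    return 1 << sector_shift, num_fat, first_dir, difat


def sector(img, sec_size, n):
    """Sector n starts at (n + 1) * sec_size: the header occupies 'sector -1'."""
    off = (n + 1) * sec_size
    if off + sec_size > len(img):
        raise ValueError("sector %d lies beyond the end of the file" % n)
    return img[off:off + sec_size]


def read_fat(img):
    sec_size, num_fat, _, difat = parse_header(img)
    fat = []
    for loc in difat[:num_fat]:   # only the 109 DIFAT slots in the header
        fat.extend(struct.unpack("<%dI" % (sec_size // 4), sector(img, sec_size, loc)))
    return fat


def chain(fat, start):
    """Follow a FAT chain; refuse to spin forever on a corrupt or crafted FAT."""
    seen, cur = [], start
    while cur < len(fat):   # ENDOFCHAIN/FREESECT/FATSECT are >= len(fat) and stop the walk
        if cur in seen:
            raise ValueError("FAT chain loops back to sector %d" % cur)
        seen.append(cur)
        cur = fat[cur]
    return seen


def read_directory(img):
    sec_size, _, first_dir, _ = parse_header(img)
    fat, entries, idx = read_fat(img), [], 0
    for sec in chain(fat, first_dir):
        blob = sector(img, sec_size, sec)
        for off in range(0, sec_size, 128):
            f = struct.unpack_from(DIR_ENTRY, blob, off)
            name, nlen, etype, left, right, child, start, size = (
                f[0], f[1], f[2], f[4], f[5], f[6], f[11], f[12])
            if etype != 0:   # skip unused entries but keep their ids
                entries.append({"id": idx, "name": name[:max(nlen - 2, 0)].decode("utf-16-le"),
                                "type": ENTRY_TYPES.get(etype, "unknown"),
                                "left": left, "right": right, "child": child,
                                "start": start, "size": size})
            idx += 1
    return entries


def read_stream(img, entry):
    sec_size = parse_header(img)[0]
    data = b"".join(sector(img, sec_size, s) for s in chain(read_fat(img), entry["start"]))
    return data[:entry["size"]]


def fat_map(img):
    """olemap-style view: what the FAT says about each sector."""
    labels = {ENDOFCHAIN: "ENDOFCHAIN", FATSECT: "FAT", FREESECT: "FREE"}
    return [(i, labels.get(v, "-> %d" % v)) for i, v in enumerate(read_fat(img))]


if __name__ == "__main__":
    img = build_sample_cfb()
    for e in read_directory(img):
        print("%2d %-8s %-16s start=%d size=%d" % (e["id"], e["type"], e["name"], e["start"], e["size"]))
    for i, label in fat_map(img)[:4]:
        print("sector %d: %s" % (i, label))
```

The loop guard in `chain` is the part worth keeping when adapting this to real samples: a crafted FAT whose chain points back on itself is exactly the kind of malformed input a triage script meets, and without the check a reader would hang instead of reporting the file as corrupt.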

```c
/*
   cole - A free C OLE library.
   cole_extract - Extract a file from a filesystem.
   Copyright 1998, 1999  Roberto Arturo Tena Sanchez

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
/* Arturo Tena */

#include <stdio.h>
#include <stdlib.h>
/* To compile this file outside the cole source tree, you must include
   <cole.h> here instead */
#include "cole.h"

#define PRGNAME "iOLE"
#define BUFFER_SIZE 128

int
main (int argc, char **argv)
{
  COLEFS *cfs;
  COLEFILE *cf;
  COLERRNO colerrno;
  char buffer[BUFFER_SIZE];
  size_t char_read;

  if (argc != 3) {
    fprintf (stderr, "cole_extract. Extract a file from a "
             "filesystem to the standard output.\n"
             "Usage: " PRGNAME " <FILE> <INFILE>\n"
             "  FILE   - File with the filesystem.\n"
             "  INFILE - Filename of the file to extract.\n");
    exit (1);
  }
  printf ("%s", argv[1]);

  /* mount the compound file, then open the named stream inside it */
  cfs = cole_mount (argv[1], &colerrno);
  if (cfs == NULL) {
    cole_perror (PRGNAME, colerrno);
    exit (1);
  }
  cf = cole_fopen (cfs, argv[2], &colerrno);
  if (cf == NULL) {
    cole_perror (PRGNAME, colerrno);
    cole_umount (cfs, NULL);
    exit (1);
  }

  /* copy the stream to stdout in BUFFER_SIZE chunks */
  while ((char_read = cole_fread (cf, buffer, BUFFER_SIZE, &colerrno))) {
    if (fwrite (buffer, 1, char_read, stdout) != char_read) {
      break;
    }
  }
  if (!cole_feof (cf)) {
    cole_perror (PRGNAME, colerrno);
    cole_umount (cfs, NULL);
    exit (1);
  }

  /* The page's copy of the source breaks off at this call; the remaining
     close/unmount checks follow the same pattern as the checks above. */
  if (cole_fclose (cf, &colerrno)) {
    cole_perror (PRGNAME, colerrno);
    cole_umount (cfs, NULL);
    exit (1);
  }
  if (cole_umount (cfs, &colerrno)) {
    cole_perror (PRGNAME, colerrno);
    exit (1);
  }
  return 0;
}
```