cuckoosandbox / monitor

The new Cuckoo Monitor.
GNU General Public License v3.0

vbe6 hooks does not cover later office apps? #27

Open kevross33 opened 8 years ago

kevross33 commented 8 years ago

Hi,

Looking through this, I noticed it covers VBE6: https://github.com/cuckoosandbox/monitor/blob/master/sigs/office.rst. I was hoping this would let me dynamically analyze Office files better and create signatures for them (something I have wanted for a while in Cuckoo, given all the Office downloaders).

Now, I don't really understand the hooking, nor do I think I have the ability to add the hooks myself unless there is an easy framework for doing this that doesn't take too much tinkering, but I think other VBE versions need to be covered.

For instance, I have Office 2010 on some of my images; from what I understand this uses vbe7.dll, and instrumenting it is covered here for WinDbg: https://hiddencodes.wordpress.com/2015/05/18/instrument-microsoft-office-applications-to-defeat-macro-obfuscations/. So, as well as vbe6_StringConcat, things like vbe7_StringConcat would need to be hooked too, as well as other versions of Office, to handle this?

If it should be hooking vbe6 in Office 2010 onwards, I can see it is not showing these hooked results on mine, so let me know what info you need to investigate why and I will provide it. Thank you very much.

kevross33 commented 8 years ago

Would it also be possible to hook OleConvertOLESTREAMToIStorage for RTF decoding, as mentioned here: https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html

jbremer commented 8 years ago

Unfortunately, only Office 2007 as of yet. Regarding your request, I added that a little while ago as well: https://github.com/cuckoosandbox/monitor/blob/master/sigs/ole.rst#oleconvertolestreamtoistorage. The issue, though, is that this dumps a plain OLE1 file, I believe they call it, and I couldn't find any existing tools to work with OLE1 files. I believe it is possible to convert it to an OLE2 structure with some Windows API usage, but that obviously requires some additional work.
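
The OLE1 blob discussed in the comment above follows the OLE1.0 ObjectHeader layout from MS-OLEDS (OLEVersion, FormatID, then length-prefixed ANSI class/topic/item names, then NativeDataSize and NativeData for an embedded object). The parser below is an added example, not code from this thread or from the monitor project; it assumes the OleConvertOLESTREAMToIStorage hook writes the raw OLESTREAM bytes to disk unchanged (an assumption) and runs against a constructed sample rather than a real dump. It also shows the check a practitioner wants next: whether NativeData itself starts with the compound-file magic, in which case ordinary OLE2 tooling applies to it directly.

```python
import struct
from dataclasses import dataclass

# Compound File Binary (OLE2) signature; if NativeData starts with it,
# olefile/oletools can open the payload without any Windows API.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# MS-OLEDS ObjectHeader.FormatID values for the top-level object.
FORMAT_IDS = {0x00000001: "LinkedObject", 0x00000002: "EmbeddedObject"}


@dataclass
class Ole1Object:
    ole_version: int
    format_id: int
    class_name: str
    topic_name: str
    item_name: str
    native_data: bytes
    trailing: bytes  # bytes after NativeData (presentation object); not parsed here

    @property
    def format_name(self) -> str:
        return FORMAT_IDS.get(self.format_id, "unknown(0x%08x)" % self.format_id)

    @property
    def native_is_cfb(self) -> bool:
        return self.native_data.startswith(CFB_MAGIC)


def _read_u32(buf: bytes, off: int):
    if off + 4 > len(buf):
        raise ValueError("truncated: need 4 bytes at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _read_lp_ansi(buf: bytes, off: int):
    # LengthPrefixedAnsiString: 4-byte length that includes the NUL terminator,
    # followed by that many bytes. Length 0 means no string bytes at all.
    length, off = _read_u32(buf, off)
    if length == 0:
        return "", off
    if off + length > len(buf):
        raise ValueError("truncated: string of %d bytes at offset %d" % (length, off))
    raw = buf[off:off + length]
    return raw.rstrip(b"\x00").decode("latin-1"), off + length


def parse_ole1(buf: bytes) -> Ole1Object:
    """Parse an OLE1.0 object stream (the OLESTREAM input to OleConvertOLESTREAMToIStorage)."""
    off = 0
    ole_version, off = _read_u32(buf, off)
    format_id, off = _read_u32(buf, off)
    if format_id not in FORMAT_IDS:
        raise ValueError("unexpected FormatID 0x%08x" % format_id)
    class_name, off = _read_lp_ansi(buf, off)
    topic_name, off = _read_lp_ansi(buf, off)
    item_name, off = _read_lp_ansi(buf, off)
    native = b""
    if format_id == 0x00000002:
        # EmbeddedObject: NativeDataSize then NativeData. Bound the size by the
        # buffer so a lying header cannot make us slice past the end silently.
        size, off = _read_u32(buf, off)
        if off + size > len(buf):
            raise ValueError("NativeDataSize %d exceeds buffer at offset %d" % (size, off))
        native = buf[off:off + size]
        off += size
    # LinkedObject carries link fields instead of NativeData; left in `trailing`.
    return Ole1Object(ole_version, format_id, class_name, topic_name, item_name,
                      native, buf[off:])


def build_sample() -> bytes:
    """Constructed sample OLE1 stream (not a real capture): an embedded object whose
    NativeData is a stand-in beginning with the CFB magic."""
    def lp(s: str) -> bytes:
        if not s:
            return struct.pack("<I", 0)
        raw = s.encode("latin-1") + b"\x00"
        return struct.pack("<I", len(raw)) + raw

    native = CFB_MAGIC + b"\x00" * 24  # a real payload would be a full compound file
    return (struct.pack("<II", 0x00000501, 0x00000002)   # OLEVersion, FormatID=Embedded
            + lp("Word.Document.8") + lp("") + lp("")    # ClassName, TopicName, ItemName
            + struct.pack("<I", len(native)) + native    # NativeDataSize, NativeData
            + struct.pack("<II", 0x00000501, 0))          # presentation header, FormatID 0


if __name__ == "__main__":
    obj = parse_ole1(build_sample())
    print(obj.format_name, obj.class_name, "CFB payload:", obj.native_is_cfb,
          "native bytes:", len(obj.native_data), "trailing bytes:", len(obj.trailing))
```

Run it against the file the hook dumps instead of `build_sample()`; when `native_is_cfb` is true, hand `native_data` to olefile/oletools, and when it is false (for example a `Package` class name), the bytes are the embedding server's own format and need a format-specific carver.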

jbremer commented 8 years ago

I do plan to add other versions of Office, it's just that one can only focus on so many things at once. Thanks for the continuous requests, though! Keep 'em coming :-)

kevross33 commented 8 years ago

Hi,

Yes, I understand this; I was just unsure, as it wasn't noted as Office 2007 (not that it would be). Unfortunately this bit is beyond me or I would just get it done; I have been looking at the API stuff, though, and while I haven't wrapped my head around that, I want to see if I can figure out enough to get some more of the hooks that I have requested, although I hope my signature stuff will be somewhat helpful. Thanks for the response :-)

On 22 July 2016 at 09:41, Jurriaan Bremer notifications@github.com wrote:

I do plan to add other versions of Office, it's just that one can only focus on so many things at once.
