decalage2 / ViperMonkey

A VBA parser and emulation engine to analyze malicious macros.

vmonkey, read_ole_fields: use zipfile with in-memory buffer instead of temp file #107

Open decalage2 opened 3 years ago

decalage2 commented 3 years ago

In several places a temporary file on disk is used to parse a zip file and extract files. It should all be done in memory to avoid issues with temp files. (search for "unzip", "/tmp", "tempfile", ...)

Issues due to temp files on disk:

decalage2 commented 3 years ago

done for vmonkey/pull_embedded_pe_files in commit b0fb1b2772846f17e1f57a711edd32bf9cca79c6
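
The in-memory approach this issue asks for, shown as an added example that is not ViperMonkey's own code (Python 3). The names `read_zip_members`, `build_sample_docm` and `MAX_MEMBER_SIZE`, and the size cap itself, are assumptions made for illustration; the sample document is constructed inline.

```python
import io
import zipfile

MAX_MEMBER_SIZE = 50 * 1024 * 1024  # assumed cap on decompressed bytes per member

def read_zip_members(data, wanted_suffixes=(".bin",), max_size=MAX_MEMBER_SIZE):
    """Return {member_name: bytes} for matching members of a zip held in memory.

    Nothing is written to disk, so member names (even ones such as
    "../../x.bin") are only ever used as dictionary keys, never as paths.
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return {}
    found = {}
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(wanted_suffixes):
                continue
            # The size recorded in the zip header comes from the sample and
            # cannot be trusted: read one byte past the cap and check the
            # real decompressed length instead.
            with zf.open(info) as member:
                content = member.read(max_size + 1)
            if len(content) > max_size:
                continue  # oversized member (possible zip bomb): skip it
            found[info.filename] = content
    return found

def build_sample_docm():
    """Constructed sample: a minimal zip laid out like an OOXML .docm file."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
        zf.writestr("word/embeddings/oleObject1.bin", b"A" * 4096)
    return out.getvalue()

if __name__ == "__main__":
    for name, content in read_zip_members(build_sample_docm()).items():
        print(name, len(content))
```

The returned bytes can be passed to further parsers through `io.BytesIO` as well, so no stage of the analysis leaves sample content in a temp directory.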