decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

files in ole document not found due to encoding issues #153

Open dfberger opened 7 years ago

dfberger commented 7 years ago

I have an ole document I'm examining, and browse was failing to find streams with this error:

$ olebrowse
lib/python2.7/site-packages/oletools/thirdparty/olefile/olefile.py:1973: UnicodeWarning: Unicode equal comparison failed to convert both arguments to Unicode - interpreting them as being unequal
  if kid.name.lower() == name.lower():

The following patch fixes it, but I'm not sure it's generally correct:

--- /home/dberger/.local/lib/python2.7/site-packages/oletools/thirdparty/olefile/olefile.py.orig    2017-03-29 13:42:26.277034848 -0700
+++ /home/dberger/.local/lib/python2.7/site-packages/oletools/thirdparty/olefile/olefile.py 2017-03-29 13:51:33.122839787 -0700
@@ -1970,7 +1970,7 @@
         node = self.root
         for name in filename:
             for kid in node.kids:
-                if kid.name.lower() == name.lower():
+                if kid.name.lower() == name.encode("utf-8").lower():
                     break
             else:
                 raise IOError("file not found")
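
Review bot: name.encode("utf-8") on the added line is only correct when name is a unicode object and kid.name is a UTF-8 byte string, and nothing in this hunk guarantees either. On Python 2, a caller that passes a byte-string name containing non-ASCII characters makes .encode("utf-8") perform an implicit ASCII decode first and raise UnicodeDecodeError instead of reaching the comparison. On Python 3, if kid.name is a str, comparing it with the bytes result is never equal, so every lookup would fall through to raise IOError("file not found"). Byte-string lower() also does not case-fold multi-byte UTF-8 characters, so the match stops being case-insensitive for non-ASCII stream names. I would normalize both sides to unicode once, before the loop over node.kids, compare unicode to unicode, and add a test that looks up a stream with a non-ASCII name.
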
decalage2 commented 7 years ago

Hi @dfberger, would it be possible to share the file(s) that trigger(s) this error, or the hash(es)? Thanks!

dfberger commented 7 years ago

sample.zip (zip password: "bad stuff", without the quotes). And to be clear, that file is a second-stage payload of a trojan, so caveat emptor.