decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

handle new record in new vbaproject.bin if present #819

Closed beauvankirk closed 9 months ago

beauvankirk commented 12 months ago

In one of the recent updates to the MS-OVBA Office VBA File Format Structure specs, a new 10-byte CompatVersionRecord block was added to the PROJECTINFORMATION block:

image image

The record is identified with id 0x004A:

image

The insertion of this new record leads to corrupt/failed parsing of the remainder of the PROJECTINFORMATION record. For my use case this was the source of this issue: https://github.com/decalage2/oletools/issues/811.

Adding a conditional check to skip over this new 10-byte record if encountered resolved the issue for me. This is a pretty targeted/brittle solution... I'm not sure if there is a more robust route (this was my first time actually diving into the file format).
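As an added example (not code from this PR or from oletools): a minimal parser for the head of PROJECTINFORMATION that peeks for the optional 0x004A record instead of assuming PROJECTLCID directly follows PROJECTSYSKIND, so both old and new `vbaProject.bin` dir streams parse with the same code. The record ids other than 0x004A come from MS-OVBA; the sample bytes, names and values are constructed for the demonstration.

```python
import struct

# Record ids of the PROJECTINFORMATION head (MS-OVBA 2.3.4.2.1), in stream order
PROJECTSYSKIND_ID = 0x0001
PROJECTCOMPATVERSION_ID = 0x004A  # the new optional record: Id(2) + Size(4) + Version(4) = 10 bytes
PROJECTLCID_ID = 0x0002
PROJECTLCIDINVOKE_ID = 0x0014
PROJECTCODEPAGE_ID = 0x0003
PROJECTNAME_ID = 0x0004

def _read_record(buf, pos, expected_id):
    """Read one Id/Size/Data record at pos; return (data, new_pos), raise if the Id is wrong."""
    rec_id, size = struct.unpack_from("<HI", buf, pos)
    if rec_id != expected_id:
        raise ValueError("offset %d: expected id 0x%04X, got 0x%04X" % (pos, expected_id, rec_id))
    pos += 6
    data = buf[pos:pos + size]
    if len(data) != size:
        raise ValueError("record 0x%04X is truncated" % rec_id)
    return data, pos + size

def parse_project_information_head(buf):
    """Parse PROJECTSYSKIND .. PROJECTNAME, skipping PROJECTCOMPATVERSION when present."""
    info = {"compat_version": None}
    data, pos = _read_record(buf, 0, PROJECTSYSKIND_ID)
    info["syskind"] = struct.unpack("<I", data)[0]
    # Peek at the next Id: consume 0x004A only if it is really there, so older streams still parse
    if struct.unpack_from("<H", buf, pos)[0] == PROJECTCOMPATVERSION_ID:
        data, pos = _read_record(buf, pos, PROJECTCOMPATVERSION_ID)
        info["compat_version"] = struct.unpack("<I", data)[0]
    data, pos = _read_record(buf, pos, PROJECTLCID_ID)
    info["lcid"] = struct.unpack("<I", data)[0]
    data, pos = _read_record(buf, pos, PROJECTLCIDINVOKE_ID)
    info["lcid_invoke"] = struct.unpack("<I", data)[0]
    data, pos = _read_record(buf, pos, PROJECTCODEPAGE_ID)
    info["codepage"] = struct.unpack("<H", data)[0]
    data, pos = _read_record(buf, pos, PROJECTNAME_ID)
    info["name"] = data.decode("cp%d" % info["codepage"])
    return info, pos

def build_sample_head(with_compat_version):
    """Constructed dir-stream prefix for testing (assumed values, not taken from a real file)."""
    rec = lambda rid, data: struct.pack("<HI", rid, len(data)) + data
    buf = rec(PROJECTSYSKIND_ID, struct.pack("<I", 3))  # SysKind 3 = 64-bit Windows
    if with_compat_version:
        buf += rec(PROJECTCOMPATVERSION_ID, struct.pack("<I", 2))
    buf += rec(PROJECTLCID_ID, struct.pack("<I", 0x0409))
    buf += rec(PROJECTLCIDINVOKE_ID, struct.pack("<I", 0x0409))
    buf += rec(PROJECTCODEPAGE_ID, struct.pack("<H", 1252))
    return buf + rec(PROJECTNAME_ID, b"VBAProject")
```

Without the peek, a stream carrying the 0x004A record would be read as PROJECTLCID with Id 0x004A and Lcid 0x0004, which is exactly the cascade of "expected ... got ..." warnings olevba prints.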

DevDmitryHub commented 11 months ago

Similar PR: https://github.com/decalage2/oletools/pull/723. I faced the same issue on the latest stable version (oletools-0.60.1) for an Excel worksheet in XLSM format, so I hope for a fix soon.

olevba 0.60.1 on Python 3.11.0 - http://decalage.info/python/oletools
===============================================================================
FILE: .\vbaProject.bin
Type: OLE
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0004
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "C:\Python311\Lib\site-packages\oletools-0.60.1-py3.11.egg\oletools\olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "C:\Python311\Lib\site-packages\oletools-0.60.1-py3.11.egg\oletools\olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python311\Lib\site-packages\oletools-0.60.1-py3.11.egg\oletools\olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
beauvankirk commented 11 months ago

Apologies, I searched for prior issues, hence linking #811, and I thought I had searched PRs as well, but I missed that preexisting PR.

christian-intra2net commented 9 months ago

I reviewed #723 and this one and I suggest merging the other one as it includes test data and actually parses the record. It just needs a rebase onto main.