decalage2 / oletools

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.
http://www.decalage.info/python/oletools

Olevba not expecting optional ProjectCompatVersion record #833

Closed Beakerboy closed 5 months ago

Beakerboy commented 7 months ago

Affected tool: olevba

Describe the bug: MS-OVBA defines an optional attribute in the Dir Stream called the ProjectCompatVersion record. If this record is present in the dir stream, I receive the following error:

Type: OLE
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0003
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba

How To Reproduce the bug: Version 0.0.10 of this file has the optional record, version 0.0.11 does not.

wget https://github.com/Beakerboy/VBA-CI-CD-Test/releases/download/0.0.10/Addin.xlam
mv Addin.xlam Addin.0.0.10.zip
unzip Addin.0.0.10.zip -d Addin.0.0.10
olevba -a Addin.0.0.10/xl/vbaProject.bin

Expected behavior: The file should parse fine with the presence of the optional record.

Version information:
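
The misparse in the log above can be reproduced on a constructed, already-decompressed dir-stream prefix, next to a reader that treats the record with id 004A as optional. This is an added example, not code from olevba or PR #723; the function names and sample values (SysKind 1, compat value 3, code page 1252, name VBAProject) are assumptions.

```python
import io
import struct

# Record ids: 0x004A, 0x0002, 0x0014, 0x0003, 0x0004 appear in the warnings above;
# 0x0001 (PROJECTSYSKIND) is from MS-OVBA.
SYSKIND, COMPAT, LCID, LCIDINVOKE, CODEPAGE, NAME = 0x01, 0x4A, 0x02, 0x14, 0x03, 0x04

def rec(rid, payload):
    """Serialize one record: 2-byte id, 4-byte size, payload (little-endian)."""
    return struct.pack("<HI", rid, len(payload)) + payload

def build_dir_prefix(with_compat):
    """Constructed sample: start of a decompressed dir stream (values assumed)."""
    out = rec(SYSKIND, struct.pack("<I", 1))
    if with_compat:
        out += rec(COMPAT, struct.pack("<I", 3))
    out += rec(LCID, struct.pack("<I", 0x0409)) + rec(LCIDINVOKE, struct.pack("<I", 0x0409))
    return out + rec(CODEPAGE, struct.pack("<H", 1252)) + rec(NAME, b"VBAProject")

def parse_fixed_order(data):
    """Fixed-offset reader that assumes LCID follows SYSKIND directly."""
    s = io.BytesIO(data)
    s.read(10 + 10 + 10 + 8)  # SYSKIND, LCID, LCIDINVOKE, CODEPAGE widths
    return struct.unpack("<HI", s.read(6))  # (PROJECTNAME id, name size)

def read_record(s):
    """Read one id/size/payload record, rejecting truncated input."""
    hdr = s.read(6)
    if len(hdr) < 6:
        raise ValueError("truncated record header")
    rid, size = struct.unpack("<HI", hdr)
    payload = s.read(size)
    if len(payload) != size:
        raise ValueError("truncated payload for record %04X" % rid)
    return rid, payload

def parse_tolerant(data):
    """Reader that treats the compat-version record as optional."""
    s, info = io.BytesIO(data), {}
    for want in (SYSKIND, COMPAT, LCID, LCIDINVOKE, CODEPAGE, NAME):
        pos = s.tell()
        rid, payload = read_record(s)
        if rid != want:
            if want == COMPAT:  # optional record absent: rewind and move on
                s.seek(pos)
                continue
            raise ValueError("expected id %04X, got %04X" % (want, rid))
        if want == NAME and not 1 <= len(payload) <= 128:
            raise ValueError("project name size not in range [1-128]")
        info[want] = payload
    return info
```

With the optional record present, `parse_fixed_order` lands 10 bytes early and reads a PROJECTNAME id of 0000 and a name size of 131075, the same values as in the log above; `parse_tolerant` reads both variants.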

decalage2 commented 7 months ago

Hi, I think this issue should be fixed with PR #723, but I haven't had time to test it yet.

Beakerboy commented 7 months ago

@decalage2 Thanks! The 0.0.11 version of that Addin seems to pass the examination of olevba, but Excel complains that:

the file format or file extension is not valid.
Verify that the file has not been corrupted and that the file extension matches the format of the file.

Let me know if you can think of any other places in the vbaProject.bin file that errors could be hiding.

decalage2 commented 5 months ago

The error shown above is now fixed thanks to PR #723, so I close this issue.

However, there seems to be another XML parsing issue with your XLAM file: xml.etree.ElementTree.ParseError: XML declaration not well-formed: line 1, column 49

Beakerboy commented 5 months ago

Thanks for the update. What program is displaying that xml error? I’ve inspected the XML files and they all appear to start with:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

So is there a problem with the “yes”? Does it indicate which XML file has the issue?

decalage2 commented 5 months ago

I don't know what the actual problem is, but I get this error when parsing your latest releases of addin.xlam up to 0.0.14 with olevba. The error comes from the ElementTree XML parser, not from olevba itself.

Beakerboy commented 5 months ago

The header for olevba.py says the supported formats include Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb).

xlam is not listed. Do Excel add-ins have a format that olevba cannot handle?

decalage2 commented 5 months ago

AFAIK, XLAM is very similar to an Excel file with macros (XLSM), so normally olevba works fine. In your case, there seems to be a slight XML issue somewhere. Does your file work with Excel?

Beakerboy commented 5 months ago

No, it does not, which is why I was investigating it with olevba and found the earlier error. I'll see if I can find out which line in olevba is raising the exception and add a try/except block to isolate the issue in my file.

decalage2 commented 5 months ago

The issue is in the file _rels/.rels, there is standalone=true instead of yes