lmco / laikaboss

Laika BOSS: Object Scanning System
Apache License 2.0

New Explode Module: EXPLODE_RTF #62

Open askkemp opened 7 years ago

askkemp commented 7 years ago

explode_rtf.py is a scanning module to explode the objects inside an RTF. It uses rtfobj from decalage's oletools to perform the object extraction.

Input is an RTF. Output is extracted embedded objects in the RTF file. Output types can be OLE, OLE package, or just a raw object. Extracted objects will have appropriate file headers if they are not a raw object type (all part of decalage's code). The EXPLODE_RTF module also adds metadata about the object when possible. An example of the module's function is below. I have included running rtfobj against a sample RTF followed by the metadata output created by the RTF module and the output files.

[user@localhost laikaboss]# rtfobj mysample.rtf
rtfobj 0.50 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS - Check updates regularly!
Please report any issue at https://github.com/decalage2/oletools/issues

===============================================================================
File: 'mysample.rtf' - size: 223826 bytes
---+----------+-------------------------------+-------------------------------
id |index     |OLE Object                     |OLE Package
---+----------+-------------------------------+-------------------------------
0  |000000D1h |format_id: 2                   |Filename: '1.jpg'
   |          |class name: 'Package'          |Source path: 'C:\\Documents and
   |          |data size: 108421              |Settings\\user\\Meus
   |          |                               |doc\\sdd2ss
   |          |                               |imagens\\1.jpg'
   |          |                               |Temp path = 'C:\\Documents and
   |          |                               |Settings\\user\\Meus
   |          |                               |doc\\sdd2ss
   |          |                               |imagens\\2.jpg'
---+----------+-------------------------------+-------------------------------
[user@localhost laikaboss]# python laika.py mysample.rtf
...
      "EXPLODE_RTF": {
        "Parsed_Objects_Metadata": {
          "Index": 0,
          "Temp Path": "C:\\Documents and Settings\\user\\Meus doc\\sdd2ss imagens\\2.jpg",
          "Type": "OLEPackage",
          "Source Patch": "C:\\Documents and Settings\\user\\Meus doc\\sdd2ss imagens\\1.jpg",
          "Filename": "1.jpg"
        }
...
[user@localhost laikaboss]# ls -lart ~/EXPLODED/c80f57df-e2bb-49ac-9014-f96016b4975a
e0a35273-1ad5-4e0a-a35e-b87e4cc4411e
..
e_rtf_object_000000D1.olepackage -> e0a35273-1ad5-4e0a-a35e-b87e4cc4411e
result.json
mysample.rtf -> c80f57df-e2bb-49ac-9014-f96016b4975a
c80f57df-e2bb-49ac-9014-f96016b4975a

Note: Requires a dispatch (dispatch.yara) addition.

rule type_is_rtf
{
    meta:
        scan_modules = "EXPLODE_RTF"
        file_type = "rtf"
    condition:
        uint32(0) == 0x74725c7b
}
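As an added illustration of what the module delegates to rtfobj (this is not code from the PR, from laikaboss or from oletools): a small pure-Python parser that pulls the hex `\objdata` payload out of an RTF, decodes the OLE1 object header and, when the class name is `Package`, the OLE Package stream, and returns metadata with the same keys as the EXPLODE_RTF output above (a non-Package object comes back as `Type: OLE` with its raw data). The sample RTF is constructed inline, the field layout follows the OLE1/Package stream formats as rtfobj reads them, and the function names are my own.

```python
import re
import struct
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")  # hex body of {\*\objdata ...}

def _lp_ansi(buf, pos):  # OLE1 LengthPrefixedAnsiString: uint32 length (incl. NUL), then bytes
    (n,) = struct.unpack_from("<I", buf, pos)
    return buf[pos + 4:pos + 4 + n].rstrip(b"\x00").decode("latin-1"), pos + 4 + n
def _cstr(buf, pos):  # NUL-terminated string inside an OLE Package stream
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("latin-1"), end + 1

def parse_ole1_object(blob):
    """Decode one OLE1 object stream; unwrap the Package stream when the class is 'Package'."""
    _version, format_id = struct.unpack_from("<II", blob, 0)
    class_name, pos = _lp_ansi(blob, 8)
    _topic, pos = _lp_ansi(blob, pos)
    _item, pos = _lp_ansi(blob, pos)
    (size,) = struct.unpack_from("<I", blob, pos)
    native = blob[pos + 4:pos + 4 + size]
    meta = {"Type": "OLE", "ClassName": class_name, "DataSize": size, "Data": native}
    if format_id == 2 and class_name == "Package":
        # Package stream: uint16 marker, label, source path, two uint32, temp path, size, payload
        filename, p = _cstr(native, 2)
        src_path, p = _cstr(native, p)
        temp_path, p = _cstr(native, p + 8)
        (psize,) = struct.unpack_from("<I", native, p)
        meta.update({"Type": "OLEPackage", "Filename": filename, "Source Path": src_path,
                     "Temp Path": temp_path, "Data": native[p + 4:p + 4 + psize]})
    return meta

def explode_rtf(rtf):
    """Metadata for every embedded object, using the same keys as the EXPLODE_RTF output."""
    if rtf[:4] != b"{\\rt":  # the magic the dispatch rule checks (0x74725c7b little-endian)
        return []
    objects = []
    for index, m in enumerate(OBJDATA_RE.finditer(rtf)):
        meta = parse_ole1_object(bytes.fromhex(re.sub(rb"\s", b"", m.group(1)).decode("ascii")))
        meta["Index"] = index
        objects.append(meta)
    return objects
def _lp(s):  # inverse of _lp_ansi, used only to build the constructed sample below
    b = s.encode("latin-1") + b"\x00" if s else b""
    return struct.pack("<I", len(b)) + b
def build_sample_rtf():  # constructed RTF carrying one OLE Package that echoes the PR's example
    payload = b"\xff\xd8\xff\xe0 constructed bytes, not a real JPEG"
    pkg = (b"\x02\x00" + b"1.jpg\x00" + b"C:\\Documents and Settings\\user\\1.jpg\x00"
           + struct.pack("<II", 3, 0) + b"C:\\Documents and Settings\\user\\2.jpg\x00"
           + struct.pack("<I", len(payload)) + payload)
    ole1 = (struct.pack("<II", 0x0501, 2) + _lp("Package") + _lp("") + _lp("")
            + struct.pack("<I", len(pkg)) + pkg)
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}"
```

`explode_rtf(build_sample_rtf())` yields one object with `Type: OLEPackage`, `Filename: 1.jpg` and both paths, which is the same information the module's `Parsed_Objects_Metadata` block carries.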