import re
import io
import sys
import pefile
import olefile
import hashlib
import zipfile
import tempfile
from subprocess import Popen, PIPE
from oletools import olevba
from base64 import b64decode
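# Candidate base64 run: any number of 4-character groups followed by an
# optional padded tail. The pattern also matches the empty string, so matches
# have to be filtered by length before they are decoded.
B64_RX = '(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?'

# The document named on the command line is untrusted input; this script only
# parses it.
vba = olevba.VBA_Parser(sys.argv[1])
# Stream path used when the parser opened the input directly as an OLE file.
path = ['Macros', 'UserForm1', 'o']
ole = vba.ole_file
if not ole:
    # No OLE container was opened for the input, so treat it as a ZIP-based
    # document and parse the VBA project stored inside it instead.
    # NOTE(review): ZipFile.read() decompresses the whole member into memory;
    # check zipf.getinfo(...).file_size first if samples may be
    # decompression bombs.
    with zipfile.ZipFile(sys.argv[1]) as zipf:
        data = zipf.read('word/vbaProject.bin')
    vba = olevba.VBA_Parser(io.BytesIO(data))
    # The extracted project is addressed without the leading 'Macros' storage.
    path = ['UserForm1', 'o']
    ole = vba.ole_file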
# Walk every extracted VBA module and report two indicators. Only the first
# occurrence of each marker in a module is printed.
for _, _, _, vba_code in vba.extract_macros():
    # 'Lib "' is the marker searched for; the quoted name that follows it is
    # reported (VBA Declare statements name their DLL this way).
    lib_at = vba_code.find('Lib "')
    if lib_at != -1:
        lib_name = vba_code[lib_at + 5:lib_at + 200].split('"')[0]
        print('LIB: ' + lib_name)
    # A quoted string starting with "S-" is reported as KEY.
    # NOTE(review): what this value represents is not visible here; confirm
    # against the sample family.
    key_at = vba_code.find('"S-')
    if key_at != -1:
        key_value = vba_code[key_at + 1:key_at + 200].split('"')[0]
        print('KEY: ' + key_value)
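# Raw bytes of the UserForm stream that is searched for embedded payloads.
# (Named stream_data so the builtin `str` is not shadowed.)
stream_data = ole.openstream(path).read()
# The stream is bytes, so it must be searched with a bytes pattern; a str
# pattern raises TypeError on Python 3.
b64_runs = re.compile(B64_RX.encode('ascii'))
for match in b64_runs.finditer(stream_data):
    blob = match.group(0)
    # B64_RX also matches empty and short runs; only runs longer than 0x1000
    # characters are treated as payload candidates.
    if len(blob) <= 0x1000:
        continue
    try:
        # Each candidate is base64-decoded twice.
        payload = b64decode(b64decode(blob))
    except (TypeError, ValueError) as err:
        # A long base64-looking run that does not decode twice is skipped so
        # the remaining candidates are still processed.
        sys.stderr.write('skipping undecodable run: {}\n'.format(err))
        continue
    # MD5 is used only as a file name / lookup identifier for the sample.
    digest = hashlib.md5(payload).hexdigest()
    # The output name is the hex digest, never a string taken from the
    # document, so the document cannot steer where the file is written.
    # NOTE: the written file is an extracted payload from an untrusted
    # document; it lands in the current working directory, so run this in an
    # isolated analysis directory and do not execute the output.
    with open(digest, 'wb') as f:
        f.write(payload)
    if payload[:2] == b'MZ':
        try:
            # Only the file header is needed, so skip directory parsing of
            # the untrusted image.
            pe = pefile.PE(data=payload, fast_load=True)
        except pefile.PEFormatError:
            # An 'MZ' prefix does not guarantee a well-formed PE; the blob
            # has already been saved, so just report it as unparsed.
            kind = 'PE (unparsed)'
        else:
            kind = 'DLL x86' if pe.FILE_HEADER.IMAGE_FILE_32BIT_MACHINE else 'PE x64'
    else:
        # NOTE(review): anything without an 'MZ' prefix is labelled DOC; the
        # content type is not verified.
        kind = 'DOC'
    print('saving {} {}'.format(kind, digest))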