xtchm - extract Compiled Help Modules #43

Open
EricFaehrmann opened this issue Jan 8, 2024 · 1 comment
new-unit The ticket discusses the implementation of a new unit.

Comments

@EricFaehrmann

Specification

It is possible to weaponize .chm files, but binref can't extract these files.
There is a Python lib, PyCHM, but this is just a wrapper for the C lib CHMLib. The C lib needs a string with the path to the CHM file to open it. This is against the binref code of conduct.

I think the only solution would be to implement the algorithm in python as a new binref unit.

@huettenhain can you prove that there isn't another way to extract CHM files with binref? If so, I can start to develop a new unit.

Test Cases

Malicious-CHM-Guide.md
AgentTesla Spreads Through CHM and PDF Files in Recent Attacks
Cryptowall Makes a Comeback Via Malicious Help Files (CHM)
Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

@EricFaehrmann EricFaehrmann added the new-unit The ticket discusses the implementation of a new unit. label Jan 8, 2024
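The point about CHMLib wanting a file path versus a unit receiving bytes can be illustrated with the first step such a unit would take. Added example, not code from binref or from this issue: a stand-alone parser for the ITSF header at the start of a CHM image, operating purely on an in-memory byte string and validating the header section table before anything is trusted; the sample input is a constructed, minimal header rather than a real CHM.

```python
import struct
from typing import Any, Dict

# ITSF file header as publicly documented: 0x60 bytes for version 3, 0x58 for version 2.
ITSF_MAGIC = b"ITSF"
ITSP_MAGIC = b"ITSP"  # directory header that the second section-table entry points at


def parse_itsf_header(data: bytes) -> Dict[str, Any]:
    """Parse the ITSF header from bytes (no file path needed, as a binref unit requires).

    Raises ValueError on inconsistent or truncated input so a crafted file fails early.
    """
    if len(data) < 0x58 or data[:4] != ITSF_MAGIC:
        raise ValueError("not a CHM file: missing ITSF signature")
    version, header_len, _unknown = struct.unpack_from("<III", data, 4)
    expected_len = 0x60 if version == 3 else 0x58
    if version not in (2, 3) or header_len != expected_len or len(data) < header_len:
        raise ValueError(f"unsupported or truncated ITSF header (version={version}, len={header_len:#x})")
    timestamp_raw = data[16:20]                      # kept raw; not interpreted here
    language_id = struct.unpack_from("<I", data, 20)[0]
    guids = (data[24:40], data[40:56])
    # Header section table at 0x38: two (offset, length) pairs of 64-bit little-endian integers.
    sections = []
    for index in range(2):
        offset, length = struct.unpack_from("<QQ", data, 0x38 + 16 * index)
        if offset < header_len or offset + length > len(data):
            raise ValueError(f"header section {index} lies outside the file")
        sections.append((offset, length))
    content_offset = struct.unpack_from("<Q", data, 0x58)[0] if version == 3 else None
    dir_offset, _dir_len = sections[1]
    if data[dir_offset:dir_offset + 4] != ITSP_MAGIC:
        raise ValueError("directory header does not start with ITSP")
    return {"version": version, "header_length": header_len, "timestamp_raw": timestamp_raw,
            "language_id": language_id, "guids": guids, "sections": sections,
            "content_offset": content_offset}


def build_sample_chm() -> bytes:
    """Constructed, synthetic ITSF v3 header plus two stub sections (not a real CHM)."""
    section0 = bytes(0x18)                           # stub for the first header section
    section1 = ITSP_MAGIC + bytes(12)                # stub directory header
    sec0_off = 0x60
    sec1_off = sec0_off + len(section0)
    content_off = sec1_off + len(section1)
    header = ITSF_MAGIC + struct.pack("<III", 3, 0x60, 1) + bytes(4) + struct.pack("<I", 0x409)
    header += bytes(16) + bytes(16)                  # GUID fields, zeroed in this sample
    header += struct.pack("<QQQQ", sec0_off, len(section0), sec1_off, len(section1))
    header += struct.pack("<Q", content_off)
    return header + section0 + section1
```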
@huettenhain
Member

After our prior discussion, I did some research and could not identify any acceptable Python libraries to unpack CHM files either. I had collected a few links to CHM-related online resources, but not much more. I will leave them here for posterity:

Notably, 7Zip can handle CHM files, so the 7Zip source code might also be a good reference. I probably won't have time to work on this myself, but I would be grateful for the contribution.
