olevba: moved DridexUrlDecoder from 3rd party folder into olevba, fixes

#485
decalage2 · Sep 24, 2019 · 4f51278 · 4f51278
1 parent 8a20f7b
commit 4f51278
Show file tree

Hide file tree

Showing 5 changed files with 44 additions and 51 deletions.
diff --git a/oletools/olevba.py b/oletools/olevba.py
@@ -218,8 +218,9 @@
 # 2019-04-09       PL: - decompress_stream accepts bytes (issue #422)
 # 2019-05-23 v0.55 PL: - added option --pcode to call pcodedmp and display P-code
 # 2019-06-05       PL: - added VBA stomping detection
+# 2019-09-24       PL: - included DridexUrlDecode into olevba (issue #485)
 
-__version__ = '0.55.dev3'
+__version__ = '0.55.dev4'
 
 #------------------------------------------------------------------------------
 # TODO:
@@ -2201,6 +2202,46 @@ def detect_base64_strings(vba_code):
                 # if an exception occurs, it is likely not a base64-encoded string
     return results
 
+# DridexUrlDecode written by James Habben
+# Originally published on https://github.com/JamesHabben/MalwareStuff
+# included here with James' permission
+# 2015-01-27 Slight modifications from Philippe Lagadec (PL) to use it from olevba
+
+def StripChars (input) :
+    result = ''
+    for c in input :
+        if c.isdigit() :
+            result += c
+    return int(result)
+
+def StripCharsWithZero (input) :
+    result = ''
+    for c in input :
+        if c.isdigit() :
+            result += c
+        else:
+            result += '0'
+    return int(result)
+
+def DridexUrlDecode (inputText) :
+    work = inputText[4:-4]
+    strKeyEnc = StripCharsWithZero(work[(len(work) / 2) - 2: (len(work) / 2)])
+    strKeySize = StripCharsWithZero(work[(len(work) / 2): (len(work) / 2) + 2])
+    nCharSize = strKeySize - strKeyEnc
+    work = work[:(len(work) / 2) - 2] + work[(len(work) / 2) + 2:]
+    strKeyEnc2 = StripChars(work[(len(work) / 2) - (nCharSize/2): (len(work) / 2) + (nCharSize/2)])
+    work = work[:(len(work) / 2) - (nCharSize/2)] + work[(len(work) / 2) + (nCharSize/2):]
+    work_split = [work[i:i+nCharSize] for i in range(0, len(work), nCharSize)]
+    decoded = ''
+    for group in work_split:
+        # sys.stdout.write(chr(StripChars(group)/strKeyEnc2))
+        decoded += chr(StripChars(group)/strKeyEnc2)
+    return decoded
+
+# DridexUrlDecode("C3iY1epSRGe6q8g15xStVesdG717MAlg2H4hmV1vkL6Glnf0cknj")
+# DridexUrlDecode("HLIY3Nf3z2k8jD37h1n2OM3N712DGQ3c5M841RZ8C5e6P1C50C4ym1oF504WyV182p4mJ16cK9Z61l47h2dU1rVB5V681sFY728i16H3E2Qm1fn47y2cgAo156j8T1s600hukKO1568X1xE4Z7d2q17jvcwgk816Yz32o9Q216Mpr0B01vcwg856a17b9j2zAmWf1536B1t7d92rI1FZ5E36Pu1jl504Z34tm2R43i55Lg2F3eLE3T28lLX1D504348Goe8Gbdp37w443ADy36X0h14g7Wb2G3u584kEG332Ut8ws3wO584pzSTf")
+# DridexUrlDecode("YNPH1W47E211z3P6142cM4115K2J1696CURf1712N1OCJwc0w6Z16840Z1r600W16Z3273k6SR16Bf161Q92a016Vr16V1pc")
+
 
 def detect_dridex_strings(vba_code):
     """
@@ -2209,9 +2250,6 @@ def detect_dridex_strings(vba_code):
     :param vba_code: str, VBA source code
     :return: list of str tuples (encoded string, decoded string)
     """
-    # TODO: move this at the beginning of script
-    from oletools.thirdparty.DridexUrlDecoder.DridexUrlDecoder import DridexUrlDecode
-
     results = []
     found = set()
     for match in re_dridex_string.finditer(vba_code):

diff --git a/oletools/thirdparty/DridexUrlDecoder/DridexUrlDecoder.py b/oletools/thirdparty/DridexUrlDecoder/DridexUrlDecoder.py
diff --git a/oletools/thirdparty/DridexUrlDecoder/LICENSE.txt b/oletools/thirdparty/DridexUrlDecoder/LICENSE.txt
diff --git a/oletools/thirdparty/DridexUrlDecoder/__init__.py b/oletools/thirdparty/DridexUrlDecoder/__init__.py
diff --git a/setup.py b/setup.py
@@ -31,6 +31,7 @@
 # 2019-02-26       CH: - add optional dependency msoffcrypto for decryption
 # 2019-05-22       PL: - 'msoffcrypto-tool' is now a required dependency
 # 2019-05-23 v0.55 PL: - added pcodedmp as dependency
+# 2019-09-24       PL: - removed oletools.thirdparty.DridexUrlDecoder
 
 #--- TODO ---------------------------------------------------------------------
 
@@ -50,7 +51,7 @@
 #--- METADATA -----------------------------------------------------------------
 
 name         = "oletools"
-version      = '0.55.dev3'
+version      = '0.55.dev4'
 desc         = "Python tools to analyze security characteristics of MS Office and OLE files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), for Malware Analysis and Incident Response #DFIR"
 long_desc    = open('oletools/README.rst').read()
 author       = "Philippe Lagadec"
@@ -91,7 +92,6 @@
     'oletools.thirdparty.xxxswf',
     'oletools.thirdparty.prettytable',
     'oletools.thirdparty.xglob',
-    'oletools.thirdparty.DridexUrlDecoder',
     'oletools.thirdparty.tablestream',
     'oletools.thirdparty.oledump',
 ]