Adds an additional check to detect DDE #205

Merged
merged 2 commits into from Oct 24, 2017

@staaldraad
Contributor

staaldraad commented Oct 23, 2017

DDE / DDEAUTO can also be specified with

<w:fldSimple w:instr='DDE "C:\\WINDOWS\\system32\\cmd.exe" "/k powershell.exe"' w:dirty="true">
    <w:r>
        <w:t>Pew</w:t>
    </w:r>
</w:fldSimple>

This adds some additional parsing to extract the link if it is inside a w:fldSimple element.
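To show what the extra check has to cover, here is an added example (written for this page, not the PR's own msodde.py code) that pulls every field instruction out of a word/document.xml string from both encodings Word uses: complex fields, whose instruction text sits in w:instrText runs between fldChar begin/end markers, and simple fields, whose whole instruction is the w:instr attribute of w:fldSimple. The sample XML is constructed for the test; its first field is the fldSimple snippet from the PR description, the second is a complex-field DDEAUTO with a placeholder path, and the third is a benign PAGE field that must not be reported.

```python
import re
import xml.etree.ElementTree as ET

# WordprocessingML namespace used inside word/document.xml
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

def w(tag):
    """Clark-notation name for a WordprocessingML element or attribute."""
    return "{%s}%s" % (W_NS, tag)

# Field instructions whose first keyword is DDE or DDEAUTO (Word allows
# leading whitespace and is case-insensitive about the keyword).
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)

# Constructed sample: one simple field (the snippet from the PR description),
# one complex field split across two instrText runs, one harmless PAGE field.
SAMPLE_DOCUMENT_XML = r'''<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
  <w:body>
    <w:p>
      <w:fldSimple w:instr='DDE "C:\\WINDOWS\\system32\\cmd.exe" "/k powershell.exe"' w:dirty="true">
        <w:r><w:t>Pew</w:t></w:r>
      </w:fldSimple>
    </w:p>
    <w:p>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>
      <w:r><w:instrText xml:space="preserve">c:\\placeholder\\app.exe "arg" </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="separate"/></w:r>
      <w:r><w:t>cached result</w:t></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
    </w:p>
    <w:p>
      <w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>
    </w:p>
  </w:body>
</w:document>'''

def extract_field_instructions(document_xml):
    """Return all field instructions in document order.

    Complex fields are reassembled by tracking fldChar begin/end markers,
    joining the instrText chunks between them (a stack handles nesting,
    each nested field being reported on its own). Simple fields are read
    straight from the w:instr attribute.
    """
    root = ET.fromstring(document_xml)
    instructions = []
    open_fields = []            # one text buffer per currently open complex field
    for el in root.iter():      # ElementTree iterates in document order
        if el.tag == w("fldSimple"):
            instr = el.get(w("instr"))
            if instr:
                instructions.append(instr)
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                open_fields.append([])
            elif kind == "end" and open_fields:
                instructions.append("".join(open_fields.pop()))
        elif el.tag == w("instrText") and open_fields:
            open_fields[-1].append(el.text or "")
    return instructions

def find_dde_links(document_xml):
    """Return the stripped DDE / DDEAUTO instructions found in the XML."""
    return [i.strip() for i in extract_field_instructions(document_xml)
            if DDE_RE.match(i)]

if __name__ == "__main__":
    for link in find_dde_links(SAMPLE_DOCUMENT_XML):
        print(link)
```

A check that only looks at w:instrText would miss the first field entirely, which is the gap this PR closes; a check that only looks at w:fldSimple would miss the second. Real documents also need the same scan over header, footer and footnote parts, not just document.xml.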

@decalage2 decalage2 self-assigned this Oct 23, 2017

@decalage2 decalage2 added this to the oletools 0.52 milestone Oct 23, 2017

Owner

decalage2 commented Oct 23, 2017

Hi @staaldraad, by any chance do you have a sample file that I could use to test it? Thanks.

Contributor

staaldraad commented Oct 23, 2017

Of course, I should have thought of that:
simple.docx

I'll work on the QUOTED one as well, if you are interested before I get around to it;
dde_quoted.docx

Contributor

staaldraad commented Oct 24, 2017

If you are interested, I've started a branch on some of the TODO items, like tracking "begin" and "end" tags to group field codes: https://github.com/staaldraad/oletools/blob/ddedev/oletools/msodde.py

Also does auto unQUOTE if it finds a QUOTE field code:

Opening file: /tmp/dde_quoted.docx
DDE Links:
 SET C "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe
 DDEAUTO  REF C "a"

vs --nounquote

Opening file: /tmp/dde_quoted.docx
DDE Links:
 SET C " QUOTE 67 58 92 92 80 114 111 103 114 97 109 115 92 92 77 105 99 114 111 115 111 102 116 92 92 79 102 102 105 99 101 92 92 77 83 87 111 114 100 46 101 120 101 92 92 46 46 92 92 46 46 92 92 46 46 92 92 46 46 92 92 119 105 110 100 111 119 115 92 92 115 121 115 116 101 109 51 50 92 92 119 105 110 100 111 119 115 112 111 119 101 114 115 104 101 108 108 92 92 118 49 46 48 92 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101 "  QUOTE 67 58 92 92 80 114 111 103 114 97 109 115 92 92 77 105 99 114 111 115 111 102 116 92 92 79 102 102 105 99 101 92 92 77 83 87 111 114 100 46 101 120 101 92 92 46 46 92 92 46 46 92 92 46 46 92 92 46 46 92 92 119 105 110 100 111 119 115 92 92 115 121 115 116 101 109 51 50 92 92 119 105 110 100 111 119 115 112 111 119 101 114 115 104 101 108 108 92 92 118 49 46 48 92 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101 
 DDEAUTO  REF C "a"

I'll make a second PR if you are happy to have these changes :)
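The output above shows why unquoting matters for analysis: the QUOTE field turns a list of decimal character codes back into text, so a DDE target can be hidden in a SET bookmark and pulled in with REF. The following added example (written for this page, not the branch linked in the comment) decodes the decimal form of QUOTE shown in the output and, going one step beyond the comment, resolves REF bookmarks from earlier SET fields so the analyst sees the assembled instruction. The sample field list is constructed: the QUOTE codes spell a placeholder path, not the one in the comment.

```python
import re

# "QUOTE 67 58 92 ..." : one or more decimal character codes after the keyword
QUOTE_RE = re.compile(r"QUOTE((?:\s+\d+)+)", re.IGNORECASE)
# SET <bookmark> "<value>" defines a bookmark; REF <bookmark> reads it back
SET_RE = re.compile(r'^\s*SET\s+(\S+)\s+"(.*)"\s*$', re.IGNORECASE | re.DOTALL)
REF_RE = re.compile(r"\bREF\s+(\S+)", re.IGNORECASE)

# Constructed sample in the shape of the --nounquote output above;
# 67 58 92 92 112 ... 114 decodes to C:\\placeholder
SAMPLE_FIELDS = [
    r'SET C " QUOTE 67 58 92 92 112 108 97 99 101 104 111 108 100 101 114 "',
    r'DDEAUTO  REF C "a"',
]

def unquote_field(instruction):
    """Replace every QUOTE n n n... sequence with the characters it spells."""
    def decode(match):
        return "".join(chr(int(code)) for code in match.group(1).split())
    return QUOTE_RE.sub(decode, instruction)

def resolve_refs(instructions):
    """Unquote each instruction, remember SET bookmarks, substitute REF uses.

    Instructions must be in document order (SET before the REF that uses it).
    SET fields themselves are consumed; everything else is returned with
    whitespace normalised.
    """
    bookmarks = {}
    resolved = []
    for instr in instructions:
        instr = unquote_field(instr)
        m = SET_RE.match(instr)
        if m:
            bookmarks[m.group(1)] = m.group(2).strip()
            continue
        def substitute(match):
            # unknown bookmarks are left untouched so nothing is silently lost
            return bookmarks.get(match.group(1), match.group(0))
        resolved.append(" ".join(REF_RE.sub(substitute, instr).split()))
    return resolved

if __name__ == "__main__":
    for instr in SAMPLE_FIELDS:
        print("unquoted:", unquote_field(instr))
    for instr in resolve_refs(SAMPLE_FIELDS):
        print("resolved:", instr)
```

Only the decimal code form of QUOTE is handled here, which is the form in the output above; a scanner that reports the raw QUOTE text as well as the decoded version keeps the evidence of obfuscation visible rather than hiding it behind the decoded string.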

@decalage2 decalage2 merged commit 281a2e3 into decalage2:master Oct 24, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed
Owner

decalage2 commented Oct 24, 2017

Yes please, submit a PR with your other branch, it looks great.
