Detect interactive ppt features #786
Commits on Nov 28, 2022
(commit 6069d4b)
(new IDE complained about these)
(commit 59bd5cf)
ppt_record_parser: Add many types, parse CString
Parse more record types from [MS-PPT] and some more from [MS-ODRAW], show more info in __str__ for debugging and extending
(commit 952bc7c)
olevba: Detect interactive record types in ppt
Old powerpoint files (.ppt) can contain links to webpages or programs that are neither ActiveX nor VBA nor other tested types. They are saved in regular ppt-specific records and allow powerpoint to start arbitrary commands upon click or hovering over some item. The timeout for "hovering" is pretty fast here; it is very likely that users trigger this without realizing it. Add detection for these items to olevba
(commit 5f5f977)
record_base: Provide complete record data for testing
Expose existing param in record_base.test which is used to help extend and debug record-based streams (currently only ppt_record_parser).
(commit ab9b348)
record_base: Improve stability for real-world samples
(1) Do not parse all sub-records in a container when constructing it (2) Allow for stray bytes at end of container data
(commit 9919410)
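The record types the olevba commit above detects, together with the tolerance for stray trailing bytes from the record_base commit, as an added example that is not part of this PR and is not oletools' own ppt_record_parser code: a minimal walker over [MS-PPT] records that reports each InteractiveInfo container (recType 0x0FF2; recInstance 0 is the mouse-click variant, 1 the mouse-over variant) with the action byte of its InteractiveInfoAtom (recType 0x0FF3, 16 bytes) and, for a run-program action, the program path from the MacroNameAtom (a CString record, recType 0x0FBA, recInstance 2). The byte stream it parses is constructed here and is not a real file; RT_Slide (0x03EE) serves only as a generic outer container; the function and constant names are this example's own. Hyperlink targets live in a separate ExHyperlinkAtom referenced by exHyperlinkIdRef, which this example does not resolve.

```python
import struct

# Record type values from the [MS-PPT] RecordType enumeration
RT_SLIDE = 0x03EE                  # used here only as a generic outer container
RT_CSTRING = 0x0FBA                # UTF-16LE string atom; recInstance 2 = MacroNameAtom
RT_INTERACTIVE_INFO = 0x0FF2       # container; recInstance 0 = mouse click, 1 = mouse over
RT_INTERACTIVE_INFO_ATOM = 0x0FF3  # 16-byte atom, byte 8 is the action code

# [MS-PPT] InteractiveInfoActionEnum
ACTIONS = {0: "none", 1: "macro", 2: "run program", 3: "jump", 4: "hyperlink",
           5: "OLE verb", 6: "media", 7: "custom show"}


def iter_records(data, start=0, end=None):
    """Walk records in data[start:end], recursing into containers (recVer 0xF).

    Yields (rec_instance, rec_type, payload_offset, payload_len). A trailing run
    of fewer than 8 bytes (stray bytes) is ignored, and a header whose length
    overruns the enclosing container stops the walk instead of raising.
    """
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        ver_inst, rec_type, rec_len = struct.unpack_from("<HHI", data, pos)
        rec_ver, rec_inst = ver_inst & 0xF, ver_inst >> 4
        payload = pos + 8
        if payload + rec_len > end:
            break
        yield rec_inst, rec_type, payload, rec_len
        if rec_ver == 0xF:
            yield from iter_records(data, payload, payload + rec_len)
        pos = payload + rec_len


def find_interactive(data):
    """Return (trigger, action, target) for every InteractiveInfo container found."""
    findings = []
    for inst, rec_type, payload, length in iter_records(data):
        if rec_type != RT_INTERACTIVE_INFO:
            continue
        trigger = "mouse over" if inst == 1 else "mouse click"
        action = None
        target = None
        for child_inst, child_type, s, n in iter_records(data, payload, payload + length):
            if child_type == RT_INTERACTIVE_INFO_ATOM and n == 16:
                action = data[s + 8]   # soundIdRef (4) + exHyperlinkIdRef (4) precede it
            elif child_type == RT_CSTRING and child_inst == 2:
                target = data[s:s + n].decode("utf-16-le", errors="replace")
        findings.append((trigger, ACTIONS.get(action, "unknown"), target))
    return findings


# --- constructed sample stream (not a real .ppt) -------------------------------
def record(rec_ver, rec_inst, rec_type, payload):
    return struct.pack("<HHI", (rec_inst << 4) | rec_ver, rec_type, len(payload)) + payload


def interactive_info_atom(action):
    # soundIdRef, exHyperlinkIdRef, action, oleVerb, jump, flags, hyperlinkType, 3 unused bytes
    return struct.pack("<IIBBBBB3x", 0, 0, action, 0, 0, 0, 0)


HOVER_RUN_PROGRAM = record(0xF, 1, RT_INTERACTIVE_INFO,
    record(0, 0, RT_INTERACTIVE_INFO_ATOM, interactive_info_atom(2))
    + record(0, 2, RT_CSTRING, "calc.exe".encode("utf-16-le")))
CLICK_HYPERLINK = record(0xF, 0, RT_INTERACTIVE_INFO,
    record(0, 0, RT_INTERACTIVE_INFO_ATOM, interactive_info_atom(4)))
# outer container plus three stray bytes after the last record
SAMPLE = record(0xF, 0, RT_SLIDE, HOVER_RUN_PROGRAM + CLICK_HYPERLINK) + b"\xaa\xbb\xcc"

if __name__ == "__main__":
    for finding in find_interactive(SAMPLE):
        print(finding)
```

Run stand-alone it prints one line per container: the mouse-over one resolving to "run program" with target calc.exe, and the click one to "hyperlink". Truncating the stream so that a header claims more bytes than remain yields no findings rather than an exception, which is the behaviour a scanner wants on damaged or deliberately malformed samples.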
ppt_parser: Relax requirements
Had too harsh a requirement for ppt files, that they only contain root streams and no sub-streams. Not sure whether this theoretically should be true, but in any case it is not the case in real-world samples.
(commit 325caf5)
This is left over from my initial attempt at parsing ppt documents. Never worked properly.
(commit d3ba646)
oleobj: Do not trust is_zipfile
This can easily be fooled as shown by some malware sample. So, do it the pythonic way: try treating it like a zip file and deal with the exceptions if it is not.
(commit 54b5693)
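The is_zipfile pitfall from the oleobj commit above, as an added example that is not part of this PR and not oletools' oleobj code: zipfile.is_zipfile only inspects the end-of-central-directory record at the tail of the file, so a blob that starts with the OLE2 compound-file magic but ends in a fabricated 22-byte end record passes the check, while actually opening it raises BadZipFile because the claimed central directory points into padding. The in-memory archive and both blobs are constructed for the example; the helper names are this example's own.

```python
import io
import struct
import zipfile


def looks_like_zip(data):
    """The LBYL check: is_zipfile only validates the trailing end-of-central-directory record."""
    return zipfile.is_zipfile(io.BytesIO(data))


def zip_member_names(data):
    """The EAFP variant: really open the archive and read its central directory.

    Returns the member names, or None when the data is not a usable zip file.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return archive.namelist()
    except (zipfile.BadZipFile, EOFError, OSError, struct.error):
        # BadZipFile is the documented failure; the others are defensive, since
        # deliberately malformed headers can fail elsewhere in the parser
        return None


# --- constructed inputs (not real samples) ------------------------------------
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def build_real_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def build_fake_zip():
    # 22-byte EOCD: signature, four uint16 fields (disk numbers, entry counts),
    # size of central directory = 46, offset of central directory = 0,
    # comment length = 0. The claimed 46-byte central directory lands in the
    # zero padding, so its signature check fails once the file is really opened.
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 0, 0, 46, 0, 0)
    return OLE2_MAGIC + b"\x00" * 92 + eocd


REAL_ZIP = build_real_zip()
FAKE_ZIP = build_fake_zip()
NOT_ZIP = OLE2_MAGIC + b"\x00" * 100

if __name__ == "__main__":
    for name, blob in (("real zip", REAL_ZIP), ("fake tail", FAKE_ZIP), ("ole-like", NOT_ZIP)):
        print(name, looks_like_zip(blob), zip_member_names(blob))
```

The fake blob is the case that matters for a scanner: is_zipfile answers True, so code that branches on it would route an OLE2-looking file into the zip path and then crash or skip it; opening the archive and handling the exception gives one consistent answer for all three inputs.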
ppt_record_parser: Optimize data loading
Do not remember potentially huge blobs in memory, need that just for debugging.
(commit 76da83a)
tests: Add sample and test for interactive ppt
Self-made sample that triggers the default browser with a URL upon clicking a shape, and that calls calc.exe upon hovering over another shape.
(commit feb2309)
tests: Add helper to temporarily extract malware samples
When testing json output we need to run samples through the "main" functions of modules, not just their "process_file" functions, which would accept the extracted and decrypted data from the existing helper function "loop_over_files". They need a filename as input, so add a helper to create a temp dir and extract and decrypt samples to it temporarily.
(commit 547cd30)
tests: Return path-part from loop_and_extract
When unzipping into temp dir, we often need to know the original sample name.
(commit d67ae41)
tests: Start test to run all tools on all data
In another branch I missed a bug that occurred in one of our test samples. Avoid this by running all tools over all data
(commit 9668cf6)