Skip to content
master
Switch branches/tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 
 
 

VBASeismograph

VBA Seismograph is a tool for detecting VBA stomping. It has been developed and tested under Ubuntu 16.04. This is done by checking for:

  • Functions and variables that are defined in the compiled p-code that do not appear in the VBA source code.
  • String literals that are used in the compiled p-code that do not appear in the VBA source code.
  • Comments that appear in the compiled p-code that do not appear in the VBA source code.

Installation

VBA Seismograph makes use of two external packages, pcodedmp and olevba. To install these (under Ubuntu):

Install pcodedmp

pcodemp.py is a p-code disassembler. To install it do the following:

git clone https://github.com/bontchev/pcodedmp.git

Install olevba

olevba is a tool for dumping the compressed VBA source code from an Office file. To install olevba under Ubuntu do the following:

sudo pip install oletools

PCODEDMP_DIR Environment Variable

VBA Seismograph reads the install directory for pcodedmp from the PCODEDMP_DIR environment variable. To set this under csh add something like the following (modified for where you installed pcodedmp) to your .cshrc file:

setenv PCODEDMP_DIR /home/sayre/Software/pcodedmp

To set this under bash add something like the following (modified for where you installed pcodedmp) to your .bashrc file:

export PCODEDMP_DIR=/home/sayre/Software/pcodedmp

Usage

To get help run:

vba_seismograph.py -h

To check the Office file FOO (Excel or Word file) run:

vba_seismograph.py FOO

To get details about differences between the p-code and the VBA source code run:

vba_seismograph.py -v FOO

About

A tool for detecting VBA stomping.

Resources

License

Releases

No releases published

Packages

No packages published

Languages