dir stream parsing is too strict #863

Open
peterferrie opened this issue Jul 11, 2024 · 0 comments
@peterferrie

Affected tool:
olevba

Describe the bug
sig_byte and chunk_signature compare exact byte-values. Office only checks individual bits, not the entire byte.
For sig_byte, only bits 0-1 are checked, bits 2-7 are not checked.
For chunk_signature, only bit 15 is checked, bits 12-24 are not checked.

File/Malware sample to reproduce the bug
pw_clean.zip

How To Reproduce the bug
olevba doc1.doc

Expected behavior
dir stream should be parsed correctly, no error from _extract_vba

Console output / Screenshots
If applicable, add screenshots to help explain your problem.
Use the option "-l debug" to add debugging information, if possible.

Version information:

  • OS: Windows
  • OS version: 10.0.19045 - 64 bits
  • Python version: 3.8.5 - 64 bits
  • oletools version: 0.60.2

Additional context
In the sample file, the sig_byte is changed from 01 to 05; chunk_signature is changed from B2 to 82.
The file opens correctly in Word 2019.

@decalage2 decalage2 self-assigned this Jul 29, 2024
@decalage2 decalage2 added this to the oletools 0.60 milestone Jul 29, 2024
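
Added example, not part of the issue or of oletools' own code: a header audit for an MS-OVBA compressed container (the encoding used for the dir stream) that separates spec-conformant input from input that passes only the relaxed bit checks the report describes, which is worth flagging in triage. The field layout follows MS-OVBA (chunk signature in header bits 12-14); `audit_container`, `make_sample` and the sample bytes are constructed for illustration.

```python
import struct

SIG_BYTE = 0x01    # MS-OVBA CompressedContainer SignatureByte
CHUNK_SIG = 0b011  # MS-OVBA CompressedChunkSignature, header bits 12-14


def audit_container(data):
    """Walk the chunk headers of an MS-OVBA compressed container.

    Returns (verdict, findings). 'conformant' matches the specification,
    'deviant' only passes the relaxed checks described in the issue, and
    'rejected' fails both.
    """
    if not data:
        return "rejected", ["empty container"]
    findings = []
    sig = data[0]
    # Relaxed rule as reported in the issue: only bits 0-1 are compared.
    if (sig & 0x03) != (SIG_BYTE & 0x03):
        return "rejected", ["sig_byte 0x%02X fails even the 2-bit check" % sig]
    if sig != SIG_BYTE:
        findings.append("sig_byte 0x%02X has stray bits in 2-7" % sig)
    pos = 1
    while pos < len(data):
        if pos + 2 > len(data):
            return "rejected", findings + ["truncated chunk header at %d" % pos]
        (header,) = struct.unpack_from("<H", data, pos)
        size = (header & 0x0FFF) + 3   # bits 0-11: chunk size minus 3
        chunk_sig = (header >> 12) & 0x07
        # Bit 15 (compressed/raw flag) selects the decoding mode and is not
        # a validity check, so it is not inspected here.
        if chunk_sig != CHUNK_SIG:
            findings.append("chunk at %d: signature bits %s, expected 011"
                            % (pos, format(chunk_sig, "03b")))
        if pos + size > len(data):
            findings.append("chunk at %d overruns the container" % pos)
        pos += size
    return ("deviant" if findings else "conformant"), findings


def make_sample(sig_byte, chunk_sig_bits):
    """Constructed test input: one compressed chunk holding literals 'abc'."""
    payload = b"\x00abc"                       # flag byte + three literal tokens
    header = 0x8000 | (chunk_sig_bits << 12) | (len(payload) + 2 - 3)
    return bytes([sig_byte]) + struct.pack("<H", header) + payload


if __name__ == "__main__":
    print(audit_container(make_sample(0x01, 0b011)))  # spec-conformant header
    print(audit_container(make_sample(0x05, 0b000)))  # altered as in the issue
```

A parser that accepts the relaxed form can still log the `deviant` findings, so tolerant parsing does not hide the anomaly from analysts.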