Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Find office file entry points via callgraph #215

Merged
merged 15 commits into from
Sep 17, 2020
Merged

Find office file entry points via callgraph #215

merged 15 commits into from
Sep 17, 2020

Conversation

kscieslinski
Copy link
Contributor

The naive solution (just opening office document) might not be enough. This pull request introduces the approach to detect the non standard entry points of macro call chains. It uses Vba2Graph project to create a call graph and then finds the outer nodes. Finally it uses the /m flag to open the sample file and trigger all macros which belong to the outer nodes.

The pr. is in draft form as:

  1. The main library oletools has a bug but the PR fixing it is already waiting for review.
  2. Not sure about the license of Vba2Graph. The project doesn't seem to be active. I've reached out to author but I've received no response yet.

@kscieslinski kscieslinski changed the base branch from master to click August 20, 2020 07:50
@kscieslinski kscieslinski changed the base branch from click to master August 20, 2020 07:50
@kscieslinski kscieslinski marked this pull request as draft August 20, 2020 09:06
icedevml
icedevml reviewed Aug 25, 2020
View reviewed changes
drakrun/requirements.txt Outdated Show resolved Hide resolved
icedevml
icedevml reviewed Aug 25, 2020
View reviewed changes
Copy link
Contributor

@icedevml icedevml left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

fingers crossed for this idea to work well, overall looks pretty interesting

drakrun/drakrun/main.py Outdated Show resolved Hide resolved
@kscieslinski kscieslinski marked this pull request as ready for review September 16, 2020 12:28
@icedevml icedevml self-requested a review September 16, 2020 14:38
@icedevml icedevml changed the title Find office file entry points via callgraph. Draft implementation. Find office file entry points via callgraph Sep 16, 2020
icedevml
icedevml reviewed Sep 16, 2020
View reviewed changes
README.md Outdated Show resolved Hide resolved
@icedevml
Copy link
Contributor

I'm testing this PR locally

icedevml
icedevml approved these changes Sep 17, 2020
View reviewed changes
Copy link
Contributor

@icedevml icedevml left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested locally on some emotet samples, seems to work fine, LGTM

README.md Outdated Show resolved Hide resolved
@icedevml
Update README.md
a465e4f 
Co-authored-by: Michał Leszczyński <[email protected]>
@kscieslinski kscieslinski merged commit 4a56dca into master Sep 17, 2020
@kscieslinski kscieslinski deleted the callgraph branch September 17, 2020 12:42
@decalage2 decalage2 mentioned this pull request Sep 17, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@icedevml icedevml icedevml approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kscieslinski @icedevml