Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Oleobj preserve file extension #451

Merged
merged 3 commits into from
May 9, 2022
Merged

Oleobj preserve file extension #451

merged 3 commits into from
May 9, 2022

Conversation

christian-intra2net
Copy link
Contributor

Encountered malware samples where "Filename" of an embedded file was " " (just a space), but "Source Path" and "Temp Path" contained a proper filename. Seems to be enough for windows to recognize the file type. So extract file name (in particular: the file extension) from paths if "Filename" is not helpful.

Realized that lots of things can go wrong creating filenames: collisions with other files, extremely long names, different path separators ("/" vs ""). Address these issues, too.

@decalage2 decalage2 self-requested a review May 28, 2019 13:10
@decalage2 decalage2 added this to the oletools 0.55 milestone May 28, 2019
@christian-intra2net
Copy link
Contributor Author

Rebased onto current master

@christian-intra2net christian-intra2net force-pushed the oleobj-preserve-suffix branch 2 times, most recently from 446aa9b to 9334846 Compare July 9, 2019 14:22
@christian-intra2net
Copy link
Contributor Author

Rebased to keep up-to-date.

@christian-intra2net
Copy link
Contributor Author

Rebased onto current master

@christian-intra2net
tests: Treat xlsb properly in ftguess tests
2e67297
@christian-intra2net
oleobj: smarter way to create dump filename
f938a94 
Sofar we have only looked at the `filename` attribute but in malware
samples the path has been empty and windows used src_path or tmp_path
to determine dumped file type.

Look at all 3 filenames/paths, try to preserve suffix but still limit
length of resulting file name. Deal with multiple objects of same
resulting filename by offering random file names
@christian-intra2net
tests: create unittests for oleobj file name creation
eb0b509
@christian-intra2net
Copy link
Contributor Author

Rebased onto current master. Added the unittest fix commit from #761 so I can run branch unittests

@decalage2 decalage2 merged commit cb41b34 into decalage2:master May 9, 2022
@decalage2 decalage2 modified the milestones: oletools 0.55, oletools 0.60 May 9, 2022
@decalage2 decalage2 self-assigned this May 9, 2022
@christian-intra2net christian-intra2net deleted the oleobj-preserve-suffix branch May 25, 2022 07:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@decalage2 decalage2 decalage2 approved these changes

Assignees

@decalage2 decalage2

Labels
oleobj 👍 enhancement
Projects
None yet
Milestone
oletools 0.60
Development

Successfully merging this pull request may close these issues.
2 participants
@christian-intra2net @decalage2