Skip to content

Commit

Permalink
updated doc for v0.55
Browse files Browse the repository at this point in the history
  • Loading branch information
decalage2 committed Dec 3, 2019
1 parent cd4b73d commit ae22ba6
Show file tree
Hide file tree
Showing 4 changed files with 69 additions and 39 deletions.
29 changes: 20 additions & 9 deletions oletools/README.html
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,25 @@ <h1 id="python-oletools">python-oletools</h1>
<p>Note: python-oletools is not related to OLETools published by BeCubed Software.</p>
<h2 id="news">News</h2>
<ul>
<li><strong>2019-12-03 v0.55</strong>:
<ul>
<li>olevba:
<ul>
<li>added support for SLK files and XLM macro extraction from SLK</li>
<li>VBA Stomping detection</li>
<li>integrated pcodedmp to extract and disassemble P-code</li>
<li>detection of suspicious keywords and IOCs in P-code</li>
<li>new option --pcode to display P-code disassembly</li>
<li>improved detection of auto execution triggers</li>
</ul></li>
<li>rtfobj: added URL carver for CVE-2017-0199</li>
<li>better handling of unicode for systems with locale that does not support UTF-8, e.g. LANG=C (PR #365)</li>
<li>tests:
<ul>
<li>test files can now be encrypted, to avoid antivirus alerts (PR #217, issue #215)</li>
<li>tests that trigger antivirus alerts have been temporarily disabled (issue #215)</li>
</ul></li>
</ul></li>
<li><strong>2019-05-22 v0.54.2</strong>:
<ul>
<li>bugfix release: fixed several issues related to encrypted documents and XLM/XLF Excel 4 macros</li>
Expand Down Expand Up @@ -56,14 +75,6 @@ <h2 id="news">News</h2>
<li>oleid now detects encrypted OpenXML files</li>
<li>fixed bugs in oleobj, rtfobj, oleid, olevba</li>
</ul></li>
<li>2018-02-18 v0.52:
<ul>
<li>New tool <a href="https://github.com/decalage2/oletools/wiki/msodde">msodde</a> to detect and extract DDE links from MS Office files, RTF and CSV;</li>
<li>Fixed bugs in olevba, rtfobj and olefile, to better handle malformed/obfuscated files;</li>
<li>Performance improvements in olevba and rtfobj;</li>
<li>VBA form parsing in olevba;</li>
<li>Office 2007+ support in oleobj.</li>
</ul></li>
</ul>
<p>See the <a href="https://github.com/decalage2/oletools/wiki/Changelog">full changelog</a> for more information.</p>
<h2 id="tools">Tools:</h2>
Expand All @@ -86,7 +97,7 @@ <h3 id="tools-to-analyze-the-structure-of-ole-files">Tools to analyze the struct
<li><a href="https://github.com/decalage2/oletools/wiki/olemap">olemap</a>: to display a map of all the sectors in an OLE file.</li>
</ul>
<h2 id="projects-using-oletools">Projects using oletools:</h2>
<p>oletools are used by a number of projects and online malware analysis services, including <a href="http://viper.li/">Viper</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
<p>oletools are used by a number of projects and online malware analysis services, including <a href="https://github.com/IntegralDefense/ACE">ACE</a>, <a href="https://sandbox.anlyz.io/">Anlyz.io</a>, <a href="https://www.cse-cst.gc.ca/en/assemblyline">AssemblyLine</a>, <a href="https://github.com/ctxis/CAPE">CAPE</a>, <a href="https://github.com/cuckoosandbox/cuckoo">Cuckoo Sandbox</a>, <a href="https://github.com/cryps1s/DARKSURGEON">DARKSURGEON</a>, <a href="https://sandbox.deepviz.com/">Deepviz</a>, <a href="https://dridex.malwareconfig.com">dridex.malwareconfig.com</a>, <a href="https://certsocietegenerale.github.io/fame/">FAME</a>, <a href="https://github.com/fireeye/flare-vm">FLARE-VM</a>, <a href="https://www.hybrid-analysis.com/">Hybrid-analysis.com</a>, <a href="https://www.document-analyzer.net/">Joe Sandbox</a>, <a href="https://github.com/lmco/laikaboss">Laika BOSS</a>, <a href="https://github.com/sbidy/MacroMilter">MacroMilter</a>, <a href="https://mailcow.email/">mailcow</a>, <a href="https://malshare.io">malshare.io</a>, <a href="https://github.com/Tigzy/malware-repo">malware-repo</a>, <a href="https://www.adlice.com/download/mrf/">Malware Repository Framework (MRF)</a>, <a href="https://github.com/HeinleinSupport/olefy">olefy</a>, <a href="https://github.com/scVENUS/PeekabooAV">PeekabooAV</a>, <a href="https://github.com/bontchev/pcodedmp">pcodedmp</a>, <a href="https://github.com/CIRCL/PyCIRCLean">PyCIRCLean</a>, <a href="https://remnux.org/">REMnux</a>, <a href="https://github.com/countercept/snake">Snake</a>, <a href="https://app.sndbox.com">SNDBOX</a>, <a href="https://github.com/target/strelka">Strelka</a>, <a href="https://stoq.punchcyber.com/">stoQ</a>, <a href="https://github.com/TheHive-Project/Cortex-Analyzers">TheHive/Cortex</a>, <a href="https://tsurugi-linux.org/">TSUGURI Linux</a>, <a href="https://github.com/MalwareCantFly/Vba2Graph">Vba2Graph</a>, <a href="http://viper.li/">Viper</a>, <a href="https://github.com/decalage2/ViperMonkey">ViperMonkey</a>, <a href="https://yomi.yoroi.company">YOMI</a>, and probably <a href="https://www.virustotal.com">VirusTotal</a>. And quite a few <a href="https://github.com/search?q=oletools&amp;type=Repositories">other projects on GitHub</a>. (Please <a href="(http://decalage.info/contact)">contact me</a> if you have or know a project using oletools)</p>
<h2 id="download-and-install">Download and Install:</h2>
<p>The recommended way to download and install/update the <strong>latest stable release</strong> of oletools is to use <a href="https://pip.pypa.io/en/stable/installing/">pip</a>:</p>
<ul>
Expand Down
75 changes: 47 additions & 28 deletions oletools/README.rst
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,27 @@ Software.
News
----

- **2019-12-03 v0.55**:

- olevba:

- added support for SLK files and XLM macro extraction from SLK
- VBA Stomping detection
- integrated pcodedmp to extract and disassemble P-code
- detection of suspicious keywords and IOCs in P-code
- new option --pcode to display P-code disassembly
- improved detection of auto execution triggers

- rtfobj: added URL carver for CVE-2017-0199
- better handling of unicode for systems with locale that does not
support UTF-8, e.g. LANG=C (PR #365)
- tests:

- test files can now be encrypted, to avoid antivirus alerts (PR
#217, issue #215)
- tests that trigger antivirus alerts have been temporarily
disabled (issue #215)

- **2019-05-22 v0.54.2**:

- bugfix release: fixed several issues related to encrypted
Expand Down Expand Up @@ -79,17 +100,6 @@ News
- oleid now detects encrypted OpenXML files
- fixed bugs in oleobj, rtfobj, oleid, olevba

- 2018-02-18 v0.52:

- New tool
`msodde <https://github.com/decalage2/oletools/wiki/msodde>`__ to
detect and extract DDE links from MS Office files, RTF and CSV;
- Fixed bugs in olevba, rtfobj and olefile, to better handle
malformed/obfuscated files;
- Performance improvements in olevba and rtfobj;
- VBA form parsing in olevba;
- Office 2007+ support in oleobj.

See the `full
changelog <https://github.com/decalage2/oletools/wiki/Changelog>`__ for
more information.
Expand Down Expand Up @@ -141,29 +151,38 @@ Projects using oletools:
------------------------

oletools are used by a number of projects and online malware analysis
services, including `Viper <http://viper.li/>`__,
`REMnux <https://remnux.org/>`__,
`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
services, including `ACE <https://github.com/IntegralDefense/ACE>`__,
`Anlyz.io <https://sandbox.anlyz.io/>`__,
`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
`CAPE <https://github.com/ctxis/CAPE>`__, `Cuckoo
Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
`Deepviz <https://sandbox.deepviz.com/>`__,
`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
`FAME <https://certsocietegenerale.github.io/fame/>`__,
`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
`Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `Joe
Sandbox <https://www.document-analyzer.net/>`__,
`Deepviz <https://sandbox.deepviz.com/>`__, `Laika
BOSS <https://github.com/lmco/laikaboss>`__, `Cuckoo
Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
`Anlyz.io <https://sandbox.anlyz.io/>`__,
`ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
Sandbox <https://www.document-analyzer.net/>`__, `Laika
BOSS <https://github.com/lmco/laikaboss>`__,
`MacroMilter <https://github.com/sbidy/MacroMilter>`__,
`mailcow <https://mailcow.email/>`__,
`malshare.io <https://malshare.io>`__,
`malware-repo <https://github.com/Tigzy/malware-repo>`__, `Malware
Repository Framework (MRF) <https://www.adlice.com/download/mrf/>`__,
`olefy <https://github.com/HeinleinSupport/olefy>`__,
`PeekabooAV <https://github.com/scVENUS/PeekabooAV>`__,
`pcodedmp <https://github.com/bontchev/pcodedmp>`__,
`dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__,
`PyCIRCLean <https://github.com/CIRCL/PyCIRCLean>`__,
`REMnux <https://remnux.org/>`__,
`Snake <https://github.com/countercept/snake>`__,
`DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
`CAPE <https://github.com/ctxis/CAPE>`__,
`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
`malshare.io <https://malshare.io>`__, `Malware Repository Framework
(MRF) <https://www.adlice.com/download/mrf/>`__,
`malware-repo <https://github.com/Tigzy/malware-repo>`__,
`Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
`SNDBOX <https://app.sndbox.com>`__,
`Strelka <https://github.com/target/strelka>`__,
`stoQ <https://stoq.punchcyber.com/>`__,
`TheHive/Cortex <https://github.com/TheHive-Project/Cortex-Analyzers>`__,
`TSUGURI Linux <https://tsurugi-linux.org/>`__,
`Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
`Viper <http://viper.li/>`__,
`ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
`YOMI <https://yomi.yoroi.company>`__, and probably
`VirusTotal <https://www.virustotal.com>`__. And quite a few `other
projects on
Expand Down
2 changes: 1 addition & 1 deletion oletools/doc/Home.html
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@
<![endif]-->
</head>
<body>
<h1 id="python-oletools-v0.54-documentation">python-oletools v0.54 documentation</h1>
<h1 id="python-oletools-v0.55-documentation">python-oletools v0.55 documentation</h1>
<p>This is the home page of the documentation for python-oletools. The latest version can be found <a href="https://github.com/decalage2/oletools/wiki">online</a>, otherwise a copy is provided in the doc subfolder of the package.</p>
<p><a href="http://www.decalage.info/python/oletools">python-oletools</a> is a package of python tools to analyze <a href="http://en.wikipedia.org/wiki/Compound_File_Binary_Format">Microsoft OLE2 files</a> (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the <a href="http://www.decalage.info/olefile">olefile</a> parser. See <a href="http://www.decalage.info/python/oletools" class="uri">http://www.decalage.info/python/oletools</a> for more info.</p>
<p><strong>Quick links:</strong> <a href="http://www.decalage.info/python/oletools">Home page</a> - <a href="https://github.com/decalage2/oletools/wiki/Install">Download/Install</a> - <a href="https://github.com/decalage2/oletools/wiki">Documentation</a> - <a href="https://github.com/decalage2/oletools/issues">Report Issues/Suggestions/Questions</a> - <a href="http://decalage.info/contact">Contact the Author</a> - <a href="https://github.com/decalage2/oletools">Repository</a> - <a href="https://twitter.com/decalage2">Updates on Twitter</a></p>
Expand Down
2 changes: 1 addition & 1 deletion oletools/doc/Home.md
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
python-oletools v0.54 documentation
python-oletools v0.55 documentation
===================================

This is the home page of the documentation for python-oletools. The latest version can be found
Expand Down

0 comments on commit ae22ba6

Please sign in to comment.