Add oleobj arg to just find external relations #772

Open
wants to merge 15 commits into base: master

Conversation

christian-intra2net (Contributor) commented Jun 17, 2022

Analyses of the attacks using ms-msdt links show that there is a multitude of attack vectors based on links or general "external relations" in office documents. It is therefore prudent to check for these, and there is code in oleobj that helps with doing that.

However, oleobj also dumps embedded files to disk, which may not be the intended behaviour when using it as a "link finder". The commits in this PR therefore add an option to skip all dumping and just report what could be dumped and what external relations were found.

We could take an alternative approach and instead create a separate "link_finder.py", moving this functionality there, but since more and more people rely on oletools I did not want to break compatibility with existing behaviour. I can implement that as well if you wish.

This branch is based on one other branch, therefore the PR contains 10 commits from #771 (log-helper and json in oleobj) to avoid trouble when merging. Hope that is ok.
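The "external relations" check the PR description refers to, as an added example that is not oletools' own code: it walks every .rels part of an OOXML package (docx/xlsx/pptx) in memory and reports relationships whose TargetMode is "External", writing nothing to disk, which is the link-finder behaviour the new option is meant to provide. The sample document and its placeholder URL are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the OOXML package relationships schema (the *.rels parts).
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_relationships(data: bytes):
    """Return (part_name, relationship_type, target) for every relationship
    whose TargetMode is "External". `data` is the raw OOXML zip; everything
    stays in memory, nothing is written to disk."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part: skipped here, a real scanner would log it
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("TargetMode", "").lower() == "external":
                    # keep only the last path element of the Type URI, e.g. "oleObject"
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rel_type, rel.get("Target", "")))
    return found


def build_sample_docx() -> bytes:
    """Constructed minimal package: one internal relationship (styles) and one
    external oleObject relationship pointing at a placeholder URL."""
    rel_base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>'
        '<Relationship Id="rId2" Type="%soleObject" '
        'Target="http://example.invalid/remote.html" TargetMode="External"/>'
        "</Relationships>"
    ) % (RELS_NS, rel_base, rel_base)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in find_external_relationships(build_sample_docx()):
        print("%s: external %s -> %s" % (part, rel_type, target))
```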

@decalage2 decalage2 self-requested a review June 19, 2022 20:27
@decalage2 decalage2 self-assigned this Jun 19, 2022
@christian-intra2net christian-intra2net changed the title Add oleobj to just find external relations Add oleobj arg to just find external relations Jun 20, 2022
Not needed any more when using log_helper

People (like me) might think that when they give "-r" as argument they
could give a directory with samples as input, e.g.

oleobj -r /path/to/samples

when actually they need to specify that with a glob and -r is
independent of that

oleobj /path/to/samples*

Clarify that in the help-string of "-r".

Also, giving a glob did result in an error saying that this is not an
existing file. Fixed that.

Should not matter but this is safer and consistent with other tests.

When testing json-output we need to run samples through the "main"
functions of modules, not just their "process_file" functions that would
accept the extracted and decrypted data from the existing helper
function "loop_over_files". They need a filename as input, so add a helper
to create a temp dir and extract & decrypt samples to that temporarily.

Since this test runs 3 scripts over all samples it takes pretty long.
Therefore, disable it by default, enable with an environment variable
OLETOOLS_TEST_JSON=1

Also, decrypting and extracting malware samples onto the disk might
cause trouble, another reason for not enabling this test by default.

oleobj also serves as finder for external relationships. If users want just
that behaviour and no dumping of embedded objects, give them the option to
get that. Also clarify this double purpose in the docstring.

There is a TODO that might be aimed at exactly that, but I am uncertain
whether I interpret it correctly

Do not just rely on the return value.

Also avoid dumping stuff when just checking links.

Do not abuse the "did dump" flag for "did find external relationship", add
an extra flag and return value for that

Branch that fixed this has been merged Oct 2019.