Philippe Lagadec
Hi, just discovered Zeal and it's really great. :-) A suggestion: I have loaded both Python 2 and 3 docsets (because I use both in different projects). When I look...
See https://twitter.com/InQuest/status/1555145408342622209
- report OLE2Link objects from rtfobj
- report LINK htmlfile from msodde

For example this could be used to detect Follina samples.
When the code of a VBA macro contains non-ASCII characters, olevba triggers a UnicodeEncodeError when the console output is redirected to a file, on Windows 10 with Python 3. The...
Currently running pip install oletools[full] on Python 2.x fails, because XLMMacroDeobfuscator only supports Python 3.x.
See https://blog.didierstevens.com/2022/05/05/update-oledump-py-version-0-0-66/
VSDM and VSDX have a relationship type different from other Office formats: `http://schemas.microsoft.com/visio/2010/relationships/document`

```
ftguess.py nomacro.vsdx -l debug
ftguess 0.60.1.dev8 on Python 3.9.0 - http://decalage.info/python/oletools
THIS IS WORK IN PROGRESS...
```
See https://www.x33fcon.com/archive/2018/slides/x33fcon18_SandboxEvasionUsingVBAReferencing_ADori_AGrafi.pdf
This technique can be used to detect sandboxing: https://conference.hitb.org/hitbsecconf2018ams/materials/D2T1%20-%20Aviv%20Grafi%20&%20Amit%20Dori%20-%20Sandbox%20Evasion%20Using%20VBA%20Referencing.pdf The VBA code could also check if Protected View is disabled, probably by looking at the registry.