Kirk Sayre

icon indicating an email [email protected]

icon company Walmart icon location I do cyber security work for Walmart.

Results 5 issues of Kirk Sayre

Include sheet names in olevba XLM output.

3 comment

**Is your feature request related to a problem? Please describe.** The most recent version of olevba looks like it includes the most of the XLM macro information needed to analyze/emulate...

:+1: enhancement
plugin_biff
XLM

XLM Formula Improperly Decoded

**Affected tool:** olevba **Describe the bug** olevba is improperly decoding the arguments to a XLM 4.0 RUN() macro call. olevba is decoding the formula as: RUN(-B0=83) The formula (as decoded...

:bug: bug
olevba
plugin_biff
XLM

Break infinite loops by limiting the # of iterations of a while loop.

4 comment

Current SLoad Excel XLM samples contain several while loops which never terminate during XLMMacroDeobfuscator emulation (ex. https://www.virustotal.com/gui/file/f7c577d377eae268913717937f792cca3f5bf7a802559f146ef5fba45f3f4605/detection). This pull request contains one potential method for handling infinite while loops. It...

Handle user defined classes better.

Example doc: f9c853989e336d614594f0f1fe017d4e58c7d0000a74c1d6a301fc2cb69be1a5 Need to handle multiple user defined classes with methods that have the same name. Probably need to implement name mangling in ViperMonkey to tell the methods from...

Possible fix for extended ASCII issue (#490)

3 comment

This is a potential fix for https://github.com/decalage2/oletools/issues/490 . Based on the behavior of oledump and some VBA payload decoders that decode extended ASCII strings it looks like VBA code bytes...

:bug: bug
olevba