Didier Stevens

Tuesday 3 June 2025

Update: search-for-compression.py Version 0.0.4

Filed under: Beta,My Software,Update — Didier Stevens @ 0:00

This tool is still beta.

In addition to zlib compression, VBA compression is now supported. Option -t (--type) was added so that one can choose the compression type to search for. Possible values are zlib (default) or vba.

And shortcut #p# was added to the yara option, to predefine these rules:

rule attribute_vb_name {
    strings:
        $a = "Attribute VB_Name = "
    condition:
        $a
}

rule dir {
    strings:
        $a = { 01 00 04 }
    condition:
        $a at 0
}
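To illustrate what searching for VBA compression and then applying these two rules involves, here is an added sketch. It is not code from search-for-compression.py. It tries an MS-OVBA decompression at every offset and keeps only the streams whose decompressed content passes the same two checks as the rules above. The names decompress_vba, search_vba and SAMPLE are assumptions made for this example, and the sample bytes are constructed.

```python
def decompress_vba(data, start=0):
    """Decompress an MS-OVBA CompressedContainer at data[start:]; None if invalid."""
    if start >= len(data) or data[start] != 0x01:       # container signature byte
        return None
    out, pos = bytearray(), start + 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], 'little')
        if (header >> 12) & 0x07 != 0b011:               # chunk signature, bits 12-14
            break
        end = min(pos + (header & 0x0FFF) + 3, len(data))
        pos += 2
        if not header & 0x8000:                          # raw chunk: 4096 bytes as-is
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):                         # up to 8 tokens per flag byte
                if pos >= end:
                    break
                if not (flags >> bit) & 1:               # literal token
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], 'little')
                done = len(out) - chunk_start            # bytes produced in this chunk
                bits = max((done - 1).bit_length(), 4)   # width of the offset field
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                if pos + 2 > end or offset > done:       # truncated or out-of-chunk copy
                    return None
                pos += 2
                for _ in range(length):                  # byte-wise: source may overlap
                    out.append(out[-offset])
    return bytes(out) or None

def search_vba(data):
    """Yield (offset, matched rule names, decompressed) for each stream passing a check."""
    for off in range(len(data)):
        dec = decompress_vba(data, off) or b''
        names = [n for n, ok in (('attribute_vb_name', b'Attribute VB_Name = ' in dec),
                                 ('dir', dec.startswith(b'\x01\x00\x04'))) if ok]
        if names:
            yield off, names, dec

# Constructed sample: junk, module-like stream (literals only), junk, dir-like stream (copy token)
SAMPLE = (b'\xde\xad\xbe\xef\x01\x1d\xb0\x00Attribut\x00e VB_Nam\x00e = "M1"\x00\r\n'
          b'\xff\xff\xff\x01\x09\xb0\x80\x01\x00\x04\x00\x00\x00\x01\x00\x30')
```

Many byte sequences beginning with 0x01 pass the container and chunk signature checks, which is why the content checks are needed to separate real VBA streams from accidental matches.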

I’ll explain in another blog post how these features can be used to analyze MS Access databases with a VBA project.