This new version of oledump.py brings some fixes and an update to plugin plugin_vbaproject to decode and display the password for plaintext passwords:
Someone asked me what the byte sequence is for an infinite loop in x86 machine code (it’s something you could use while debugging, for example).
That byte sequence is just 2 bytes long: EB FE.
It’s something you can check with nasm, for example.
File jump-infinite-loop.asm:
BITS 32
loop1:
jmp loop1
loop2:
jmp short loop2
jmp $
jmp short $
jmp short -2
nasm jump-infinite-loop.asm -l jump-infinite-loop.lst
File jump-infinite-loop.lst:
1 BITS 32
2
3 loop1:
4 00000000 EBFE jmp loop1
5 loop2:
6 00000002 EBFE jmp short loop2
7 00000004 EBFE jmp $
8 00000006 EBFE jmp short $
9 00000008 EB(FE) jmp short -2
This new version of oledump.py brings a new plugin (plugin_metadata) and Python 3 fixes for 2 plugins (plugin_msi and plugin_ppt).
The new plugin is actually an old unpublished plugin, that I updated recently.
This plugin parses Office document metadata as defined in document [MS-OLEPS].
I started to write this in 2015 to parse the metadata of Word documents, but soon I figured out that this functionality was already present in olefile, and I introduced option -M to call this functionality.
But recently, I had to parse metadata that isn’t (yet) parsed by olefile, so I updated and released plugin_metadata.
oledump_V0_0_65.zip (http)This is a Python3 stdin fix for re-search.py, my tool to search with regular expressions.
re-search_V0_0_19.zip (http)Here is a new tool I’m releasing as beta: pngdump.py.
It’s a tool to analyze PNG files. Unlike jpegdump, you can not yet select items for further analysis.
This new version of 1768.py brings option -H to include file hashes, introduces shellcode type detection and has updated statistics.
This new version of cut-bytes.py adds access to the read data for Python expressions in prefix and suffix options.
cut-bytes_V0_0_14.zip (http)A couple of my tools can produce JSON output, using my own format (myjson).
This output can then be piped into another tool, like strings.py or file-magic.py.
I’m now releasing a tool that can be put into a command pipe to filter the JSON data: myjson-filter.py
For example, here I use myjson-filter.py to remove all items that are XML files (based on the content: starting with <?xml) before strings are extracted with strings.py:
More info in this ISC diary entry I wrote: “Method For String Extraction Filtering“.
We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.
One of the reasons to do this, is to evade “mark-of-web propagation”.
When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications will mark this file as coming from the Internet. This is done with a ZoneIdentifier Alternate Data Stream (like a “mark-of-web”).
When a Microsoft Office application, like Word, opens a document with a ZoneIdentifier ADS, the document is opened in Protected View (e.g., sandboxed).
But when an Office document is stored inside an ISO file, and that ISO has a ZoneIdentifier ADS, then Word will not open the document in Protected View. That is something I observed 5 years ago.
But this has changed recently. When exactly, I don’t know (update: August 2021).
But when I open an Office document stored inside an ISO file marked with a ZoneIdentifier ADS, Office 2021 will open the document in protected view:
With an unpatched version of Office 2019, that I installed a year ago, that same file is not opened in Protected View:
After updating Office:
Word’s behavior has changed:
The file is now opened in Protected View.
If you want to test this yourself, you can use my ZoneIdentifier tool to easily settings a “mark-of-web” without having to download your test file from the Internet:
Or you can just add the ZoneIdentifier ADS with notepad.
I did the same test with Office 2016, I updated an old version and: the document is not opened in Protected View.
I don’t know exactly when Microsoft Office 2019 was updated so that it would open documents in Protected View when they are inside an ISO file marked as originating from the Internet. But if you do know, please post a comment.
Update: this change happened in August 2021. See comments below. Thanks Philippe.
Didier Stevens 