[Esd-l] macro scanning...
John D. Hardin
jhardin at impsec.org
Tue Nov 4 07:30:03 PST 2003
On Tue, 4 Nov 2003, Agung Kuswanto NCS wrote:
> Btw, how does the content filtering program know there's a macro
> inside an office attachment, regardless of whether it's malicious or not?
Strictly speaking it does not. It's just looking for specific strings
and making a few assumptions.
Macro and VBA code is (thankfully) stored more-or-less in-the-clear as
source text, not tokenized or encrypted. Each keyword is ASCII, started
by a zero byte.
Thus we can look for strings of the form (zero-byte)(dangerous
command) with a fairly high degree of reliability and with great
speed. The sanitizer's macro scanner is *extremely* simple-minded.
Unfortunately Excel also stores cell text starting with a zero byte,
so if somebody puts a string beginning with what we consider a
"dangerous" VBA or macro command into a cell, we will probably detect
it incorrectly. This is where it would be useful to be aware of the
internal structure of the file format, so that we can only search the
part of the file that contains macros and VBA code.
All of this was determined by poking at Excel files and Word documents
with vi.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
Tomorrow: Matrix Revolutions
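The scanning approach John describes above (a byte search for a zero byte followed by a watched keyword, with no knowledge of the file's internal structure) is easy to reproduce, and so is the Excel cell-text false positive he mentions. The following is an added illustration written for this archive page; it is not the sanitizer's own code, and the keyword list, the sample byte strings and the function names are constructed assumptions rather than anything taken from the sanitizer or from real Office files.

```python
import re

# Assumed keyword list: the kind of "dangerous command" strings a scanner of
# this sort watches for. The sanitizer's actual list is not reproduced here.
SUSPECT_KEYWORDS = (b"Shell", b"CreateObject", b"AutoOpen", b"Document_Open")


def find_zero_prefixed_keywords(blob: bytes, keywords=SUSPECT_KEYWORDS):
    """Return [(offset, keyword)] for every 0x00 byte followed by a watched keyword.

    This is the simple-minded approach from the post: no parsing of the OLE
    container, just a raw byte-string search over the whole attachment.
    """
    alternation = b"|".join(re.escape(k) for k in keywords)
    pattern = re.compile(b"\x00(" + alternation + b")")
    return [(m.start(), m.group(1)) for m in pattern.finditer(blob)]


def verdict(blob: bytes) -> str:
    """Collapse the hit list into the two outcomes a filter acts on."""
    return "macro-suspect" if find_zero_prefixed_keywords(blob) else "clean"


# Constructed sample 1: bytes laid out the way the post describes VBA source
# being stored (ASCII keywords, each preceded by a zero byte). Not a real file.
VBA_LIKE = (
    b"\x00Sub\x00AutoOpen()\r\n"
    b"\x00Shell\x00(\"example.exe\")\r\n"
    b"\x00End\x00Sub"
)

# Constructed sample 2: an Excel-style cell string that merely begins with a
# watched word. Cell text is zero-byte prefixed too, so this benign spreadsheet
# content is flagged exactly as the post warns.
EXCEL_CELL_FALSE_POSITIVE = b"\x00Shell station fuel cost\x00Q3 totals"

# Constructed sample 3: the same words with no leading zero byte, as they would
# appear in ordinary text. The scanner ignores them.
PLAIN_TEXT = b"Shell AutoOpen CreateObject"


if __name__ == "__main__":
    for label, blob in (("vba-like", VBA_LIKE),
                        ("excel-cell", EXCEL_CELL_FALSE_POSITIVE),
                        ("plain-text", PLAIN_TEXT)):
        print(label, verdict(blob), find_zero_prefixed_keywords(blob))
```

Running it shows the VBA-like fragment and the harmless Excel cell both come back "macro-suspect", which is the trade-off the post is making: the search is fast and needs no format parser, at the cost of false positives that only a structure-aware scan (searching just the macro storage inside the OLE file) could remove.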