[Esd-l] macro scanning...
John D. Hardin
jhardin at impsec.org
Fri Oct 31 06:03:47 PST 2003
On Fri, 31 Oct 2003, Agung Kuswanto NCS wrote:
> I am trying to make a script (perl) to detect office macro inside an
> attachment
> as an illustration, the script will be called like:
> myscript <office_attachment>
>
> result :
> 1. if contains macro
> 0. if not
>
> Can I make use part of code of the sanitizer.pl to achieve my purpose.
> below is part of the code I'd like to use.
The sanitizer is released with the GPL license, so you are welcome to
use parts of it in your projects. However, if you do directly copy
code into your program, it must also be released under the GPL as
well. If this presents a problem, you'll have to write the code from
scratch.
A suggestion: macro and VBA code is fairly easy to detect. Get a
document with macros or VBA and look at it with a binary editor.
You'll see the code is stored as "\000macro-command" so if you have a
list of macro commands you can detect them pretty easily. You may need
to do this if you want to detect any macro, vs. just dangerous ones.
The only problem is that text stored in spreadsheet cells can look the
same, so you may get false positives if your script is too sensitive.
> Has anyone tried before?
Not that I know of. You might try looking at the code for OpenOffice,
because it knows how to detect macros by parsing the internal
structure of Office files rather than just looking for strings. There
may also be some Office objects in the Perl CPAN repository. The only
reason I did string comparison was it was computationally cheap and I
was just looking for specific types of code.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
"It seems that some companies in the industry would rather use
deception rather than try and work things out diplomatically,
one-to-one."
-- Blake Stowell, SCO PR director, on RedHat
-----------------------------------------------------------------------
6 days until Matrix Revolutions
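A sketch of the string-match approach John describes above, written here as an added example in Python (it is not the sanitizer's own Perl code and not from the original thread). The list of macro command names is an assumed starting point you would extend, and the sample byte strings are constructed, not real Office files; the last sample shows the spreadsheet-cell false positive the post warns about.

```python
import re
import sys

# Assumed, deliberately short list of VBA/macro identifiers to look for.
# A real scanner would carry a much longer list of macro commands.
MACRO_WORDS = [b"AutoOpen", b"AutoExec", b"Document_Open", b"Workbook_Open",
               b"Shell", b"CreateObject", b"Attribute VB_Name"]

# Match a NUL byte immediately followed by one of the command names,
# i.e. the "\000macro-command" layout described in the post.
PATTERN = re.compile(b"\x00(" + b"|".join(re.escape(w) for w in MACRO_WORDS) + b")")


def find_macro_markers(data: bytes) -> list:
    """Return the distinct NUL-prefixed macro command names found in data."""
    return sorted({m.group(1).decode("ascii") for m in PATTERN.finditer(data)})


def has_macro(data: bytes) -> int:
    """1 if any macro marker string is present, 0 otherwise."""
    return 1 if find_macro_markers(data) else 0


# Constructed sample inputs (not real Office documents).
SAMPLE_WITH_MACRO = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8
                     + b"\x00AutoOpen\x00Sub AutoOpen()\r\n"
                     + b"\x00Shell\x00junk")
# Mentions "Shell" as ordinary text, without the NUL prefix: no hit.
SAMPLE_CLEAN = (b"\xd0\xcf\x11\xe0"
                + b"Please run the Shell command\x00" + b"\x00Normal\x00")
# A spreadsheet cell whose text happens to be stored as "\x00Shell":
# the string heuristic cannot tell this from macro code (false positive).
SAMPLE_CELL_TEXT = b"\x00Shell\x00 is the text of a cell in a spreadsheet"


def main() -> int:
    # Usage: myscript <office_attachment>; prints 1 if a marker is found, else 0.
    with open(sys.argv[1], "rb") as fh:
        result = has_macro(fh.read())
    print(result)
    return result


if __name__ == "__main__":
    sys.exit(main())
```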