Snippets
Created by
Alexander Hanel
last modified
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 | """
Name: oleNativeCarve.py
Author: Alexander Hanel
Description: Extracts embedded objects from olenative records.
The extracted object will be saved as SHA256.bin with a corresponding file named
SHA256.json that contains information about the extracted
Example:
C:\Users\Admin\Desktop\examples>oleNativeCarve.py
520c8eabb1a5f0895cbe056dcf5d568c090c66100f15ccef5e55c4b3fd017684 not a valid zip
..
03/14/2017 10:06 AM 581,723 c5d19edc4187c936682e5ab45a2cb99724d447a1d68f914fce5ccfdd25c8e53f.bin
03/14/2017 10:06 AM 446 c5d19edc4187c936682e5ab45a2cb99724d447a1d68f914fce5ccfdd25c8e53f.json
03/10/2017 02:31 PM 580,359 e635400d56049f8ee3f26e372f87c90816c48f73d114cab1bef78a5ed2a1df3a
03/14/2017 10:05 AM 5,160 oleNativeCarve.py
Contents of SHA256.json
{"native_data_size": 581723, "parent_sha256": "e635400d56049f8ee3f26e372f87c90816c48f73d114cab1bef78a5ed2a1df3a",
"flags1": 2, "flags2": 0, "unknown": 0, "label": "www.revenueads.com", "unknown2": 3, "unknown3": null,
"command": "C:\\Users\\Admin\\AppData\\Local\\Temp\\www.revenueads.com",
"sha256": "c5d19edc4187c936682e5ab45a2cb99724d447a1d68f914fce5ccfdd25c8e53f",
"file_path": "C:\\Users\\Admin\\Desktop\\www.revenueads.com", "size": 582085}
"""
import hashlib
import os
import sys
import json
import hashlib
import olefile
import shutil
import struct
import tempfile
import zipfile
class olenative():
def __init__(self, data):
self.size = int
self.flags1 = None
self.label = str
self.file_path = str
self.flags2 = None
self.unknown = None
self.unknown2 = None
self.command = str
self.native_data_size = int
self.native_data = str
self.unknown3 = None
self.sha256 = None
self.parent_sha256 = None
self.parse_ole_native(data)
def return_dict(self):
"""populate temp dict that stores configurations"""
temp_dict = {}
temp_dict["size"] = self.size
temp_dict["flags1"] = self.flags1
temp_dict["label"] = self.label
temp_dict["file_path"] = self.file_path
temp_dict["flags2"] = self.flags2
temp_dict["unknown"] = self.unknown
temp_dict["unknown2"] = self.unknown2
temp_dict["command"] = self.command
temp_dict["native_data_size"] = self.native_data_size
# native data is saved as binary file of the sha256 name
temp_dict["unknown3"] = self.unknown3
temp_dict["sha256"] = self.sha256
temp_dict["parent_sha256"] = self.parent_sha256
return temp_dict
def parse_ole_native(self, data):
""" parses olenative structure"""
# get size
self.size = struct.unpack('<L', data[0:4])[0]
data = data[4:]
# get flag1, typically a hardcoded value of 02 00
self.flags1 = struct.unpack('<H', data[0:2])[0]
data = data[2:]
# get label aka name of the embedded file. label is a string of unknown length
self.label = data[:data.find('\0')]
# calculate length of string label1
data = data[len(self.label) + 1:]
# get file name
self.file_path = data[:data.find('\0')]
data = data[len(self.file_path):]
# get flag2
self.flags2 = struct.unpack('<H', data[0:2])[0]
data = data[2:]
self.unknown = struct.unpack('<B', data[0:1])[0]
data = data[1:]
self.unknown2 = struct.unpack('<B', data[0:1])[0]
# skipping four bytes not sure what they are
data = data[6:]
self.command = data[:data.find('\0')]
data = data[len(self.command) + 1:]
self.native_data_size = struct.unpack('<L', data[0:4])[0]
data = data[4:]
self.native_data = data[:self.native_data_size]
sha = hashlib.sha256()
sha.update(self.native_data)
self.sha256 = sha.hexdigest()
def carve_ole_native(file_path, debug=True):
"""Carves olenative embedded objects, saves a SHA256.bin & SHA256.json returns file names"""
hash_sha256 = hashlib.sha256()
# read file into chunks
with open(file_path, "rb") as f:
for chunk in iter(lambda: f.read(4096), b""):
hash_sha256.update(chunk)
dir_path = tempfile.mkdtemp()
try:
with zipfile.ZipFile(file_path, "r") as zip_ref:
zip_ref.extractall(dir_path)
except:
if debug:
print "%s not a valid zip" % (hash_sha256.hexdigest())
return
out_files = []
for root, dirs, files in os.walk(dir_path):
for name in files:
# Each OLEObject object represents an ActiveX control or a linked or embedded OLE object.
# can be "oleObjectX" where is X is an integer value
# location of oleObjectX /<application/embeddings/
if "oleObject" in name:
oledir = tempfile.mkdtemp()
olepath = os.path.join(root, name)
try:
ole = olefile.OleFileIO(olepath)
except:
if debug:
print "invalid OLE structure"
continue
# An Ole10Native record which is wrapped around certain binary files being embedded in OLE2 documents.
if ole.exists('\x01Ole10Native'):
ole_native = ole.openstream('\x01Ole10Native').read()
ole_class = olenative(ole_native)
ole_class.parent_sha256 = hash_sha256.hexdigest()
# write binary data
name_bin = ole_class.sha256 + ".bin"
with open(name_bin, "wb") as outfile:
outfile.write(ole_class.native_data)
# write JSON
name_json = ole_class.sha256 + ".json"
with open(name_json, "wb") as jsonout:
json.dump(ole_class.return_dict(), jsonout, encoding='latin1')
out_files.append((name_bin, name_json))
shutil.rmtree(oledir)
else:
if debug:
print "%s \x01Ole10Native is not present" % (hash_sha256.hexdigest())
continue
# deleting oledir path threw errors due to an open handle
try:
shutil.rmtree(dir_path)
except Exception as e:
if debug:
print e
return out_files
# debug
import glob
for name in glob.glob('*'):
carve_ole_native(name, debug=False)
|
Comments (1)
You can clone a snippet to your computer for local editing. Learn more.
TODO
VT search query: oleObject1.bin tag:docx