
Pcode options + fixes #479

Merged: 10 commits from the pcode-options branch into decalage2:master, Sep 21, 2020
Conversation

@christian-intra2net (Contributor) commented Aug 7, 2019

This PR adds an option to disable pcode-extraction and renames the existing "pcode" option.

During coding I found a few minor errors that I fixed right away; these are the commits in the beginning. The ppt_parser commit was cherry-picked from another PR (#450), I needed it for testing. Feel free to just pick & merge part of these.

Rationale behind the main change:
Contrary to its help string, option "pcode" does not (any more) determine whether pcode is extracted and analyzed or not. That happens always. It only determines whether the pcode is shown to the user in the normal "detailed" output mode. I also implemented pcode output in "json" output mode and added a warning if pcode should be shown in triage mode. I renamed it "show_pcode".

To bring back the original meaning of the pcode-option, I added an option "disable-pcode". As an alternative to this solution (having "show_pcode" and "disable_pcode"), I could implement an option "pcode" that has choices "OFF" (do not extract), "ANALYZE" (extract and analyze) and "SHOW" (also add it to output). Let me know if you prefer that.

Commit messages in this PR:

Another py2/py3 error: returned data is str in py2, bytes in py3

When creating a sub-parser, should inherit all the options, not just a few.
To avoid repeating this error, create method for sub-parser creation.

The pcode will be extracted irrespective of this arg in detect_vba_stomping(). Adjust help of argument accordingly.

Option show_pcode so far only implemented for "normal" mode. For triage it does not make sense to do this, but in json it might be useful.

Also move this test below the point where final output mode is determined.

This could also be solved by creating just one single option --pcode=[OFF|DETECT|SHOW] (possibly also with option 'SHOW-VBA-STOMPED' for only showing if vba-stomping was detected).
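The option semantics debated above (two flags "show_pcode"/"disable_pcode" versus a single tri-state "--pcode", plus the sub-parser and output-mode points from the commit messages) as an added, self-contained argparse model. This is example code written for this page, not olevba's own parser: the names build_parser, make_subparser, resolve_pcode_policy, render, PcodePolicy, the -t/-j short flags and the SAMPLE_PCODE lines are all assumptions made here for illustration.

```python
import argparse
import json
import warnings
from collections import namedtuple

# extract = run pcode extraction/analysis at all,
# show    = also include the disassembled pcode in the report.
PcodePolicy = namedtuple("PcodePolicy", "extract show")

# Constructed sample standing in for disassembled pcode (not real tool output).
SAMPLE_PCODE = [
    "Line #0:",
    "\tFuncDefn (Sub AutoOpen())",
    "Line #1:",
    "\tLd MsgBox",
    "\tLitStr 0x0005 \"hello\"",
]


def build_parser(prog="olevba-like"):
    """Every option lives here; sub-parsers are built by calling this again,
    so none of them can silently miss an option (see make_subparser)."""
    p = argparse.ArgumentParser(prog=prog)
    p.add_argument("--show-pcode", action="store_true",
                   help="include disassembled pcode in normal/json output")
    p.add_argument("--disable-pcode", action="store_true",
                   help="skip pcode extraction and analysis entirely")
    # Tri-state alternative from the PR discussion: one option instead of two flags.
    p.add_argument("--pcode", choices=("OFF", "ANALYZE", "SHOW"), default=None,
                   help="OFF: do not extract; ANALYZE: extract and analyse; "
                        "SHOW: also add pcode to the output")
    p.add_argument("-t", "--triage", action="store_true", help="triage output mode")
    p.add_argument("-j", "--json", action="store_true", help="json output mode")
    return p


def make_subparser(prog):
    """Sub-parser creation goes through the same builder, so it inherits the
    full option set rather than a hand-picked subset."""
    return build_parser(prog)


def resolve_pcode_policy(args):
    """Map parsed flags to a PcodePolicy; an explicit --pcode wins over the flags."""
    if args.pcode is not None:
        extract = args.pcode != "OFF"
        show = args.pcode == "SHOW"
    else:
        extract = not args.disable_pcode
        show = args.show_pcode
    if show and not extract:
        raise ValueError("cannot show pcode when extraction is disabled")
    return PcodePolicy(extract, show)


def output_mode(args):
    """Final output mode; triage takes precedence over json."""
    if args.triage:
        return "triage"
    if args.json:
        return "json"
    return "normal"


def render(args, pcode_lines):
    """Build the report for the chosen mode. The show decision is only taken
    after the final output mode is known, so triage can warn instead of dumping."""
    policy = resolve_pcode_policy(args)
    mode = output_mode(args)
    if policy.show and mode == "triage":
        warnings.warn("--show-pcode has no effect in triage mode")
    if mode == "json":
        doc = {"pcode_analysed": policy.extract}
        if policy.show:
            doc["pcode"] = list(pcode_lines)
        return json.dumps(doc, sort_keys=True)
    if mode == "triage":
        return "triage: pcode analysed=%s" % policy.extract
    lines = ["pcode analysed: %s" % policy.extract]
    if policy.show:
        lines.append("-" * 20 + " PCODE " + "-" * 20)
        lines.extend(pcode_lines)
    return "\n".join(lines)


if __name__ == "__main__":
    ns = build_parser().parse_args(["--show-pcode"])
    print(render(ns, SAMPLE_PCODE))
```

With the two-flag form, `--disable-pcode` turns extraction off and `--show-pcode` alone only adds the already-extracted pcode to normal or json output; combining both is rejected rather than silently ignored. The tri-state `--pcode` expresses the same three states in one option, which is the alternative the PR author offered.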
@christian-intra2net (Contributor, Author) commented:

Required a rebase after merging #365

@decalage2 decalage2 self-requested a review September 21, 2020 21:02
@decalage2 decalage2 self-assigned this Sep 21, 2020
@decalage2 decalage2 merged commit 45aec6e into decalage2:master Sep 21, 2020
@christian-intra2net christian-intra2net deleted the pcode-options branch October 22, 2020 10:11
@christian-intra2net (Contributor, Author) commented:

Thanks for merging
(I am back, by the way)

@decalage2 (Owner) commented:

@christian-intra2net welcome back! :-)
