32일차 파이썬 백신개발 -7

OLE 위치를 찾고 파싱하기 위해서 한참을 찾아다니면서 결국 찾아냈다.

그건 바로 파이썬에는 olefile이라는 모듈이 존재한다는 사실이었다! 

olefile을 통해 파일에 존재하는 스토리지와 스트림의 목록을 알 수 있었다.

 

그리고 hexdump라는 모듈도 발견했는데, 이 모듈은 파일의 hex값을 보여주는 모듈이다.

 

==============================================

olefile 외에도 아래와 같은 포렌식 모듈이 존재한다.

• python-oletools: a package of python tools to analyze OLE files and MS Office documents, mainly for malware analysis and debugging. It includes olebrowse, a graphical tool to browse and extract OLE streams, oleid to quickly identify characteristics of malicious documents, olevba to detect/extract/analyze VBA macros, and pyxswf to extract Flash objects (SWF) from OLE files.
• oledump: a tool to analyze malicious MS Office documents and extract VBA macros
• ExeFilter: to scan and clean active content in file formats (e.g. MS Office VBA macros)
• py-office-tools:  to display records inside Excel and PowerPoint files
• pyew: a malware analysis tool
• pyOLEscanner: a malware analysis tool
• PPTExtractor: to extract images from PowerPoint presentations
• msg-extractor: to parse MS Outlook MSG files
• pyhwp: hwp file format python parser
• RC4-40-brute-office: a tool to crack MS Office files using RC4 40-bit encryption
• punbup: a tool to extract files from McAfee antivirus quarantine files (.bup)
• Viper: a framework to store, classify and investigate binary files of any sort for malware analysis (also includes code from oleid)
• Pillow: the friendly fork of PIL, the Python Image Library
• Ghiro: a digital image forensics tool
• Nightmare: A distributed fuzzing testing suite, using olefile to fuzz OLE streams and write them back to OLE files.