
Conversation

Contributor

@phutelmyer phutelmyer commented Feb 10, 2023

Describe the change
This PR consists of the following:

  • Adds VBA macro extraction support for Microsoft Publisher files.
  • Fixes a bug in ScanTlsh where the first TLSH hash match is used even if a subsequent match has a lower score (higher-confidence match)
  • Improves test for ScanTlsh to match above logic change
  • Improves exception handling in several scanners

Describe testing procedures

docker-compose -f build/docker-compose.yaml build --build-arg CONFIG_TESTS=true backend
...
 => [17/19] RUN echo '[+] Run build checks' &&     cd /strelka/strelka/ &&     python3 -m pytest -s tests/ &&     if true; then python3 -m pytest -s tests_configuration/; fi &&     echo '[+] Done'                                126.5s
 => [18/19] RUN cd /strelka/ &&     rm -rf /strelka/                                                                                                                                                                                  0.4s
 => [19/19] RUN rm -rf /etc/strelka/                                                                                                                                                                                                  0.4s
 => exporting to image                                                                                                                                                                                                               11.3s
 => => exporting layers                                                                                                                                                                                                              11.2s
 => => writing image sha256:6ea3c8b24728743fc75dc0ef1036b1898af8c1668321a42f460e46369b88c724                                                                                                                                          0.0s
 => => naming to docker.io/library/build-backend   

Sample output
ScanVBA support for Microsoft Publisher files:

{
  "flavors": {
    "mime": [
      "application/vnd.ms-office"
    ],
    "yara": [
      "olecf_file"
    ]
  },
  "scanners": [
    "ScanEntropy",
    "ScanExiftool",
    "ScanFooter",
    "ScanHash",
    "ScanHeader",
    "ScanOle",
    "ScanTlsh",
    "ScanVba",
    "ScanYara"
  ],
...
  "vba": {
    "elapsed": 0.057557,
    "total": {
      "files": 1,
      "extracted": 1
    },
    "suspicious": [
      "GetObject",
      "Lib",
      "vmware",
      "Hex Strings",
      "Base64 Strings"
    ],
    "auto_exec": [
      "Document_Open"
    ]
  },
...
}

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my code and tested it
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
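The ScanTlsh fix described in the first comment (keep the lowest-scoring match rather than the first one under the threshold) is easy to get wrong, so here is an added, self-contained illustration of the two behaviours side by side. This is example code written for this page, not Strelka's ScanTlsh implementation: the ruleset, the sample digest and the `nibble_distance` function are all constructed stand-ins (a real scanner would call `tlsh.diff` from py-tlsh on real TLSH digests), and the "score at or below threshold counts as a match" rule is an assumption.

```python
# Added example (not Strelka's own code): choosing the best TLSH match.
# The buggy behaviour returns the first rule whose score is under the
# threshold; the fixed behaviour evaluates every rule and keeps the lowest
# score, which is the highest-confidence match. The distance function is a
# constructed stand-in for tlsh.diff() so the example runs offline.

from typing import Callable, Dict, Optional

# Constructed ruleset: family name -> digest-like hex string (NOT real TLSH hashes).
RULESET: Dict[str, str] = {
    "family_a": "a1b2c3d4e5f6",
    "family_b": "a1b2c3d4e5f0",
    "family_c": "ffffffffffff",
}


def nibble_distance(h1: str, h2: str) -> int:
    """Stand-in for tlsh.diff(): number of differing hex positions (lower = closer)."""
    if len(h1) != len(h2):
        raise ValueError("digests must have the same length")
    return sum(1 for a, b in zip(h1, h2) if a != b)


def first_match(sample: str, ruleset: Dict[str, str], threshold: int,
                distance: Callable[[str, str], int] = nibble_distance) -> Optional[dict]:
    """Buggy behaviour: return the first rule under the threshold, in iteration order."""
    for family, digest in ruleset.items():
        score = distance(sample, digest)
        if score <= threshold:          # assumption: <= threshold counts as a match
            return {"family": family, "score": score}
    return None


def best_match(sample: str, ruleset: Dict[str, str], threshold: int,
               distance: Callable[[str, str], int] = nibble_distance) -> Optional[dict]:
    """Fixed behaviour: evaluate every rule and keep the lowest score under the threshold."""
    best: Optional[dict] = None
    for family, digest in ruleset.items():
        score = distance(sample, digest)
        if score > threshold:
            continue                    # not close enough to be reported at all
        if best is None or score < best["score"]:
            best = {"family": family, "score": score}
    return best


if __name__ == "__main__":
    SAMPLE = "a1b2c3d4e5f0"   # constructed digest for the scanned file
    # family_a scores 1 and is seen first; family_b scores 0 and is the true best match.
    print("first_match:", first_match(SAMPLE, RULESET, threshold=3))
    print("best_match: ", best_match(SAMPLE, RULESET, threshold=3))
```

Run it and the two calls disagree: `first_match` attributes the sample to `family_a` (score 1) because it stops at the first hit, while `best_match` reports `family_b` (score 0). The test in the PR should therefore include at least two rules under the threshold, ordered so that the closer one comes second; a single-rule fixture cannot distinguish the two implementations.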

@phutelmyer phutelmyer added bug Something isn't working enhancement New feature or request labels Feb 10, 2023
@phutelmyer phutelmyer merged commit da56d08 into master Feb 10, 2023
@phutelmyer phutelmyer deleted the multiple-scanner-updates branch March 28, 2023 13:24
