feat: OLE CF and VBA modules implemented #274
Conversation
- Added support for parsing OLE CF and VBA (macro-enabled Office) files.
There was a problem hiding this comment.
Good work. This goes in the right direction, but I think it requires a bit of rewrite to make it more similar to other existing modules that use the nom crate for parsing binary files. The nom crate makes parsing complex data strucuture easier, and removes boilerplate code like the read_u32 and read_u16 functions.
| repeated string module_names = 2; | ||
|
|
||
| // Type of each module (standard, class, form) | ||
| repeated string module_types = 3; |
There was a problem hiding this comment.
Instead of using constant strings use enums.
There was a problem hiding this comment.
This is actually consistent with existing modules like Lnk. We're not using an enum because it's just integer typing for metadata.
There was a problem hiding this comment.
I looked for this pattern in the lnk module and didn't find it. In most cases, fields that have a value from a pre-defined set of possible values, are expressed as enums instead of strings. Using strings have the downside that you must remember which are the possible values. In this case the possible values are: "Standard", "Class" and "Unknown". If you forget that they start with a capital letter you can end writing a rule like module_type == "standard" which won't match.
In the other hand, enums allow using the constants defined by the module itself (as in module_type == vbs.ModuleType.Standard), which reduce errors.
| repeated string module_types = 3; | ||
|
|
||
| // The actual VBA code for each module | ||
| repeated string module_code = 4; |
There was a problem hiding this comment.
Is this actually repeated? If so, the name is a bit misleading considering that module_names and module_types are in plural form and this is singular.
There was a problem hiding this comment.
After looking more carefully at the code, it looks like module_code (now module_codes) is actually an array where each item is a line of code. IMHO the module's code should be all together in a single string with newlines. Having the code separated in lines make harder to work with it. For instance, if you want to search for some pattern in the code you will need a loop that looks for the pattern one line at a time. I don't see any benefit in having the code split in lines.
|
Thank you. While I can address most of the comments in another revision soon, I've been experimenting with using |
|
I prefer to maintain a separate development branch until the |
- Adjusted modules to use `nom`. - Added links to specifications. - Fixed issue with copying entire input data in the VBA module.
I (unexpectedly) found some more time to put into this :-) does the re-work match your expectations? |
|
Oops, I made a mistake and merged this PR inadvertenly and then restored the main branch to its previous state. Now I can't re-open this PR, can you crate a new PR with the canges? |
|
Oops, yes can do. |
|
Done: #285 |
|
Thanks! |
OLE CF (Object Linking and Embedding Compound File) format is a file format used for legacy Microsoft Office files, such as documents, workbooks, presentations, and others. It's also used with Visual Basic for Applications (VBA) which is known more commonly as Office macros.
I've implemented two modules for parsing OLE CF files and VBA. I've also expanded the
dumpcommand to allow dumping of file metadata such as stream metadata (OLE CF) and macros (VBA).An example of how you could use this to identify the use of auto-execute macro method names like "Document_New":