olevba: add projectcompatversion record #723
Conversation
kijeong
changed the title
|
I have just encountered a sample with the same problem and searching for clues found this PR. Reviewed the code here and tested it and everything checks out. Also includes a test sample and adjustments to the other tests, so I'm all in favour of merging this. Just needs a very simple rebase because of another unittest that has been added to master branch in the meantime. Thanks at @kijeong , excellent work 👍 |
|
Just checked different versions of MS-OVBA, and indeed PROJECTCOMPATVERSION was added in v11 published on the 17/08/2021. |
|
I had the bug, tried this branch and it worked for me. |
|
For some reason one change introduced here make one unittest fail. On my machine and on github's automated unittests the sample "olevba/sample_with_vba.ppt" olevba detects vba in this sample. However, the author of this PR seems to not have found VBA in this sample. Is it possible that system encoding plays a role here? Could you maybe re-check, @kijeong by running python3 -m unittest tests.oleid.test_basic.TestOleIDBasic.test_macros ? |
Just checked. I'm sorry. |
Hello @decalage2,
Recently, while analyzing the PowerPoint document containing VBAs, I found that some errors were outputted in the olevba output result.
The error was better revealed by activating the oletools debug option(--loglevel debug).
It was, I think, due to the newly added PROJECTCOMPATVERSION Record on dir Stream.
So I added the PROJECTCOMPATVERSION processing code to olevba.py.
If this is okay, I hope it merges.
Tested PowerPoint Application version:
Microsoft® PowerPoint® Microsoft 365 MSO(version 2110 build 16.0.14527.20234) 64bit
Refs:
2.3.4.2.1.2 PROJECTCOMPATVERSION Record, https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ed5d7ede-5d7d-4645-bba3-ddfd9bdc76ed, Perhaps this was issued in 2021-08-17.
Thank you for your work.😀
Best,
Kijeong