Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

handle new record in new vbaproject.bin if present #819

Closed
wants to merge 1 commit into from
Closed

handle new record in new vbaproject.bin if present #819

wants to merge 1 commit into from

Conversation

beauvankirk
Copy link

In one of the recent updates to the MS-OVBA Office VBA File Format Structure specs, a new 10-byte CompatVersionRecord block was added to the PROJECTINFORMATION block:

image
image

The record is identified with id 0x004A:

image

The insertion of this new record leads to corrupt/failed parsing of the remainder of the PROJECTINFORMATION record. For my use case this was the source of this issue: #811.

Adding a conditional check to skip over this new 10-byte record if encountered resolved the issue for me. This is a pretty targeted/brittle solution...I'm not sure if there is a more robust route (this was my first time actually diving into the file format).

@decalage2 decalage2 self-requested a review July 20, 2023 19:26
@decalage2 decalage2 self-assigned this Jul 20, 2023
@decalage2 decalage2 added this to the Next Release milestone Jul 20, 2023
@DevDmitryHub
Copy link

DevDmitryHub commented Jul 27, 2023
edited
Loading

Similar PR #723
Faced with the same issue on the latest stable version (oletools-0.60.1) for excel worksheet in XLSM format, so hope for soon fix.

olevba 0.60.1 on Python 3.11.0 - http://decalage.info/python/oletools
===============================================================================
FILE: .\vbaProject.bin
Type: OLE
WARNING  invalid value for PROJECTLCID_Id expected 0002 got 004A
WARNING  invalid value for PROJECTLCID_Lcid expected 0409 got 0004
WARNING  invalid value for PROJECTLCIDINVOKE_Id expected 0014 got 0002
WARNING  invalid value for PROJECTCODEPAGE_Id expected 0003 got 0014
WARNING  invalid value for PROJECTCODEPAGE_Size expected 0002 got 0004
WARNING  invalid value for PROJECTNAME_Id expected 0004 got 0000
ERROR    PROJECTNAME_SizeOfProjectName value not in range [1-128]: 131075
ERROR    Error in _extract_vba
Traceback (most recent call last):
  File "C:\Python311\Lib\site-packages\oletools-0.60.1-py3.11.egg\oletools\olevba.py", line 3526, in extract_macros
    for stream_path, vba_filename, vba_code in \
  File "C:\Python311\Lib\site-packages\oletools-0.60.1-py3.11.egg\oletools\olevba.py", line 2094, in _extract_vba
    project = VBA_Project(ole, vba_root, project_path, dir_path, relaxed)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python311\Lib\site-packages\oletools-0.60.1-py3.11.egg\oletools\olevba.py", line 1752, in __init__
    projectdocstring_id = struct.unpack("<H", dir_stream.read(2))[0]
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

@beauvankirk
Copy link
Author

Apologies, I searched for prior issues, hence linking #811, and I thought PRs as well but I missed that preexisting PR.

@christian-intra2net
Copy link
Contributor

I reviewed #723 and this one and I suggest merging the other one as it includes test data and actually parses the record. Just needs a rebase onto main

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@decalage2 decalage2 Awaiting requested review from decalage2

Assignees

@decalage2 decalage2

Labels
🐛 bug olevba
Projects
None yet
Milestone
Next Release
Development

Successfully merging this pull request may close these issues.
4 participants
@beauvankirk @DevDmitryHub @christian-intra2net @decalage2