updated findSymbols.py
This commit is contained in:
parent
a2fa85596c
commit
dcadb41749
@ -49,15 +49,12 @@ Output filtering:
Example run:
|
Example run:
|
||||||
```
|
```
|
||||||
cmd> py findSymbols.py "c:\Program Files\Microsoft Office" -r -u -s exec -s launch -s run -s process -s eval
|
cmd> py findSymbols.py "c:\Program Files\Microsoft Office" -e -r -u -s exec -s launch -s run -s process -s eval -s dcom -s dde -s pipe
|
||||||
```
|
```
|
||||||
|
|
||||||
Searches for imports and exports in MS Office PE executables matching any of `'exec','launch','run','process','eval'` regular expressions.
|
Searches for unique exports in MS Office PE executables matching any of `'exec','launch','run','process','eval','dcom','dde','pipe'` regular expressions in their names.
|
||||||
|
|
||||||
```
|
```
|
||||||
| 562 | AppvIsvSubsystems64.dll | import | rpcrt4.dll | RpcServerUnregisterIf | 2004368 | c:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll |
|
|
||||||
| 563 | DBGCORE.DLL | import | ntdll.dll | RtlRunOnceExecuteOnce | 175056 | c:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL |
|
|
||||||
| 564 | mscss7ge.dll | export | mscss7ge.dll | RunCssWordBreaker | 556488 | c:\Program Files\Microsoft Office\root\Office16\mscss7ge.dll |
|
|
||||||
| 565 | PRIVATE_ODBC32.dll | export | PRIVATE_ODBC32.dll | SQLExecDirect | 734088 | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for |
|
| 565 | PRIVATE_ODBC32.dll | export | PRIVATE_ODBC32.dll | SQLExecDirect | 734088 | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for |
|
||||||
| | | | | | | Excel Integrated\bin\PRIVATE_ODBC32.dll |
|
| | | | | | | Excel Integrated\bin\PRIVATE_ODBC32.dll |
|
||||||
| 566 | PRIVATE_ODBC32.dll | export | PRIVATE_ODBC32.dll | SQLExecDirectA | 734088 | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for |
|
| 566 | PRIVATE_ODBC32.dll | export | PRIVATE_ODBC32.dll | SQLExecDirectA | 734088 | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for |
|
||||||
@ -108,36 +108,36 @@ def verifyCriterias(args, regexes, infos, uniqueSymbols):
|
||||||
|
|
||||||
regexesVerified = sum([len(v) for k, v in regexes.items()])
|
regexesVerified = sum([len(v) for k, v in regexes.items()])
|
||||||
|
|
||||||
for rex in regexes['not-name']:
|
for name, rex in regexes['not-name']:
|
||||||
match = rex.search(infos['symbol'])
|
match = rex.search(infos['symbol'])
|
||||||
if match:
|
if match:
|
||||||
verbose(args, f'(-) Skipping symbol {infos["module"]}.{infos["symbol"]} as it DID satisfy not-name regex.')
|
verbose(args, f'(-) Skipping symbol {infos["module"]}.{infos["symbol"]} as it DID satisfy not-name ({name}) regex.')
|
||||||
return False
|
return False
|
||||||
|
|
||||||
for rex in regexes['not-module']:
|
for name, rex in regexes['not-module']:
|
||||||
match = rex.search(infos['module'])
|
match = rex.search(infos['module'])
|
||||||
if match:
|
if match:
|
||||||
verbose(args, f'(-) Skipping symbol\'s module {infos["module"]}.{infos["symbol"]} as it DID satisfy not-module regex.')
|
verbose(args, f'(-) Skipping symbol\'s module {infos["module"]}.{infos["symbol"]} as it DID satisfy not-module ({name}) regex.')
|
||||||
return False
|
return False
|
||||||
|
|
||||||
satisifed = False
|
satisifed = False
|
||||||
carryOn = False
|
carryOn = False
|
||||||
|
|
||||||
if len(regexes['module']) > 0:
|
if len(regexes['module']) > 0:
|
||||||
for rex in regexes['module']:
|
for name, rex in regexes['module']:
|
||||||
match = rex.search(infos['module'])
|
match = rex.search(infos['module'])
|
||||||
if match:
|
if match:
|
||||||
verbose(args, f'(+) Symbol\'s module {infos["module"]}.{infos["symbol"]} satisfied module regex.')
|
verbose(args, f'(+) Symbol\'s module {infos["module"]}.{infos["symbol"]} satisfied module ({name}) regex.')
|
||||||
carryOn = True
|
carryOn = True
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
carryOn = True
|
carryOn = True
|
||||||
|
|
||||||
if carryOn:
|
if carryOn:
|
||||||
for rex in regexes['name']:
|
for name, rex in regexes['name']:
|
||||||
match = rex.search(infos['symbol'])
|
match = rex.search(infos['symbol'])
|
||||||
if match:
|
if match:
|
||||||
verbose(args, f'(+) Symbol {infos["module"]}.{infos["symbol"]} satisfied name regex.')
|
verbose(args, f'(+) Symbol {infos["module"]}.{infos["symbol"]} satisfied name ({name}) regex.')
|
||||||
satisifed = True
|
satisifed = True
|
||||||
break
|
break
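Review bot: The four loops now unpack `for name, rex in regexes[...]`, which turns every entry of the `regexes` dict into a `(pattern, compiled)` tuple and silently changes a contract shared with `opts()`; any other consumer that still treats an entry as a compiled pattern will fail at runtime with `AttributeError: 'tuple' object has no attribute 'search'`, and nothing in the hunk documents the new shape. I would add a short comment above the first loop, `# regexes[...] entries are (raw_pattern, compiled) pairs, see opts()`, or give the pair a `NamedTuple` so `rex.pattern`/`rex.compiled` reads unambiguously. The verbose messages interpolate the raw user pattern as `({name})`; using `({name!r})` keeps leading/trailing whitespace and quoting visible, which matters when a pattern unexpectedly matches nothing. `verifyCriterias` starts before this hunk and its body continues past it, so the final use of `satisifed` is not visible here.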
|
||||||
|
|
||||||
|
@ -312,16 +312,16 @@ def opts(argv):
|
||||||
}
|
}
|
||||||
|
|
||||||
for name in args.name:
|
for name in args.name:
|
||||||
regexes['name'].append(re.compile(accomodate_rex(name), re.I))
|
regexes['name'].append((name, re.compile(accomodate_rex(name), re.I)))
|
||||||
|
|
||||||
for not_name in args.not_name:
|
for not_name in args.not_name:
|
||||||
regexes['not-name'].append(re.compile(accomodate_rex(not_name), re.I))
|
regexes['not-name'].append((not_name, re.compile(accomodate_rex(not_name), re.I)))
|
||||||
|
|
||||||
for module in args.module:
|
for module in args.module:
|
||||||
regexes['module'].append(re.compile(accomodate_rex(module), re.I))
|
regexes['module'].append((module, re.compile(accomodate_rex(module), re.I)))
|
||||||
|
|
||||||
for not_module in args.not_module:
|
for not_module in args.not_module:
|
||||||
regexes['not-module'].append(re.compile(accomodate_rex(not_module), re.I))
|
regexes['not-module'].append((not_module, re.compile(accomodate_rex(not_module), re.I)))
|
||||||
|
|
||||||
return args, regexes
|
return args, regexes
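Review bot: A malformed user pattern in any of the four `re.compile(accomodate_rex(...), re.I)` calls still escapes as an uncaught `re.error` traceback, and the commit does not address this while touching each line; since the pattern is now kept alongside the compiled object, it is cheap to name the offending option and pattern and exit cleanly. The four loops are also identical apart from the key, so a single helper removes the duplication and gives one place for the check. I am assuming `args.name` and friends are always lists (argparse `action='append'` yields `None` when an option is absent unless `default=[]` is set, which is outside this hunk), hence the `or []` guard. `opts` starts before this hunk; only its tail is visible here.
```python
def _compile_patterns(option, patterns):
    # One (raw, compiled) pair per user-supplied pattern; abort with a clear
    # message instead of a traceback when the user's regex is malformed.
    compiled = []
    for pat in patterns or []:
        try:
            compiled.append((pat, re.compile(accomodate_rex(pat), re.I)))
        except re.error as e:
            raise SystemExit(f'[!] Invalid regular expression for {option}: {pat!r}: {e}')
    return compiled

# … unchanged: regexes dict initialisation …
regexes['name'] = _compile_patterns('name', args.name)
regexes['not-name'] = _compile_patterns('not-name', args.not_name)
regexes['module'] = _compile_patterns('module', args.module)
regexes['not-module'] = _compile_patterns('not-module', args.not_module)
```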
|
||||||
|
|