updated findSymbols.py

2021-10-22 20:28:44 +02:00 · 2021-10-22 20:28:44 +02:00 · dcadb41749
parent a2fa85596c
commit dcadb41749
2 changed files with 14 additions and 17 deletions
--- a/windows/README.md
+++ b/windows/README.md
@ -49,15 +49,12 @@ Output filtering:
  
  Example run:
 ```
-cmd> py findSymbols.py "c:\Program Files\Microsoft Office" -r -u -s exec -s launch -s run -s process -s eval
+cmd> py findSymbols.py "c:\Program Files\Microsoft Office" -e -r -u -s exec -s launch -s run -s process -s eval -s dcom -s dde -s pipe
 ```

-  Searches for imports and exports in MS Office PE executables matching any of `'exec','launch','run','process','eval'` regular expressions.
+  Searches for unique exports in MS Office PE executables matching any of `'exec','launch','run','process','eval','dcom','dde','pipe'` regular expressions in their names.

 ```
-| 562 |  AppvIsvSubsystems64.dll | import |     rpcrt4.dll      |  RpcServerUnregisterIf  |  2004368  |     c:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll      |
-| 563 |        DBGCORE.DLL       | import |      ntdll.dll      |  RtlRunOnceExecuteOnce  |  175056   |           c:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL            |
-| 564 |       mscss7ge.dll       | export |    mscss7ge.dll     |    RunCssWordBreaker    |  556488   |           c:\Program Files\Microsoft Office\root\Office16\mscss7ge.dll           |
 | 565 |    PRIVATE_ODBC32.dll    | export | PRIVATE_ODBC32.dll  |      SQLExecDirect      |  734088   | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for |
 |     |                          |        |                     |                         |           |                     Excel Integrated\bin\PRIVATE_ODBC32.dll                      |
 | 566 |    PRIVATE_ODBC32.dll    | export | PRIVATE_ODBC32.dll  |      SQLExecDirectA     |  734088   | c:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for |
--- a/windows/findSymbols.py
+++ b/windows/findSymbols.py
@ -108,36 +108,36 @@ def verifyCriterias(args, regexes, infos, uniqueSymbols):

    regexesVerified = sum([len(v) for k, v in regexes.items()])

-    for rex in regexes['not-name']:
+    for name, rex in regexes['not-name']:
        match = rex.search(infos['symbol'])
        if match:
-            verbose(args, f'(-) Skipping symbol {infos["module"]}.{infos["symbol"]} as it DID satisfy not-name regex.')
+            verbose(args, f'(-) Skipping symbol {infos["module"]}.{infos["symbol"]} as it DID satisfy not-name ({name}) regex.')
            return False

-    for rex in regexes['not-module']:
+    for name, rex in regexes['not-module']:
        match = rex.search(infos['module'])
        if match:
-            verbose(args, f'(-) Skipping symbol\'s module {infos["module"]}.{infos["symbol"]} as it DID satisfy not-module regex.')
+            verbose(args, f'(-) Skipping symbol\'s module {infos["module"]}.{infos["symbol"]} as it DID satisfy not-module ({name}) regex.')
            return False

    satisifed = False
    carryOn = False

    if len(regexes['module']) > 0:
-        for rex in regexes['module']:
+        for name, rex in regexes['module']:
            match = rex.search(infos['module'])
            if match:
-                verbose(args, f'(+) Symbol\'s module {infos["module"]}.{infos["symbol"]} satisfied module regex.')
+                verbose(args, f'(+) Symbol\'s module {infos["module"]}.{infos["symbol"]} satisfied module ({name}) regex.')
                carryOn = True
                break
    else:
        carryOn = True

    if carryOn:
-        for rex in regexes['name']:
+        for name, rex in regexes['name']:
            match = rex.search(infos['symbol'])
            if match:
-                verbose(args, f'(+) Symbol {infos["module"]}.{infos["symbol"]} satisfied name regex.')
+                verbose(args, f'(+) Symbol {infos["module"]}.{infos["symbol"]} satisfied name ({name}) regex.')
                satisifed = True
                break

@ -312,16 +312,16 @@ def opts(argv):
    }

    for name in args.name:
-        regexes['name'].append(re.compile(accomodate_rex(name), re.I))
+        regexes['name'].append((name, re.compile(accomodate_rex(name), re.I)))

    for not_name in args.not_name:
-        regexes['not-name'].append(re.compile(accomodate_rex(not_name), re.I))
+        regexes['not-name'].append((not_name, re.compile(accomodate_rex(not_name), re.I)))

    for module in args.module:
-        regexes['module'].append(re.compile(accomodate_rex(module), re.I))
+        regexes['module'].append((module, re.compile(accomodate_rex(module), re.I)))

    for not_module in args.not_module:
-        regexes['not-module'].append(re.compile(accomodate_rex(not_module), re.I))
+        regexes['not-module'].append((not_module, re.compile(accomodate_rex(not_module), re.I)))

    return args, regexes