[Esd-l] macro scanning...

John D. Hardin jhardin at impsec.org
Tue Nov 4 07:30:03 PST 2003

On Tue, 4 Nov 2003, Agung Kuswanto   NCS wrote:

> Btw, how's the content filtering program knows there's a macro
> inside office attachment regardless malicious or not.

Strictly speaking it does not. It's just looking for specific strings
and making a few assumptions.

Macro and VBA code is (thankfully) stored more-or-less in-the-clear as
source text, not tokenized or encrypted. Each keyword is ASCII started
by a zero byte.

Thus we can look for strings of the form (zero-byte)(dangerous
command) with a fairly high degree of reliability and with great
speed. The sanitizer's macro scanner is *extremely* simple-minded.

Unfortunately Excel also stores cell text starting with a zero byte,
so if somebody puts a string beginning with what we consider a
"dangerous" VBA or macro command into a cell, we will probably detect
it incorrectly. This is where it would be useful to be aware of the
internal structure of the file format, so that we can only search the
part of the file that contains macros and VBA code.

All of this was determined by poking at Excel files and Word documents
with vi.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   Tomorrow: Matrix Revolutions

More information about the esd-l mailing list