[Esd-l] macro scanning...

Agung Kuswanto NCS kagung at ncs.com.sg
Thu Nov 6 19:46:04 PST 2003

Thanks, John, for all your help.

I finally found a docFile API.
This API can read the Word binary and can easily detect macros inside (any

Thanks & Best Regards
Agung K

-----Original Message-----
From: John D. Hardin [mailto:jhardin at impsec.org] 
Sent: Tuesday, November 04, 2003 11:30 PM
To: Agung Kuswanto NCS
Cc: 'esd-l at spconnect.com'
Subject: RE: [Esd-l] macro scanning...

On Tue, 4 Nov 2003, Agung Kuswanto   NCS wrote:

> Btw, how does the content filtering program know there's a macro inside
> an Office attachment, regardless of whether it is malicious or not?

Strictly speaking it does not. It's just looking for specific strings and
making a few assumptions.

Macro and VBA code is (thankfully) stored more-or-less in-the-clear as
source text, not tokenized or encrypted. Each keyword is ASCII started by a
zero byte.

Thus we can look for strings of the form (zero-byte)(dangerous
command) with a fairly high degree of reliability and with great speed. The
sanitizer's macro scanner is *extremely* simple-minded.

Unfortunately Excel also stores cell text starting with a zero byte, so if
somebody puts a string beginning with what we consider a "dangerous" VBA or
macro command into a cell, we will probably detect it incorrectly. This is
where it would be useful to be aware of the internal structure of the file
format, so that we can only search the part of the file that contains macros
and VBA code.

All of this was determined by poking at Excel files and Word documents with

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   Tomorrow: Matrix Revolutions
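
Added example (not part of the original messages and not the sanitizer's own code): a minimal version of the (zero-byte)(keyword) scan described in the reply, run over a constructed byte string to show the Excel cell-text false positive and how limiting the search to the macro area removes it. The keyword list, the sample bytes and the regions parameter are assumptions made for illustration.

```python
# Illustrative keyword list (assumption): real VBA commands, but not the
# sanitizer's actual list, which the thread does not give.
KEYWORDS = [b"Shell", b"Kill", b"CreateObject"]


def scan(data, keywords=KEYWORDS, regions=None):
    """Return sorted (offset, keyword) hits for keywords preceded by a zero byte.

    regions is an optional list of (start, end) byte ranges known to hold
    macro/VBA code. It is a hypothetical input that a file-format-aware
    parser would supply; no such parser is implemented here. With
    regions=None the whole file is searched, like the simple scanner.
    """
    haystack = data.lower()  # assumption: match case-insensitively
    if regions is None:
        regions = [(0, len(data))]
    hits = []
    for kw in keywords:
        needle = b"\x00" + kw.lower()
        for start, end in regions:
            pos = haystack.find(needle, start, end)
            while pos != -1:
                hits.append((pos + 1, kw.decode()))  # offset of the keyword
                pos = haystack.find(needle, pos + 1, end)
    return sorted(hits)


# Constructed sample, not a real Office file: a "cell text" area followed by
# a "macro" area, both storing strings that start with a zero byte.
CELL_AREA = b"\x00Total\x00Shell Oil Co. invoice\x00Paid"
MACRO_AREA = b"\x00Sub\x00Demo\x00Shell\x00End\x00Sub"
PREFIX = b"HDR" + CELL_AREA + b"PAD"
SAMPLE = PREFIX + MACRO_AREA
MACRO_REGION = (len(PREFIX), len(SAMPLE))

if __name__ == "__main__":
    print("whole file :", scan(SAMPLE))
    print("macro only :", scan(SAMPLE, regions=[MACRO_REGION]))
```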
