[Esd-l] macro scanning...

Simon Matthews simon at paxonet.com
Fri Oct 31 12:31:19 PST 2003

John and Agung,

One thing to consider: the scanner seems to detect deleted macros. Or at 
least macros in files that  have been "cleaned" by commercial anti-virus tools.


At 06:03 AM 10/31/03 -0800, John D. Hardin wrote:
>On Fri, 31 Oct 2003, Agung Kuswanto   NCS wrote:
> > I am trying to make a script (perl) to detect office macro inside an
> > attachment
> > as an illustration, the script will be called like :
> > myscript <office_attachment>
> >
> > result :
> > 1. if contains macro
> > 0. if not
> >
> > Can I make use part of code of the sanitizer.pl to achive my purpose.
> > below is part of the code I'd like to use.
>The sanitizer is released with the GPL license, so you are welcome to
>use parts of it in your projects. However, if you do directly copy
>code into your program, it must also be released under the GPL as
>well.If this presents a problem, you'll have to write the code from
>A suggestion: macro and VBA code is fairly easy to detect. Get a
>document with macros or VBA and look at it with a binary editor.
>You'll see the code is stored as "\000macro-command" so if you have a
>list of macro commands you can detect them pretty easily. You may need
>to do this if you want to detect any macro, vs. just dangerous ones.
>The only problem is that text stored in spreadsheet cells can look the
>same, so you may get false positives if your script is too sensitive.
> > Has anyone tried before?
>Not that I know of. You might try looking ad the code for OpenOffice,
>because it knows how to detect macros by parsing the internal
>structure of Office files rather than just looking for strings. There
>may also be some Office objects in the Perl CPAN repository. The only
>reason I did string comparison was it was computationally cheap and I
>was just looking for specific types of code.
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org                        pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
>   "It seems that some companies in the industry would rather use
>   deception rather than try and work things out diplomatically,
>   one-to-one."
>                         -- Blake Stowell, SCO PR director, on RedHat
>    6 days until Matrix Revolutions
>Esd-l mailing list
>Esd-l at spconnect.com

More information about the esd-l mailing list