Oledump
Description
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data, and oledump allows you to list and analyze these streams.
Many applications use this file format; the best known is MS Office. .doc, .xls, .ppt, … are OLE files (docx, xlsx, … are the newer file format: XML inside ZIP).
Installation
Prerequisites
OleFileIO_PL
$ sudo pip install OleFileIO_PL
Yara (optional)
Refer to this page.
Installation of oledump
$ mkdir -p /data/tools/oledump/
$ cd /data/tools/oledump/
$ wget http://didierstevens.com/files/software/oledump_V0_0_16.zip
$ unzip oledump_V0_0_16.zip
Usage
Syntax
Usage: oledump.py [options] [file]
Options
- --version
- show program's version number and exit
- -h, --help
- show this help message and exit
- -m, --man
- Print manual
- -s SELECT, --select=SELECT
- select item nr for dumping (a for all)
- -d, --dump
- perform dump
- -x, --hexdump
- perform hex dump
- -a, --asciidump
- perform ascii dump
- -v, --vbadecompress
- VBA decompression
- -r, --raw
- read raw file (use with options -v or -p)
- -e, --extract
- extract OLE embedded file
- -i, --info
- print extra info for selected item
- -p PLUGINS, --plugins=PLUGINS
- plugins to load (separate plugins with a comma , ; @file supported)
- --pluginoptions=PLUGINOPTIONS
- options for the plugin
- -q, --quiet
- only print output from plugins
- -y YARA, --yara=YARA
- YARA rule-file, @file or directory to check streams (YARA search doesn't work with -s option)
- -D DECODERS, --decoders=DECODERS
- decoders to load (separate decoders with a comma , ; @file supported)
- --decoderoptions=DECODEROPTIONS
- options for the decoder
- --yarastrings
- Print YARA strings
- -M, --metadata
- Print metadata
- -c, --calc
- Add extra calculated data to output, like hashes
- --decompress
- Search for compressed data in the stream and decompress it
- --verbose
- verbose output for plugins and decoders
Use cases
List streams
$ ./oledump.py /data/tmp/3e2c3e6904dda6fb9174713a34f44126
  1:      1376 'PROJECT'
  2:       614 'PROJECTwm'
  3: m     999 'VBA/Class1'
  4: m    1000 'VBA/Class10'
  5: m    1000 'VBA/Class11'
  6: m    1000 'VBA/Class12'
  7: m    1000 'VBA/Class13'
  8: m    1000 'VBA/Class14'
  9: m    1000 'VBA/Class15'
 10: m    1000 'VBA/Class16'
 11: m    1000 'VBA/Class17'
 12: m    1000 'VBA/Class18'
 13: m    1000 'VBA/Class19'
 14: m     999 'VBA/Class2'
 15: m    1000 'VBA/Class20'
 16: m    1000 'VBA/Class21'
 17: m    1000 'VBA/Class22'
 18: m    1000 'VBA/Class23'
 19: m    1000 'VBA/Class24'
 20: m     999 'VBA/Class3'
 21: m     999 'VBA/Class4'
 22: m     999 'VBA/Class5'
 23: m     999 'VBA/Class6'
 24: m     999 'VBA/Class7'
 25: m     999 'VBA/Class8'
 26: m     999 'VBA/Class9'
 27: M   13185 'VBA/Module1'
 28: M    1384 'VBA/ThisDocument'
 29:      6942 'VBA/_VBA_PROJECT'
 30:      1154 'VBA/dir'
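In the listing above, oledump marks VBA module streams with an indicator: an uppercase M means the stream contains macro code, a lowercase m means it only holds module attributes. The code in an M stream is stored in the MS-OVBA compressed container format, which is what the -v (--vbadecompress) option unpacks before you can read the source. The following Python is an added example, not code from oledump or from this page: it implements that decompression so an analyst can see what -v does with a stream, plus a small scan that tries each 0x01 byte as a container start (the real text offset lives in the VBA/dir stream; trying candidates is an assumption that is good enough for triage). The sample containers are constructed inline for the demonstration.

```python
import math


def decompress_vba(compressed: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container (what oledump -v does).

    Layout: one signature byte 0x01, then chunks. Each chunk starts with a
    2-byte little-endian header: bits 0-11 = chunk size minus 3, bits 12-14
    = 0b011, bit 15 = 1 if the chunk data is compressed. Compressed data is
    a series of flag bytes, each followed by up to 8 tokens: a literal byte
    (flag bit 0) or a 2-byte copy token (flag bit 1) that repeats bytes
    already produced in this chunk. Malformed input raises ValueError so a
    caller scanning for the container start can move on to the next offset.
    """
    if not compressed or compressed[0] != 0x01:
        raise ValueError("missing container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(compressed):
        if pos + 2 > len(compressed):
            raise ValueError("truncated chunk header")
        header = int.from_bytes(compressed[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature bits")
        chunk_end = pos + (header & 0x0FFF) + 3
        if chunk_end > len(compressed):
            raise ValueError("chunk runs past end of data")
        is_compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)  # decompressed offset where this chunk begins
        if not is_compressed:
            # Raw chunk: the bytes after the header are stored verbatim.
            out += compressed[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = compressed[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(compressed[pos])  # literal token
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token")
                token = int.from_bytes(compressed[pos:pos + 2], "little")
                pos += 2
                # How the 16 token bits split between offset and length depends
                # on how much of this chunk is already decompressed (CopyTokenHelp).
                difference = len(out) - chunk_start
                if difference == 0:
                    raise ValueError("copy token before any literal in chunk")
                bit_count = max(math.ceil(math.log2(difference)), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > difference:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):  # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def search_and_decompress(stream: bytes, marker: bytes = b"Attribute"):
    """Try every 0x01 byte in a module stream as a container start and return
    (offset, source) for the first one whose output looks like VBA source.
    Module source starts with 'Attribute' lines, hence the marker check.
    Assumption: scanning candidates instead of reading the dir stream offset."""
    for offset, byte in enumerate(stream):
        if byte != 0x01:
            continue
        try:
            source = decompress_vba(stream[offset:])
        except ValueError:
            continue
        if source.startswith(marker):
            return offset, source
    return None


# Constructed sample: one compressed chunk holding 8 literals followed by a
# copy token that repeats all 8 (offset 8, length 8). Hand-assembled.
SAMPLE_COPY = (
    bytes([0x01,          # container signature
           0x0B, 0xB0,    # header 0xB00B: compressed, sig 0b011, size 14-3=11
           0x00])         # flag byte: next 8 tokens are literals
    + b"ABCDEFGH"
    + bytes([0x01,        # flag byte: first token is a copy token
             0x05, 0x70]) # token 0x7005 with bit_count 4: length 5+3, offset 7+1
)


def literal_container(plaintext: bytes) -> bytes:
    """Build a container that stores plaintext with literal tokens only.
    Used here to construct test input; not an efficient compressor."""
    assert 0 < len(plaintext) <= 4096
    data = b"".join(b"\x00" + plaintext[i:i + 8] for i in range(0, len(plaintext), 8))
    header = 0x8000 | 0x3000 | (len(data) + 2 - 3)
    return b"\x01" + header.to_bytes(2, "little") + data


if __name__ == "__main__":
    print(decompress_vba(SAMPLE_COPY))
    src = b'Attribute VB_Name = "Module1"\r\nSub Main()\r\nEnd Sub\r\n'
    print(search_and_decompress(b"\x00\x00\x01xx" + literal_container(src)))
```

On a real document you would feed search_and_decompress the bytes of an M-marked stream (for example what oledump -s 27 -d writes out) and compare the result with oledump -s 27 -v; the Attribute lines at the top are the module header that every VBA module carries.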
Comments
Keywords: oledump ole doc xls ppt macro