Skip to content

Clam 571 sigtool vba extraction improvements#852

Merged
val-ms merged 1 commit intoCisco-Talos:mainfrom
ragusaa:CLAM-571-ThisProbablyWontWork
Mar 30, 2023
Merged

Clam 571 sigtool vba extraction improvements#852
val-ms merged 1 commit intoCisco-Talos:mainfrom
ragusaa:CLAM-571-ThisProbablyWontWork

Conversation

@ragusaa
Copy link
Contributor

@ragusaa ragusaa commented Mar 6, 2023
edited by val-ms
Loading

This PR deduplicates some vba extraction logic so sigtool works the same way libclamav does, and so it can extract more things.

@ragusaa ragusaa force-pushed the CLAM-571-ThisProbablyWontWork branch 9 times, most recently from e372a80 to 06cdd46 Compare March 10, 2023 22:37
@val-ms val-ms changed the title Clam 571 this probably wont work Clam 571 sigtool vba extraction improvements Mar 20, 2023
@val-ms
Copy link
Contributor

val-ms commented Mar 21, 2023

In testing I tried using the --vba-hex=FILE option and it failed:


❯ ./install/bin/sigtool --vba-hex=$HOME/Downloads/1b96c0ad7ce83a573ec7770435655fa2c82c42ea43bd012dd0b64444941c9432
scanfile: Invalid args.

@ragusaa ragusaa force-pushed the CLAM-571-ThisProbablyWontWork branch from c000ec8 to aed8895 Compare March 21, 2023 15:58
@ragusaa
Copy link
Contributor Author

ragusaa commented Mar 21, 2023

Good catch, just pushed an update

@ragusaa ragusaa force-pushed the CLAM-571-ThisProbablyWontWork branch 2 times, most recently from 070fabc to 67ddb36 Compare March 22, 2023 19:32
val-ms
val-ms requested changes Mar 22, 2023
View reviewed changes
@ragusaa ragusaa force-pushed the CLAM-571-ThisProbablyWontWork branch from 32b4737 to 5801dfb Compare March 23, 2023 18:03
ragusaa
ragusaa commented Mar 23, 2023
View reviewed changes
val-ms
val-ms requested changes Mar 23, 2023
View reviewed changes
@ragusaa ragusaa force-pushed the CLAM-571-ThisProbablyWontWork branch from 258ac87 to 49592f1 Compare March 28, 2023 04:23
@val-ms val-ms mentioned this pull request Mar 28, 2023
Merged
@ragusaa ragusaa force-pushed the CLAM-571-ThisProbablyWontWork branch 4 times, most recently from 9314e36 to f4c21fb Compare March 29, 2023 23:17
@val-ms val-ms force-pushed the CLAM-571-ThisProbablyWontWork branch 2 times, most recently from 53db585 to d6796d0 Compare March 30, 2023 04:25
@ragusaa @val-ms
Sigtool: Add vba macro support for OOXML files
4747786 
Add a new cl_engine_set_clcb_vba() function to set a cb_vba callback
function and add clcb_generic_data handler prototype to the clamav.h
public API.

The cb_vba callback function will be run whenever VBA is extracted from
office documents. The provided data will be a normalized copy of the
original VBA. This callback is added to support Sigtool so it can use
the same VBA extraction logic as when scanning documents.

Change the Sigtool temp directory creation for any commands that use
temp directories so that you can select a custom temp directory with the
`--tempdir=PATH` option, and can retain the temp files with the
`--leave-temps` option.

Added `--tempdir` and `--leave-temps` to the Sigtool `--help` output.
Added `--tempdir` and `--leave-temps` to the Sigtool manpage.
@val-ms val-ms force-pushed the CLAM-571-ThisProbablyWontWork branch from d6796d0 to 4747786 Compare March 30, 2023 04:29
@val-ms val-ms merged commit f683571 into Cisco-Talos:main Mar 30, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@val-ms val-ms val-ms approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ragusaa @val-ms