
OfficePurge

VBA purge your Office documents with OfficePurge. VBA purging removes the compiled P-code (the PerformanceCache that precedes the compressed source code in each module stream) from the VBA module streams of an Office document, leaving only the source. Office recompiles the source when the stored P-code does not match the host's VBA version, so the macro still runs, while AV signatures and YARA rules written against the compiled code no longer match. Documents that contain only source code and no compiled code are therefore more likely to evade AV detection and YARA rules. Read more here.

OfficePurge supports VBA purging Microsoft Office Word (.doc), Excel (.xls), and Publisher (.pub) documents, all of which are OLE compound file formats. Original and purged documents for each supported file type, each carrying a macro that spawns calc.exe, can be found in the sample-data folder.

Author: Andrew Oliveau (@AndrewOliveau)

INSTALLATION/BUILDING

Pre-Compiled

  • Use the pre-compiled binary in the Releases section

Building Yourself

Take the steps below to set up Visual Studio in order to compile the project yourself. The build requires a couple of .NET libraries that can be installed from the NuGet package manager.

Libraries Used

The following third-party libraries are used in this project.

Library                 URL                                                    License
OpenMCDF                https://github.com/ironfede/openmcdf                   MPL-2.0
Fody                    https://github.com/Fody/Fody                           MIT
Kavod.Vba.Compression   https://github.com/rossknudsen/Kavod.Vba.Compression   MIT

Steps to Build

  • This project requires .NET Framework 4.7
  • Load the Visual Studio project and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
  • In the settings dialog go to "NuGet Package Manager" --> "Package Sources"
  • Add a package source with the URL "https://api.nuget.org/v3/index.json"
  • Install the Costura.Fody NuGet package from the Package Manager Console. The older Costura.Fody release (3.3.3) is pinned so that the project builds without Visual Studio 2019.
    • Install-Package Costura.Fody -Version 3.3.3
  • Install OpenMcdf, which is used to manipulate Microsoft Compound Document Files. OpenMcdf version 2.2.1.3 is pinned so that the current code works correctly.
    • Install-Package OpenMcdf -Version 2.2.1.3
  • Install Fody
    • Install-Package Fody -Version 4.0.2
  • You can now modify and build the project yourself!

ARGUMENTS/OPTIONS

  • -d - Document type to VBA purge (word, excel, publisher)
  • -f - Document filename to VBA purge
  • -m - Module within the document to VBA purge (e.g. Module1)
  • -l - List modules in a document
  • -h - Show help menu

EXAMPLES

  • OfficePurge.exe -d word -f .\malicious.doc -m NewMacros
  • OfficePurge.exe -d excel -f .\payroll.xls -m Module1
  • OfficePurge.exe -d publisher -f .\donuts.pub -m ThisDocument
  • OfficePurge.exe -d word -f .\malicious.doc -l
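The following Python script is an added illustration of what the introduction's "removes P-code from module streams" and the -l / -m options above amount to at the byte level. It is not OfficePurge's own code (the project is C# on OpenMcdf) and it does not touch the OLE compound file at all: it works on the raw bytes of the dir stream and the module streams that a tool would read from the VBA storage and write back. Everything else is an assumption made for the example: the macro source, the 300 bytes of stand-in P-code and the minimal dir stream are constructed by build_sample(); the compressor emits only literal tokens (still a valid MS-OVBA container, just larger than Office's), and the 7-byte replacement _VBA_PROJECT stream with Version 0xFFFF is this example's choice of a version no host will accept.

```python
"""VBA purging on the raw streams of a 'VBA' storage, following MS-OVBA layouts.
Constructed sample data: build_sample() fabricates the macro source, stand-in
P-code bytes and a minimal dir stream; nothing is read from a real document.
Moving the streams in and out of the OLE compound file is not shown."""
import struct

MODULENAME, MODULEOFFSET, PROJECTVERSION = 0x0019, 0x0031, 0x0009
# 7-byte _VBA_PROJECT header (Reserved1 0x61CC, Version, Reserved2, Reserved3); Version 0xFFFF
# matches no VBA host, so any cache is distrusted. The value is this example's assumption.
MINIMAL_VBA_PROJECT = bytes.fromhex("cc61ffff000000")

def decompress(container: bytes) -> bytes:
    """MS-OVBA 2.4.1 'Compressed Container' decoder: raw chunks, literal and copy tokens."""
    if not container or container[0] != 0x01:
        raise ValueError("missing container signature byte 0x01")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        chunk_end = pos + (header & 0x0FFF) + 3            # CompressedChunkSize
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                              # flag 0: uncompressed 4096-byte chunk
            out += container[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:                               # flag byte, then up to 8 tokens
            flags, pos = container[pos], pos + 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if (flags >> bit) & 1:                       # CopyToken: back-reference
                    token = struct.unpack_from("<H", container, pos)[0]
                    pos += 2
                    bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                    length = (token & (0xFFFF >> bit_count)) + 3
                    offset = (token >> (16 - bit_count)) + 1
                    for _ in range(length):                  # byte-wise: copies may overlap
                        out.append(out[-offset])
                else:                                        # LiteralToken: one byte
                    out.append(container[pos])
                    pos += 1
    return bytes(out)

def compress(data: bytes) -> bytes:
    """Spec-valid container using literal tokens only (Office's encoder also emits copy tokens)."""
    out = bytearray(b"\x01")
    for start in range(0, len(data), 3640):    # 455 sequences * 9 bytes = 4095 <= 4096 per chunk
        body = bytearray()
        for i in range(start, min(start + 3640, len(data)), 8):
            body.append(0x00)                   # flag byte 0: the next 8 tokens are literals
            body += data[i:i + 8]
        out += struct.pack("<H", 0xB000 | (len(body) - 1)) + body   # flag=1, sig=011, size-3
    return bytes(out)

def dir_records(dir_plain: bytes):
    """Yield (Id, data) records from a decompressed dir stream (MS-OVBA 2.3.4.2)."""
    pos = 0
    while pos < len(dir_plain):
        rec_id, size = struct.unpack_from("<HI", dir_plain, pos)
        if rec_id == PROJECTVERSION:            # its Size field is a fixed 4 but 6 bytes follow
            size = 6
        yield rec_id, dir_plain[pos + 6:pos + 6 + size]
        pos += 6 + size

def list_modules(dir_plain: bytes) -> list:
    """[(name, TextOffset)]: compressed source starts at TextOffset; before it is P-code."""
    mods, name = [], None
    for rec_id, data in dir_records(dir_plain):
        if rec_id == MODULENAME:                # real tools also read MODULESTREAMNAME (0x001A)
            name = data.decode("latin-1")
        elif rec_id == MODULEOFFSET:
            mods.append((name, struct.unpack("<I", data)[0]))
    return mods

def purge(streams: dict, dir_stream: bytes, only: str = None):
    """Drop each module's P-code (or just `only`'s), zero its TextOffset, return new streams."""
    purged, out, name = dict(streams), bytearray(), None
    for rec_id, data in dir_records(decompress(dir_stream)):
        if rec_id == MODULENAME:
            name = data.decode("latin-1")
        elif rec_id == MODULEOFFSET and (only is None or name == only):
            purged[name] = streams[name][struct.unpack("<I", data)[0]:]   # keep source only
            data = struct.pack("<I", 0)                                    # source now at offset 0
        size = 4 if rec_id == PROJECTVERSION else len(data)
        out += struct.pack("<HI", rec_id, size) + data
    return purged, compress(bytes(out)), MINIMAL_VBA_PROJECT

def build_sample():
    """Constructed one-module project with 300 bytes of stand-in cache ahead of the source."""
    src = b'Sub AutoOpen()\r\n    Shell "calc.exe"\r\nEnd Sub\r\n'
    cache = b"\xAA" * 300
    records = [(0x0001, struct.pack("<I", 1)),                 # PROJECTSYSKIND: Win32
               (PROJECTVERSION, bytes(6)),
               (MODULENAME, b"NewMacros"),
               (MODULEOFFSET, struct.pack("<I", len(cache))),
               (0x002B, b""), (0x0010, b"")]                  # MODULE and dir terminators
    dir_plain = b"".join(struct.pack("<HI", i, 4 if i == PROJECTVERSION else len(d)) + d
                         for i, d in records)
    return src, {"NewMacros": cache + compress(src)}, compress(dir_plain)
```

Running `src, streams, d = build_sample()` and then `list_modules(decompress(d))` gives `[('NewMacros', 300)]`, the equivalent of a `-l` listing; after `streams, d, vba_project = purge(streams, d, only="NewMacros")` the listing reads `[('NewMacros', 0)]`, the module stream starts directly with the 0x01 container signature, and `decompress(streams["NewMacros"])` still returns the original source. A TextOffset of 0 in every MODULEOFFSET record, a module stream whose first byte is 0x01, and a 7-byte _VBA_PROJECT stream are also the three things to check when verifying that a document really was purged.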

REFERENCES

  • Didier Stevens' VBA purging article here
  • EvilClippy, from which parts of the code are taken, here

Contributors

  • h4wkst3r
  • mikesiko
