https://github.com/mandiant/OfficePurge


# OfficePurge

VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. Documents that only contain source code and no compiled code are more likely to evade AV detection and YARA rules.
Read more here.

OfficePurge supports VBA purging Microsoft Office Word (.doc), Excel (.xls), and Publisher (.pub) documents. Original and purged documents for each supported file type, with a macro that will spawn calc.exe, can be found in the `sample-data` folder.

Author: Andrew Oliveau (@AndrewOliveau)

# INSTALLATION/BUILDING

## Pre-Compiled

* Use the pre-compiled binary in the Releases section

## Building Yourself

Take the steps below to set up Visual Studio in order to compile the project yourself. This requires a couple of .NET libraries that can be installed from the NuGet package manager.

### Libraries Used
The following third-party libraries are used in this project.

| Library | URL | License |
| ------------- | ------------- | ------------- |
| OpenMCDF | [https://github.com/ironfede/openmcdf](https://github.com/ironfede/openmcdf) | MPL-2.0 License |
| Fody | [https://github.com/Fody/Fody](https://github.com/Fody/Fody) | MIT License |
| Kavod.Vba.Compression | [https://github.com/rossknudsen/Kavod.Vba.Compression](https://github.com/rossknudsen/Kavod.Vba.Compression) | MIT License |

### Steps to Build
* This project requires .NET Framework 4.7
* Load the Visual Studio project and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
* Go to "NuGet Package Manager" --> "Package Sources"
* Add a package source with the URL "https://api.nuget.org/v3/index.json"
* Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.
  * `Install-Package Costura.Fody -Version 3.3.3`
* Install OpenMcdf to manipulate Microsoft Compound Document Files. OpenMcdf version 2.2.1.3 is needed so that the current code works correctly.
  * `Install-Package OpenMcdf -Version 2.2.1.3`
* Install Fody
  * `Install-Package Fody -Version 4.0.2`
* You can now modify and build the project yourself!

# ARGUMENTS/OPTIONS
* -d - Document type to VBA purge (word, excel, publisher)
* -f - Document filename to VBA purge
* -m - Module within document to VBA purge (ex. Module1)
* -l - List modules in a document
* -h - Show help menu

# EXAMPLES

* `OfficePurge.exe -d word -f .\malicious.doc -m NewMacros`
* `OfficePurge.exe -d excel -f .\payroll.xls -m Module1`
* `OfficePurge.exe -d publisher -f .\donuts.pub -m ThisDocument`
* `OfficePurge.exe -d word -f .\malicious.doc -l`

# REFERENCES
* Didier Stevens' VBA purging article here
* EvilClippy for parts of code here