Module refinery.units.formats.office.vbapc
from __future__ import annotations
from refinery.lib.types import Param
from refinery.units import Arg
from refinery.units.formats import PathExtractorUnit, UnpackResult
class vbapc(PathExtractorUnit):
    """
    Extract and decompile VBA macro p-code from Office documents.

    This unit is specifically useful for macro documents that use VBA code stomping, i.e.
    the embedded macro source code is stomped and does not represent the p-code
    functionality that the document will actually execute. Use the -R flag to get raw
    disassembled p-code instead of decompiled output.
    """
    # NOTE(review): p-code is tied to the VBA/Office version that compiled it, and a host
    # running a different version is generally understood to recompile the stored source
    # instead. During triage, compare this unit's output against the extracted macro source;
    # a mismatch between the two is the stomping indicator. Neither one alone settles what
    # a given host would run.

    @classmethod
    def handles(cls, data) -> bool:
        """
        Report whether the input begins with the four bytes D0 CF 11 E0.
        """
        # These are the leading bytes of the OLE2 compound file signature. Only this 4-byte
        # prefix is compared; nothing else about the container is validated here. A ZIP-based
        # OOXML file starts with different bytes and therefore does not match this check.
        ole_prefix = B'\xD0\xCF\x11\xE0'
        return data[:4] == ole_prefix

    def __init__(
        self,
        *paths,
        raw: Param[bool, Arg.Switch('-R', help='Return disassembled p-code, do not try to decompile.')] = False,
        **keywords,
    ):
        # All arguments, including the -R switch, are forwarded unchanged to the base class.
        super().__init__(*paths, raw=raw, **keywords)

    def unpack(self, data):
        """
        Yield one UnpackResult per VBA module that produces non-blank output.

        With -R the disassembly listing is emitted; otherwise the module is passed through
        the decompiler. The text is encoded with the unit's codec before it is yielded.
        """
        # Deferred import, as in the original: the OLE helpers are only loaded on first use.
        from refinery.lib.ole.pcode import PCodeDisassembler, format_pcode_text

        for entry in PCodeDisassembler(data).iter_modules():
            if not self.args.raw:
                # The decompiler is imported only on this branch, so -R never loads it.
                from refinery.lib.ole.decompiler import PCodeParser
                text = PCodeParser().decompile_module(entry)
            else:
                # The literal 0 is passed through as in the original; its meaning is defined
                # by format_pcode_text, which is not shown here.
                text = format_pcode_text(entry.path, 0, entry.lines)
            # Modules whose output is empty or whitespace-only are skipped without a log
            # message, so they will not appear in the listing of extracted paths.
            if text.strip():
                yield UnpackResult(entry.path, text.encode(self.codec))
Classes
class vbapc (*paths, raw=False, path=b'path', regex=False, exact=False, fuzzy=0, drop_path=False, join_path=False, list=False)-
Extract and decompile VBA macro p-code from Office documents.
This unit is specifically useful for macro documents that use VBA code stomping, i.e. the embedded macro source code is stomped and does not represent the p-code functionality that the document will actually execute. Use the -R flag to get raw disassembled p-code instead of decompiled output.
class vbapc(PathExtractorUnit):
    """
    Extract and decompile VBA macro p-code from Office documents.

    This unit is specifically useful for macro documents that use VBA code stomping, i.e.
    the embedded macro source code is stomped and does not represent the p-code
    functionality that the document will actually execute. Use the -R flag to get raw
    disassembled p-code instead of decompiled output.
    """

    @classmethod
    def handles(cls, data) -> bool:
        """
        Return True when the first four bytes of the input are D0 CF 11 E0.
        """
        # Prefix of the OLE2 compound file signature; this is a cheap format hint and not a
        # structural validation of the document.
        head = data[:4]
        return head == B'\xD0\xCF\x11\xE0'

    def __init__(
        self,
        *paths,
        raw: Param[bool, Arg.Switch('-R', help='Return disassembled p-code, do not try to decompile.')] = False,
        **keywords,
    ):
        # Nothing is stored locally; the base class receives every argument as given.
        super().__init__(*paths, raw=raw, **keywords)

    def unpack(self, data):
        """
        Walk the VBA modules found by the p-code disassembler and yield their text.

        Each yielded UnpackResult carries the module path and either the raw p-code
        listing (-R) or the decompiled module, encoded with the unit's codec.
        """
        # Imported inside the method, matching the original's lazy-loading behaviour.
        from refinery.lib.ole.pcode import PCodeDisassembler, format_pcode_text

        modules = PCodeDisassembler(data).iter_modules()
        for mod in modules:
            if self.args.raw:
                listing = format_pcode_text(mod.path, 0, mod.lines)
            else:
                # Loaded only when decompilation is requested.
                from refinery.lib.ole.decompiler import PCodeParser
                listing = PCodeParser().decompile_module(mod)
            # Both the path and the text come from the input document, so downstream
            # consumers should treat them as untrusted data.
            if listing.strip():
                yield UnpackResult(mod.path, listing.encode(self.codec))
Subclasses
Class variables
var reverse-
The type of the None singleton.
Methods
def unpack(self, data)-
def unpack(self, data):
    """
    Yield an UnpackResult for every VBA module whose rendered p-code is not blank.

    When self.args.raw is set, the disassembled p-code listing is produced; otherwise
    the module is handed to the decompiler. Output is encoded with self.codec.
    """
    # Function-scope import, as in the original, so the OLE code loads only when needed.
    from refinery.lib.ole.pcode import PCodeDisassembler, format_pcode_text

    for item in PCodeDisassembler(data).iter_modules():
        if self.args.raw:
            rendered = format_pcode_text(item.path, 0, item.lines)
        else:
            # The decompiler module is imported only on the non-raw path.
            from refinery.lib.ole.decompiler import PCodeParser
            rendered = PCodeParser().decompile_module(item)
        # Whitespace-only results are dropped silently; such modules yield nothing.
        if not rendered.strip():
            continue
        yield UnpackResult(item.path, rendered.encode(self.codec))
Inherited members
PathExtractorUnit:CustomJoinBehaviourCustomPathSeparatorFilterEverythingRequiresactassemblecodecconsolefilterfinishhandlesis_quietis_reversibleisattylabelledleniencylog_alwayslog_debuglog_detachlog_faillog_infolog_levellog_warnloggernamenozzleoptional_dependenciesreadread1required_dependenciesresetrunsourcesuperinit
UnitBase: