updated doc folder

decalage2 · Jul 2, 2024 · 82b53b3 · 82b53b3
1 parent e70b9d8
commit 82b53b3
Show file tree

Hide file tree

Showing 21 changed files with 3,663 additions and 906 deletions.
diff --git a/oletools/README.html b/oletools/README.html
diff --git a/oletools/README.rst b/oletools/README.rst
@@ -7,10 +7,19 @@ python-oletools
 python tools to analyze `Microsoft OLE2
 files <http://en.wikipedia.org/wiki/Compound_File_Binary_Format>`__
 (also called Structured Storage, Compound File Binary Format or Compound
-Document File Format), such as Microsoft Office documents or Outlook
-messages, mainly for malware analysis, forensics and debugging. It is
-based on the `olefile <http://www.decalage.info/olefile>`__ parser. See
-http://www.decalage.info/python/oletools for more info.
+Document File Format), such as Microsoft Office 97-2003 documents, MSI
+files or Outlook messages, mainly for malware analysis, forensics and
+debugging. It is based on the
+`olefile <http://www.decalage.info/olefile>`__ parser.
+
+It also provides tools to analyze RTF files and files based on the
+`OpenXML format <https://en.wikipedia.org/wiki/Office_Open_XML>`__ (aka
+OOXML) such as MS Office 2007+ documents, XPS or MSIX files.
+
+For example, oletools can detect, extract and analyse VBA macros, OLE
+objects, Excel 4 macros (XLM) and DDE links.
+
+See http://www.decalage.info/python/oletools for more info.
 
 **Quick links:** `Home
 page <http://www.decalage.info/python/oletools>`__ -
@@ -29,6 +38,24 @@ Software.
 News
 ----
 
+-  **2024-06-27 v0.60.2**:
+
+   -  olevba:
+
+      -  fixed a bug in open_slk (issue #797, PR #769)
+      -  fixed a bug due to new PROJECTCOMPATVERSION record in dir
+         stream (PR #723, issues #700, #701, #725, #791, #808, #811,
+         #833)
+
+   -  oleobj: fixed SyntaxError with Python 3.12 (PR #855),
+      SyntaxWarning (PR #774)
+   -  rtfobj: fixed SyntaxError with Python 3.12 (PR #854)
+   -  clsid: added CLSIDs for MSI, Zed
+   -  ftguess: added MSI, PNG and OneNote formats
+   -  pyxswf: fixed python 3.12 compatibility (PR #841, issue #813)
+   -  setup/requirements: allow pyparsing 3 to solve install issues (PR
+      #812, issue #762)
+
 -  **2022-05-09 v0.60.1**:
 
    -  olevba:
@@ -79,104 +106,6 @@ News
    -  setup: XLMMacroDeobfuscator, xlrd2 and pyxlsb2 added as optional
       dependencies
 
--  **2021-05-07 v0.56.2**:
-
-   -  olevba:
-
-      -  updated plugin_biff to v0.0.22 to fix a bug (issues #647, #674)
-
-   -  olevba, mraptor:
-
-      -  added detection of Workbook_BeforeClose (issue #518)
-
-   -  rtfobj:
-
-      -  fixed bug when OLE package class name ends with null characters
-         (issue #507, PR #648)
-
-   -  oleid:
-
-      -  fixed bug in check_excel (issue #584, PR #585)
-
-   -  clsid:
-
-      -  added several CLSIDs related to MS Office click-to-run issue
-         CVE-2021-27058
-      -  added checks to ensure that all CLSIDs are uppercase (PR #678)
-
--  **2021-04-02 v0.56.1**:
-
-   -  olevba:
-
-      -  fixed bug when parsing some malformed files (issue #629)
-
-   -  oleobj:
-
-      -  fixed bug preventing detection of links 'externalReference',
-         'frame', 'hyperlink' (issue #641, PR #670)
-
-   -  setup:
-
-      -  avoid installing msoffcrypto-tool when platform is PyPy+Windows
-         (issue #473)
-      -  PyPI version is now a wheel package to improve installation and
-         avoid antivirus false positives due to test files (issues #215,
-         #398)
-
--  **2020-09-28 v0.56**:
-
-   -  olevba/mraptor:
-
-      -  added detection of trigger \_OnConnecting
-
-   -  olevba:
-
-      -  updated plugin_biff to v0.0.17 to improve Excel 4/XLM macros
-         parsing
-      -  added simple analysis of Excel 4/XLM macros in XLSM files (PR
-         #569)
-      -  added detection of template injection (PR #569)
-      -  added detection of many suspicious keywords (PR #591 and #569,
-         see https://www.certego.net/en/news/advanced-vba-macros/)
-      -  improved MHT detection (PR #532)
-      -  added --no-xlm option to disable Excel 4/XLM macros parsing (PR
-         #532)
-      -  fixed bug when decompressing raw chunks in VBA (issue #575)
-      -  fixed bug with email package due to monkeypatch for MHT parsing
-         (issue #602, PR #604)
-      -  fixed option --relaxed (issue #596, PR #595)
-      -  enabled relaxed mode by default (issues #477, #593)
-      -  fixed detect_vba_macros to always return VBA code as unicode on
-         Python 3 (issues #455, #477, #587, #593)
-      -  replaced option --pcode by --show-pcode and --no-pcode,
-         replaced optparse by argparse (PR #479)
-
-   -  oleform: improved form parsing (PR #532)
-   -  oleobj: "Ole10Native" is now case insensitive (issue #541)
-   -  clsid: added PDF (issue #552), Microsoft Word Picture (issue #571)
-   -  ppt_parser: fixed bug on Python 3 (issues #177, #607, PR #450)
-
--  **2019-12-03 v0.55**:
-
-   -  olevba:
-
-      -  added support for SLK files and XLM macro extraction from SLK
-      -  VBA Stomping detection
-      -  integrated pcodedmp to extract and disassemble P-code
-      -  detection of suspicious keywords and IOCs in P-code
-      -  new option --pcode to display P-code disassembly
-      -  improved detection of auto execution triggers
-
-   -  rtfobj: added URL carver for CVE-2017-0199
-   -  better handling of unicode for systems with locale that does not
-      support UTF-8, e.g. LANG=C (PR #365)
-   -  tests:
-
-      -  test files can now be encrypted, to avoid antivirus alerts (PR
-         #217, issue #215)
-      -  tests that trigger antivirus alerts have been temporarily
-         disabled (issue #215)
-
 See the `full
 changelog <https://github.com/decalage2/oletools/wiki/Changelog>`__ for
 more information.
@@ -229,19 +158,25 @@ Projects using oletools:
 
 oletools are used by a number of projects and online malware analysis
 services, including `ACE <https://github.com/IntegralDefense/ACE>`__,
+`ADAPT <https://www.blackhat.com/eu-23/briefings/schedule/index.html#unmasking-apts-an-automated-approach-for-real-world-threat-attribution-35162>`__,
 `Anlyz.io <https://sandbox.anlyz.io/>`__,
-`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__,
+`AssemblyLine <https://www.cse-cst.gc.ca/en/assemblyline>`__, `Binary
+Refinery <https://github.com/binref/refinery>`__,
 `CAPE <https://github.com/ctxis/CAPE>`__,
-`CinCan <https://cincan.io>`__, `Cuckoo
-Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
+`CinCan <https://cincan.io>`__, `Cortex XSOAR (Palo
+Alto) <https://cortex.marketplace.pan.dev/marketplace/details/Oletools/>`__,
+`Cuckoo Sandbox <https://github.com/cuckoosandbox/cuckoo>`__,
 `DARKSURGEON <https://github.com/cryps1s/DARKSURGEON>`__,
 `Deepviz <https://sandbox.deepviz.com/>`__,
 `DIARIO <https://diario.elevenpaths.com/>`__,
 `dridex.malwareconfig.com <https://dridex.malwareconfig.com>`__, `EML
 Analyzer <https://github.com/ninoseki/eml_analyzer>`__,
+`EXPMON <https://pub.expmon.com/>`__,
 `FAME <https://certsocietegenerale.github.io/fame/>`__,
-`FLARE-VM <https://github.com/fireeye/flare-vm>`__,
-`Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__,
+`FLARE-VM <https://github.com/fireeye/flare-vm>`__, `GLIMPS
+Malware <https://www.glimps.fr/en/glimps-malware-2/>`__,
+`Hybrid-analysis.com <https://www.hybrid-analysis.com/>`__, `InQuest
+Labs <https://labs.inquest.net/>`__,
 `IntelOwl <https://github.com/certego/IntelOwl>`__, `Joe
 Sandbox <https://www.document-analyzer.net/>`__, `Laika
 BOSS <https://github.com/lmco/laikaboss>`__,
@@ -256,6 +191,9 @@ Repository Framework (MRF) <https://www.adlice.com/download/mrf/>`__,
 `PeekabooAV <https://github.com/scVENUS/PeekabooAV>`__,
 `pcodedmp <https://github.com/bontchev/pcodedmp>`__,
 `PyCIRCLean <https://github.com/CIRCL/PyCIRCLean>`__,
+`QFlow <https://www.quarkslab.com/products-qflow/>`__,
+`Qu1cksc0pe <https://github.com/CYB3RMX/Qu1cksc0pe>`__, `Tylabs
+QuickSand <https://github.com/tylabs/quicksand>`__,
 `REMnux <https://remnux.org/>`__,
 `Snake <https://github.com/countercept/snake>`__,
 `SNDBOX <https://app.sndbox.com>`__, `Splunk add-on for MS O365
@@ -264,8 +202,10 @@ Email <https://splunkbase.splunk.com/app/5365/>`__,
 `Strelka <https://github.com/target/strelka>`__,
 `stoQ <https://stoq.punchcyber.com/>`__, `Sublime
 Platform/MQL <https://docs.sublimesecurity.com/docs/enrichment-functions>`__,
+`Subparse <https://github.com/jstrosch/subparse>`__,
 `TheHive/Cortex <https://github.com/TheHive-Project/Cortex-Analyzers>`__,
-`TSUGURI Linux <https://tsurugi-linux.org/>`__,
+`ThreatBoook <https://s.threatbook.com/>`__, `TSUGURI
+Linux <https://tsurugi-linux.org/>`__,
 `Vba2Graph <https://github.com/MalwareCantFly/Vba2Graph>`__,
 `Viper <http://viper.li/>`__,
 `ViperMonkey <https://github.com/decalage2/ViperMonkey>`__,
@@ -337,7 +277,7 @@ This license applies to the python-oletools package, apart from the
 thirdparty folder which contains third-party files published with their
 own license.
 
-The python-oletools package is copyright (c) 2012-2022 Philippe Lagadec
+The python-oletools package is copyright (c) 2012-2024 Philippe Lagadec
 (http://www.decalage.info)
 
 All rights reserved.