decalage2/oletools

NUL-Bytes in olevba output: Bug or Feature?

albrechtd opened this issue · 0 comments

Affected tool:
olevba version 0.60.1

Describe the bug
Running some malware files through olevba prints NUL bytes to the output, which makes parsing it by other tools (where NUL terminates a string) difficult. E.g., for the attached sample, olevba malware.xls produces (note offset 0x202):

[…]
000001e0  6b 73 68 65 65 74 20 6f  72 20 64 69 61 6c 6f 67  |ksheet or dialog|
000001f0  20 73 68 65 65 74 2c 20  76 69 73 69 62 6c 65 20  | sheet, visible |
00000200  2d 20 00 53 68 65 65 0a  27 20 30 30 38 35 20 20  |- .Shee.' 0085  |

I am not sure if this is actually correct, though, i.e. if the script actually contains these NUL bytes.

File/Malware sample to reproduce the bug
Sample: sample.zip
Password: InFeCtEd

How To Reproduce the bug
See above.

Expected behavior
If the NUL characters in the output are not a bug, it would be cool to have a command line option to replace them with something else (e.g. the Unicode character U+2400 SYMBOL FOR NULL) or to omit them completely.

Version information:

  • OS: Linux
  • OS Debian Bullseye/64
  • Python version: 3.9.2
  • oletools version: 0.60.1
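
Until such an option exists, the output can be post-processed before it reaches NUL-sensitive parsers. The filter below is an added example, not part of the original issue or of oletools: it reports where NUL bytes occur and either replaces them with U+2400 or drops them. The function names, the `base` parameter and the `replace`/`strip` mode names are assumptions made for this sketch, and it assumes the captured output is UTF-8.

```python
import sys

# U+2400 SYMBOL FOR NULL, the replacement suggested in the issue, as UTF-8.
SYMBOL_FOR_NULL = "\u2400".encode("utf-8")


def find_nul_offsets(data: bytes, base: int = 0) -> list:
    """Byte offset of every NUL in data, counted from `base` (as hexdump -C shows)."""
    return [base + i for i, b in enumerate(data) if b == 0]


def sanitize(data: bytes, mode: str = "replace") -> bytes:
    """mode='replace' swaps each NUL for U+2400; mode='strip' removes it.

    Working on bytes is safe for UTF-8 text: 0x00 never occurs inside a
    multi-byte sequence, so no other character can be damaged.
    """
    if mode == "replace":
        return data.replace(b"\x00", SYMBOL_FOR_NULL)
    if mode == "strip":
        return data.replace(b"\x00", b"")
    raise ValueError("unknown mode: %r" % mode)


# Constructed sample: the 16 bytes shown at offset 0x200 in the hexdump above.
SAMPLE = bytes.fromhex("2d 20 00 53 68 65 65 0a 27 20 30 30 38 35 20 20")


if __name__ == "__main__":
    # Hypothetical usage: olevba malware.xls | python3 nulfilter.py [replace|strip]
    mode = sys.argv[1] if len(sys.argv) > 1 else "replace"
    raw = sys.stdin.buffer.read()
    for off in find_nul_offsets(raw):
        print("NUL byte at offset 0x%08x" % off, file=sys.stderr)
    sys.stdout.buffer.write(sanitize(raw, mode))
```

The offsets go to stderr so the cleaned stream on stdout can be piped straight into the next tool.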