NUL-Bytes in olevba output: Bug or Feature?
albrechtd opened this issue · 0 comments
Affected tool:
olevba version 0.60.1
Describe the bug
Running some malware files through olevba prints NUL bytes to the output which makes parsing it by other tools (where NUL terminates a string) difficult. E.g. for the attached sample olevba malware.xls produces (note offset 0x202):
[…]
000001e0 6b 73 68 65 65 74 20 6f 72 20 64 69 61 6c 6f 67 |ksheet or dialog|
000001f0 20 73 68 65 65 74 2c 20 76 69 73 69 62 6c 65 20 | sheet, visible |
00000200 2d 20 00 53 68 65 65 0a 27 20 30 30 38 35 20 20 |- .Shee.' 0085 |
I am not sure if this is actually correct, though, i.e. if the script actually contains these NUL bytes.
File/Malware sample to reproduce the bug
Sample: sample.zip
Password: InFeCtEd
How To Reproduce the bug
See above.
Expected behavior
If the NUL characters in the output are not a bug, it would be cool to have a command line option to replace them by something else (e.g. the Unicode character U+2400 SYMBOL FOR NULL) or to omit them completely.
Version information:
- OS: Linux
- OS Debian Bullseye/64
- Python version: 3.9.2
- oletools version: 0.60.1
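
The two behaviours requested above (replace NUL with U+2400, or omit it) can be applied downstream as a pipe filter. This is an added example, not part of the issue and not an olevba option; the function names, the mode names and the sample bytes (copied from the hexdump row at 0x200) are assumptions made for illustration.

```python
import sys

# Constructed sample: the 16 bytes at offset 0x200 in the hexdump quoted in the issue.
SAMPLE = bytes.fromhex("2d 20 00 53 68 65 65 0a 27 20 30 30 38 35 20 20")
NUL_PICTURE = "\u2400".encode("utf-8")  # U+2400 SYMBOL FOR NULL, as UTF-8


def sanitize(data, mode="picture", base=0):
    """Return (cleaned bytes, absolute offsets of every NUL byte in data).

    mode "picture" replaces each NUL with U+2400, mode "omit" drops it.
    Working on bytes is safe for UTF-8 text: 0x00 never occurs inside a
    multi-byte sequence, so no other character can be damaged.
    """
    if mode not in ("picture", "omit"):
        raise ValueError("mode must be 'picture' or 'omit'")
    out, offsets = bytearray(), []
    for i, b in enumerate(data):
        if b == 0:
            offsets.append(base + i)
            if mode == "picture":
                out += NUL_PICTURE
        else:
            out.append(b)
    return bytes(out), offsets


def filter_stream(src, dst, mode="picture", chunk=65536):
    """Copy src to dst in chunks, sanitizing NULs; return all NUL offsets."""
    found, pos = [], 0
    while True:
        block = src.read(chunk)
        if not block:
            return found
        clean, offsets = sanitize(block, mode, base=pos)
        dst.write(clean)
        found.extend(offsets)
        pos += len(block)


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "picture"
    hits = filter_stream(sys.stdin.buffer, sys.stdout.buffer, mode)
    if hits:  # report on stderr so the cleaned stream stays parseable
        print(f"{len(hits)} NUL byte(s), first at offset {hits[0]:#x}",
              file=sys.stderr)
```

Saved under a name of your choice, the script reads olevba's output on stdin and takes `picture` or `omit` as its only argument. The offsets it reports on stderr let the consuming tool record that the original output was altered.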