idiom / OLEPackagerFormat

Licence: MIT license
OLE Package Format Documentation


OLE Packager File Format

Research and documentation into the OLE Packager format.

The Packager format is a legacy of OLE1. It was designed as a generic OLE embedding server for inserting objects that do not have an associated OLE server of their own, which is why arbitrary files (including executables) can be carried inside a document this way.

Packager objects are embedded or linked using the class name Package (5061636b61676500, i.e. the ASCII string "Package" followed by a NUL).

OLE Packager Data Format

Lengths are given in hex digits as they appear in a hex dump (4 = 2 bytes, 8 = 4 bytes); the multi-byte integer fields are little-endian. Field values are written as the byte sequence seen in the dump.

Name            Length      Description
-------------------------------------------------------------------------------
Header          4           Stream header, always set to 0200
Label           Variable    Label of embedded object, defaults to the filename. (Null terminated)
OrgPath         Variable    Original path of embedded object. (Null terminated)
UType           8           Unknown, possibly a FormatId
                                - Set to 00000300 for embedded objects
                                - Set to 00000100 for linked objects
DataPathLen     8           Length of DataPath
DataPath        Variable    Extract path and file name, defaults to %localappdata%\Temp of the source system. (Null terminated)
DataLen         8           Length of embedded data.
Data            Variable    Embedded data
OrgPathWLen     8           Length of OrgPathW
OrgPathW        Variable    Original path of embedded object. (WChar)
LabelWLen       8           Length of LabelW
LabelW          Variable    Label of embedded object, defaults to the filename. (WChar)
DefPathWLen     8           Length of DefPathW
DefPathW        Variable    Original path of embedded object. (WChar)
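The table above reads as a straightforward sequential parser, and the two places a malicious sample will trip a naive one are the length-prefixed fields (DataPathLen, DataLen) and the trailing wide-char block, which is not always present. The following is an added example written for this page, not the project's psparser.py: it walks the layout field by field, bounds-checks every length against the stream, treats the Unicode tail as optional, and hashes the payload the way the tool's output does. It assumes the trailing WChar length fields count characters rather than bytes (the table does not say), and it accepts an optional 4-byte size prefix because the raw \x01Ole10Native stream carries one (NativeDataSize, per MS-OLEDS) while a carved copy may not. The sample blob is constructed inline and is not from any real document.

```python
"""Parser for the OLE Packager data layout tabulated above (added example,
not the project's psparser.py). The sample blob is constructed here."""
import hashlib
import struct


def _read_cstring(buf, pos):
    """NUL-terminated ANSI string at pos -> (text, position after the NUL)."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % pos)
    return buf[pos:end].decode("latin-1"), end + 1


def _read_lp_bytes(buf, pos):
    """4-byte little-endian length, then that many bytes -> (bytes, next pos).
    The length is checked against the buffer, so a truncated or lying DataLen
    raises instead of silently returning a short payload."""
    if pos + 4 > len(buf):
        raise ValueError("length field at offset %d is missing" % pos)
    (length,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    if pos + length > len(buf):
        raise ValueError("length %d at offset %d runs past end of data" % (length, pos - 4))
    return buf[pos:pos + length], pos + length


def _read_wstring(buf, pos):
    """4-byte LE count, then UTF-16LE text. Assumption: the count is in WCHARs,
    which the table does not state; drop the '2 *' if your samples count bytes."""
    if pos + 4 > len(buf):
        raise ValueError("wide length field at offset %d is missing" % pos)
    (count,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    raw = buf[pos:pos + 2 * count]
    if len(raw) != 2 * count:
        raise ValueError("wide string at offset %d runs past end of data" % (pos - 4))
    return raw.decode("utf-16-le").rstrip("\x00"), pos + 2 * count


def parse_packager(blob):
    """Parse packager data; raise ValueError on a wrong header or truncated stream."""
    pos = 0
    # A raw \x01Ole10Native stream starts with a 4-byte NativeDataSize before the
    # 0200 header (MS-OLEDS); carved data may have lost it, so accept both forms.
    if (len(blob) >= 6 and struct.unpack_from("<I", blob, 0)[0] == len(blob) - 4
            and blob[4:6] == b"\x02\x00"):
        pos = 4
    header = blob[pos:pos + 2]
    if header != b"\x02\x00":
        raise ValueError("not packager data: header %s" % header.hex())
    pos += 2
    label, pos = _read_cstring(blob, pos)
    org_path, pos = _read_cstring(blob, pos)
    utype = blob[pos:pos + 4]            # 00000300 embedded / 00000100 linked, per the table
    pos += 4
    data_path, pos = _read_lp_bytes(blob, pos)   # rstrip below copes with a counted NUL
    data, pos = _read_lp_bytes(blob, pos)
    result = {
        "header": header.hex(),
        "label": label,
        "original_path": org_path,
        "utype": utype.hex(),
        "extract_path": data_path.decode("latin-1").rstrip("\x00"),
        "data_size": len(data),
        "data_sha1": hashlib.sha1(data).hexdigest(),
        "data_md5": hashlib.md5(data).hexdigest(),  # the filename psparser --extract uses
        "data": data,
    }
    # The wide-char copies are treated as optional so a stream cut after Data still parses.
    if pos < len(blob):
        result["original_path_w"], pos = _read_wstring(blob, pos)
        result["label_w"], pos = _read_wstring(blob, pos)
        result["def_path_w"], pos = _read_wstring(blob, pos)
    result["trailing_bytes"] = len(blob) - pos   # non-zero means appended junk or a misparse
    return result


def build_sample():
    """Constructed test vector (not from any real document): a fake PE-looking
    payload wrapped exactly as the table describes, with the stream size prefix."""
    label = b"payload.exe\x00"
    org_path = b"C:\\build\\payload.exe\x00"
    tmp_path = b"C:\\Users\\user\\AppData\\Local\\Temp\\payload.exe\x00"
    data = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(256))

    def wide(text):
        return struct.pack("<I", len(text)) + text.encode("utf-16-le")

    body = (b"\x02\x00" + label + org_path
            + bytes.fromhex("00000300")                   # UType for an embedded object
            + struct.pack("<I", len(tmp_path)) + tmp_path
            + struct.pack("<I", len(data)) + data
            + wide(org_path[:-1].decode()) + wide(label[:-1].decode())
            + wide(tmp_path[:-1].decode()))
    return struct.pack("<I", len(body)) + body


if __name__ == "__main__":
    info = parse_packager(build_sample())
    for key in ("header", "label", "utype", "original_path", "extract_path",
                "data_size", "data_sha1", "trailing_bytes"):
        print("%-15s %s" % (key + ":", info[key]))
```

Point it at a stream pulled out of a document with olefile (the \x01Ole10Native entry) or at a carved blob; a ValueError from one of the length checks is the signal that a sample is truncated or is deliberately lying about DataLen, which is worth noting in a report rather than papering over.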

Usage

The script can be run against Word documents (.doc), RTF files or carved Ole10Native streams:

python psparser.py sample1.doc

 [*] Analyzing file....
 [*] File is an OLE file...
 [*] Processing Streams...
 [*] Found Ole10Native Stream...checking for packager data
 [*] Stream contains Packager Formatted data...
  Header:         0200
  Label:
  FormatId:       00000300
  OriginalPath:   C:\Aaa\exe\v21.exe
  Extract Path:   C:\Users\M\AppData\Local\Temp\v21.exe
  Data Size:      221696
  Data (SHA1):    c8671177cc462bdd6eb1a36935e885103283f7e1

Extracting Data

To extract data, pass the --extract switch; the data stream is written to the current directory, and the name of the file is the MD5 hash of the embedded data.

python psparser.py sample2.doc --extract
[*] Analyzing file....
 [*] File is an OLE file...
 [*] Processing Streams...
 [*] Found Ole10Native Stream...checking for packager data
 [*] Stream contains Packager Formatted data...
  Header:         0200
  Label:          krt21.exe
  FormatId:       00000300
  OriginalPath:   C:\Aaa\exe\krt21.exe
  Extract Path:   C:\Users\ADMINI~1\AppData\Local\Temp\krt21.exe
  Data Size:      281600
  Data (SHA1):    dbf612659710fa1e463693ec2cce157be9844a01
 Extracting embedded data as 7000ed249bbb16862e5e6f5af250faba

Future Research

  • Confirm UType field values
