VirusTotal · davidmagnotti · Jan 13, 2025 · Jan 13, 2025 · Jan 14, 2025 · Jan 14, 2025
diff --git a/cli/src/commands/dump.rs b/cli/src/commands/dump.rs
@@ -20,6 +20,8 @@ enum SupportedModules {
     Elf,
     Pe,
     Dotnet,
+    Olecf,
+    Vba,
 }
 
 #[derive(Debug, Clone, ValueEnum)]
@@ -111,6 +113,12 @@ pub fn exec_dump(args: &ArgMatches) -> anyhow::Result<()> {
         if !requested_modules.contains(&&SupportedModules::Pe) {
             module_output.pe = MessageField::none()
         }
+        if !requested_modules.contains(&&SupportedModules::Olecf) {
+            module_output.olecf = MessageField::none()
+        }
+        if !requested_modules.contains(&&SupportedModules::Vba) {
+            module_output.vba = MessageField::none()
+        }
     } else {
         // Module was not specified, only show those that produced meaningful
         // results, the rest are cleared out.
@@ -131,6 +139,12 @@ pub fn exec_dump(args: &ArgMatches) -> anyhow::Result<()> {
         if !module_output.pe.is_pe() {
             module_output.pe = MessageField::none()
         }
+        if !module_output.olecf.is_olecf() {
+            module_output.olecf = MessageField::none()
+        }
+        if !module_output.vba.has_macros() {
+            module_output.vba = MessageField::none()
+        }
     }
 
     match output_format {

diff --git a/lib/Cargo.toml b/lib/Cargo.toml
@@ -151,6 +151,9 @@ magic-module = [
 # The `math` module.
 math-module = []
 
+# The `olecf` module
+olecf-module = []
+
 # The `pe` module parses PE files.
 pe-module = [
     "dep:const-oid",
@@ -187,6 +190,9 @@ text-module = [
 # conditions of a rule to check against other epoch time.
 time-module = []
 
+# The `vba` module
+vba-module = []
+
 # The `vt` module is a VirusTotal-specific module that provides access to
 # the metadata that VirusTotal has about the scanned file.
 vt-module = [
@@ -206,10 +212,12 @@ default = [
     "macho-module",
     "math-module",
     "hash-module",
+    "olecf-module",
     "pe-module",
     "string-module",
     "time-module",
     "lnk-module",
+    "vba-module",
     "test_proto2-module",
     "test_proto3-module",
     "vt-module",
@@ -274,6 +282,7 @@ wasmtime = { workspace = true, default-features = false, features = [
 x509-parser = { workspace = true, optional = true }
 yara-x-macros = { workspace = true }
 yara-x-parser = { workspace = true, features = ["serde"] }
+zip = { workspace = true }
 
 lingua = { version = "1.6.2", optional = true, default-features = false, features = ["english", "german", "french", "spanish"] }
 

diff --git a/lib/fuzz/Cargo.toml b/lib/fuzz/Cargo.toml
@@ -47,6 +47,12 @@ path = "fuzz_targets/dotnet_parser.rs"
 test = false
 doc = false
 
+[[bin]]
+name = "vba_parser"
+path = "fuzz_targets/vba_parser.rs"
+test = false
+doc = false
+
 [[bin]]
 name = "rule_compiler"
 path = "fuzz_targets/rule_compiler.rs"

diff --git a/lib/fuzz/fuzz_targets/vba_parser.rs b/lib/fuzz/fuzz_targets/vba_parser.rs
@@ -0,0 +1,6 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+
+fuzz_target!(|data: &[u8]| {
+    let _ = yara_x::mods::invoke::<yara_x::mods::Vba>(data);
+});
diff --git a/lib/src/modules/add_modules.rs b/lib/src/modules/add_modules.rs
@@ -18,6 +18,8 @@ add_module!(modules, "macho", macho, "macho.Macho", Some("macho"), Some(macho::_
 add_module!(modules, "magic", magic, "magic.Magic", Some("magic"), Some(magic::__main__ as MainFn));
 #[cfg(feature = "math-module")]
 add_module!(modules, "math", math, "math.Math", Some("math"), Some(math::__main__ as MainFn));
+#[cfg(feature = "olecf-module")]
+add_module!(modules, "olecf", olecf, "olecf.Olecf", Some("olecf"), Some(olecf::__main__ as MainFn));
 #[cfg(feature = "pe-module")]
 add_module!(modules, "pe", pe, "pe.PE", Some("pe"), Some(pe::__main__ as MainFn));
 #[cfg(feature = "string-module")]
@@ -30,6 +32,8 @@ add_module!(modules, "test_proto3", test_proto3, "test_proto3.TestProto3", Some(
 add_module!(modules, "text", text, "text.Text", Some("text"), Some(text::__main__ as MainFn));
 #[cfg(feature = "time-module")]
 add_module!(modules, "time", time, "time.Time", Some("time"), Some(time::__main__ as MainFn));
+#[cfg(feature = "vba-module")]
+add_module!(modules, "vba", vba, "vba.Vba", Some("vba"), Some(vba::__main__ as MainFn));
 #[cfg(feature = "vt-module")]
 add_module!(modules, "vt", titan, "vt.titan.LiveHuntData", Some("vt"), Some(vt::__main__ as MainFn));
 }
diff --git a/lib/src/modules/mod.rs b/lib/src/modules/mod.rs
@@ -197,6 +197,24 @@ pub mod mods {
     /// Data structure returned by the `macho` module.
     pub use super::protos::macho::Macho;
 
+    /// Data structures defined by the `olecf` module.
+    ///
+    /// The main structure produced by the module is [`olecf:Olecf`]. The rest
+    /// of them are used by one or more fields in the main structure.
+    ///
+    pub use super::protos::olecf;
+    /// Data structure returned by the `olecf` module.
+    pub use super::protos::olecf::Olecf;
+
+    /// Data structures defined by the `vba` module.
+    ///
+    /// The main structure produced by the module is [`vba::Vba`]. The rest
+    /// of them are used by one or more fields in the main structure.
+    ///
+    pub use super::protos::vba;
+    /// Data structure returned by the `macho` module.
+    pub use super::protos::vba::Vba;
+
     /// Data structures defined by the `pe` module.
     ///
     /// The main structure produced by the module is [`pe::PE`]. The rest
@@ -291,6 +309,8 @@ pub mod mods {
         info.dotnet = protobuf::MessageField(invoke::<Dotnet>(data));
         info.macho = protobuf::MessageField(invoke::<Macho>(data));
         info.lnk = protobuf::MessageField(invoke::<Lnk>(data));
+        info.olecf = protobuf::MessageField(invoke::<Olecf>(data));
+        info.vba = protobuf::MessageField(invoke::<Vba>(data));
         info
     }
 

diff --git a/lib/src/modules/modules.rs b/lib/src/modules/modules.rs
@@ -17,6 +17,8 @@ mod macho;
 mod magic;
 #[cfg(feature = "math-module")]
 mod math;
+#[cfg(feature = "olecf-module")]
+mod olecf;
 #[cfg(feature = "pe-module")]
 mod pe;
 #[cfg(feature = "string-module")]
@@ -29,5 +31,7 @@ mod test_proto3;
 mod text;
 #[cfg(feature = "time-module")]
 mod time;
+#[cfg(feature = "vba-module")]
+mod vba;
 #[cfg(feature = "vt-module")]
-mod vt;
+mod vt;
diff --git a/lib/src/modules/olecf/mod.rs b/lib/src/modules/olecf/mod.rs
@@ -0,0 +1,40 @@
+/*! YARA module that parses OLE Compound File Binary Format files.
+
+The OLE CF format (also known as Compound File Binary Format or CFBF) is a
+container format used by many Microsoft file formats including DOC, XLS, PPT,
+and MSI. This module specializes in parsing OLE CF files and extracting
+metadata about their structure and contents.
+
+Read more about the Compound File Binary File format here:
+https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-cfb/53989ce4-7b05-4f8d-829b-d08d6148375b
+*/
+
+use crate::modules::prelude::*;
+use crate::modules::protos::olecf::*;
+
+pub mod parser;
+
+#[module_main]
+fn main(data: &[u8], _meta: Option<&[u8]>) -> Olecf {
+    let mut olecf = Olecf::new();
+
+    match parser::OLECFParser::new(data) {
+        Ok(parser) => {
+            olecf.set_is_olecf(parser.is_valid_header());
+            olecf.streams = parser
+                .get_streams()
+                .map(|(name, entry)| {
+                    let mut s = Stream::new();
+                    s.set_name(name.to_string());
+                    s.set_size(entry.size);
+                    s
+                })
+                .collect();
+        }
+        Err(_) => {
+            olecf.set_is_olecf(false);
+        }
+    }
+
+    olecf
+}