Edit regex to exclude comments
DecimalTurn authored Jun 7, 2024
1 parent 951b436 commit 0f33bd4
Showing 1 changed file with 4 additions and 4 deletions.
8 changes: 4 additions & 4 deletions oletools/olevba.py
Expand Up @@ -2183,7 +2183,7 @@ def detect_autoexec(vba_code, obfuscation=None):
for keyword in keywords:
#TODO: if keyword is already a compiled regex, use it as-is
# search using regex to detect word boundaries:
match = re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code)
match = re.search(r'(?i)^(?:[^\']|\b).*\b' + re.escape(keyword) + r'\b', vba_code)
if match:
found_keyword = match.group()
results.append((found_keyword, description + obf_text))
Expand All @@ -2192,7 +2192,7 @@ def detect_autoexec(vba_code, obfuscation=None):
for keyword in keywords:
#TODO: if keyword is already a compiled regex, use it as-is
# search using regex to detect word boundaries:
match = re.search(r'(?i)\b' + keyword + r'\b', vba_code)
match = re.search(r'(?i)^(?:[^\']|\b).*\b' + keyword + r'\b', vba_code)
if match:
found_keyword = match.group()
results.append((found_keyword, description + obf_text))
Expand All @@ -2218,15 +2218,15 @@ def detect_suspicious(vba_code, obfuscation=None):
for keyword in keywords:
# search using regex to detect word boundaries:
# note: each keyword must be escaped if it contains special chars such as '\'
match = re.search(r'(?i)\b' + re.escape(keyword) + r'\b', vba_code)
match = re.search(r'(?i)^(?:[^\']|\b).*\b' + re.escape(keyword) + r'\b', vba_code)
if match:
found_keyword = match.group()
results.append((found_keyword, description + obf_text))
for description, keywords in SUSPICIOUS_KEYWORDS_REGEX.items():
for keyword in keywords:
# search using regex to detect word boundaries:
# note: each keyword must NOT be escaped because it is an actual regex
match = re.search(r'(?i)\b' + keyword + r'\b', vba_code)
match = re.search(r'(?i)^(?:[^\']|\b).*\b' + keyword + r'\b', vba_code)
if match:
found_keyword = match.group()
results.append((found_keyword, description + obf_text))
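Review bot: The new pattern `(?i)^(?:[^\']|\b).*\b…\b` is passed to `re.search` without `re.MULTILINE`, so `^` matches only at the start of `vba_code` and `.` stops at the first newline; if `vba_code` holds a whole module, keywords after the first line are no longer detected, and this applies to all four searches in `detect_autoexec` and `detect_suspicious`. `match.group()` now also returns the line prefix together with the keyword, which changes the `found_keyword` value stored in the results. Indented or trailing comments (` 'AutoOpen`, `x = 1 ' AutoOpen`) still match, because only the first character of the string is tested for `'`. A per-line form that captures the keyword would be `re.search(r"(?im)^[^'\n]*?\b(" + re.escape(keyword) + r")\b", vba_code)` with `found_keyword = match.group(1)` (unescaped `keyword` for the `_REGEX` tables), though any apostrophe-based filter also skips code that follows a `'` inside a string literal, so that case needs a regression test before the filter is relied on. Both function bodies start and end outside the hunks shown.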