README.md
+21-1
@@ -14,10 +14,14 @@ Since most of the time it is the p-code that determines what exactly a macro wou
14
14
15
15
## Installation
16
16
17
-
The script will work only in Python version 2.6 or higher. It won't work in Python 3.x, because one of the imported modules (`oletools`) does not support Python 3.x. It depends on Philippe Lagadec's package [oletools](https://github.com/decalage2/oletools), so this package has to be installed before using the script. It can be installed with the command
17
+
The script will work both in Python version 2.6+ and in Python 3.x. It depends on Philippe Lagadec's package [oletools](https://github.com/decalage2/oletools), so this package has to be installed before using the script. It can be installed with the command
18
18
19
19
pip install oletools
20
20
21
+
Make sure you have a fairly recent version of it, as the versions before 0.50 do not support Python 3.x. If you have an older version of the module, upgrade it to the latest one with the command
22
+
23
+
pip install oletools --upgrade
24
+
21
25
## Usage
22
26
23
27
The script takes as a command-line argument a list of one or more names of files or directories. If the name is an OLE2 document, it will be inspected for VBA code and the p-code of each code module will be disassembled. If the name is a directory, all the files in this directory and its subdirectories will be similarly processed. In addition to the disassembled p-code, by default the script also displays the parsed records of the `dir` stream, as well as the identifiers (variable and function names) used in the VBA modules and stored in the `_VBA_PROJECT` stream.
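Review bot: The first install command in the Installation section, `pip install oletools`, is left unchanged, so a reader on Python 3.x who already has an oletools older than 0.50 gets no upgrade from it and only learns why in the paragraph that follows. Consider putting the minimum version into the command itself, e.g. `pip install "oletools>=0.50"`, which would also make the separate `pip install oletools --upgrade` step unnecessary. Since the text now claims support for both Python 2.6+ and 3.x, it would also help to say that the `pip` used must belong to the interpreter that will run the script.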
@@ -67,6 +71,20 @@ For reference, it is the result of compiling the following VBA code:
67
71
Shell("calc.exe")
68
72
End Sub
69
73
74
+
## Known problems
75
+
76
+
- Office 2016 64-bit only: When disassembling variables declared as being of custom type (e.g., `Dim SomeVar As SomeType`), the type (`As SomeType`) is not disassembled.
77
+
78
+
- Office 2016 64-bit only: The `Private` property of `Sub`, `Function` and `Property` declarations is not disassembled.
79
+
80
+
- Office 2016 64-bit only: The `Declare` part of external function declarations (e.g., `Private Declare PtrSafe Function SomeFunc Lib "SomeLib" Alias "SomeName" () As Long`) is not disassembled.
81
+
82
+
- All versions of Office: The `Alias "SomeName"` part of external function declarations (e.g., `Private Declare PtrSafe Function SomeFunc Lib "SomeLib" Alias "SomeName" () As Long`) is not disassembled.
83
+
84
+
- All versions of Office: The `Public` property of custom type definitions (e.g., `Public Type SomeType`) is not disassembled.
85
+
86
+
I do not have access to 64-bit Office 2016 and the few samples of documents, generated by this version of Office, that I have, have been insufficient for me to figure out where the corresponding information resides. I know where it resides in the other versions of Office, but it has been moved elsewhere in 64-bit Office 2016 and the old algorithms no longer work.
87
+
70
88
## To do
71
89
72
90
- Implement support of VBA3 (Excel95).
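Review bot: The closing paragraph of Known problems explains only the three "Office 2016 64-bit only" items (no access to that version), which leaves the two "All versions of Office" items (`Alias "SomeName"` and `Public` on custom type definitions) without any stated reason or status. Please say whether those two are simply unimplemented, and whether the output marks the omitted part or drops it silently; in a `Declare` statement the `Alias` is the name actually resolved in the library, so a reader of the disassembly should know it can be missing. The same `Private Declare PtrSafe Function ...` example is repeated verbatim in two bullets and could be given once.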
@@ -82,3 +100,5 @@ Version 1.0.0: Initial version.
82
100
Version 1.1.0: Storing the opcodes in a more efficient manner. Implemented VBA7 support. Implemented support for documents created by the 64-bit version of Office.
83
101
84
102
Version 1.2.0: Disassembling the various declarations (`New`, `Type`, `Dim`, `ReDim`, `Sub`, `Function`, `Property`).
103
+
104
+
Version 1.2.1: Now runs under Python 3.x too. Improved support of 64-bit Office documents. Implemented support of some VBA7-specific features (`Friend`, `PtrSafe`, `LongPtr`). Improved the disassembling of `Dim` declarations.
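Review bot: The Version 1.2.1 entry claims "Improved support of 64-bit Office documents" and "Improved the disassembling of `Dim` declarations", while the Known problems section added in this same change lists three Office 2016 64-bit gaps, one of them in `Dim SomeVar As SomeType`. Suggest adding a pointer from this entry to Known problems so the change log does not read as complete 64-bit support.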