Nothing quite like getting a Microsoft file to inspect and using a good old faithful tool, but in some cases it take more than a couple commands to get what you want.
So I happened upon a request recently where I needed to quickly extract all the Macros from an XLSM file. One way would be to open the file in excel and just copy all the scripts out of it one by one using good old copy/paste, but I wanted something a little more elegant and it's been a while since I had to use any of my scripting skills so I went to work. Now keep in mind, I'm not much of a developer so I just wanted something to automate the macro extractions quickly and dirtily.
Oledump only requires a couple steps to inspect a typical MS excel file:
- Inspect the file to find the interesting contents:
- Extract each interesting content to a file that can be inspected further
- Profit! (or review and edit!)
But if there's 80+ macros in the file, we can use some simple bash scripting techniques to extract the files automatically.
oledump.py <pathToFile/.xlsm> > oledump-summary.txt
Once you have the summary file, review it to find any contents with Macros (denoted with an M). Results may look similar to this:
- A: xl/vbaProject.bin
- A1: 97 'FormSelectDate/\x01CompObj'
- A2: 260 'FormSelectDate/\x03VBFrame'
- A3: 263 'FormSelectDate/f'
- A4: 364 'FormSelectDate/o'
- A5: 1929 'PROJECT'
- A6: 785 'PROJECTwm'
- A7: M 30019 'VBA/SomeScript'
Then you can rifle through those items quickly with some simple bash scripting
for x in {2..6}; do python3 oledump.py -s A$x <pathToFile/.xlsm> > <pathToResults>/oledump-A$x.txt; done
(include -v for VBA compression - i.e. if there are VB Macros)
Now you should have a folder full of excel macros that you can safely review using your favorite file editor
Here's a list of some of the oledump parameters - it's useful for way more filetypes than just Excel
(run python3 oledump.py --help to get a full list)
- -s SELECT, --select=SELECT
- select item nr for dumping (a for all)
- -d, --dump perform dump
- -x, --hexdump perform hex dump
- -a, --asciidump perform ascii dump
- -A, --asciidumprle perform ascii dump with RLE
- -S, --strings perform strings dump
- -T, --headtail do head & tail
- -v, --vbadecompress VBA decompression
I have done other weird stuff in the past with oledump to inspect and decompile outlook messages, but this simple script was still fun.
Look forward to more technical posts in the future, but for now stay warm and keep learning!
Cheers
