I want to draw your attention to some great work by Dr. Bontchev: pcodedmp.py, a VBA P-code disassembler. Microsoft Office documents store VBA macros in more than one form: the VBA project contains the source code of each module, but also the compiled P-code for it. Office runs that cached P-code when the document is opened with the same VBA version that compiled it; otherwise it recompiles the module from its source. Dr. Bontchev created a proof-of-concept document that executes its P-code and does not contain the corresponding source code, so tools that only recover the source text have nothing to show for it. Here is the output from his pcodedmp.py tool for his PoC document:
Dr. Bontchev also coded a plugin for oledump.
Didier Stevens, ISC Handler, Sep 26th 2016
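The diary's point is that a module stream carries two things, and that the source text can be missing while the P-code is intact. The script below is an added example (not code from the diary, from pcodedmp or from oledump) that works on one VBA module stream as MS-OVBA lays it out: the bytes before MODULEOFFSET are the compiled P-code (with its performance cache), the bytes from MODULEOFFSET onwards are the module source in MS-OVBA compression. It implements the MS-OVBA decompressor, a small compressor used only to build samples, and a check that flags a module whose P-code is present but whose source is empty or not a valid compressed container. The P-code bytes, the module source and both module streams are constructed in memory; with a real document you would read the module stream from vbaProject.bin (olefile) and take MODULEOFFSET from the project's dir stream.

```python
"""Flag a VBA module whose source text is gone while its P-code remains.

Added example, not from the ISC diary, pcodedmp or oledump. PCODE below is an
opaque stand-in (real P-code is Office-version specific); SOURCE and the two
module streams are constructed here.
"""
import math

SIGNATURE = 0x01   # CompressedContainer signature byte (MS-OVBA 2.4.1)


def _copytoken_help(difference):
    # MS-OVBA 2.4.1.3.19.1: the number of CopyToken bits used for the offset
    # depends on how many bytes of the current chunk are already decompressed.
    bit_count = max(math.ceil(math.log2(difference)), 4)
    length_mask = 0xFFFF >> bit_count
    offset_mask = (~length_mask) & 0xFFFF
    return length_mask, offset_mask, bit_count


def decompress(data):
    """Decompress an MS-OVBA CompressedContainer into the raw module text."""
    if not data or data[0] != SIGNATURE:
        raise ValueError("not a CompressedContainer: missing 0x01 signature")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunk signature")
        chunk_end = pos - 2 + (header & 0x0FFF) + 3   # chunk size includes its header
        chunk_start = len(out)
        if not header >> 15:                          # flag 0: chunk stored uncompressed
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # LiteralToken: one byte as-is
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")   # CopyToken
                pos += 2
                length_mask, offset_mask, bit_count = _copytoken_help(len(out) - chunk_start)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                for _ in range(length):               # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress(data):
    """Minimal one-chunk MS-OVBA compressor (input <= 4096 bytes), for building samples."""
    if not data:
        return bytes([SIGNATURE])
    if len(data) > 4096:
        raise ValueError("this sample compressor writes a single chunk only")
    body, pos = bytearray(), 0
    while pos < len(data):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(data):
                break
            best_len = best_off = 0
            if pos:                                   # greedy search for the longest match
                length_mask, _, bit_count = _copytoken_help(pos)
                for off in range(1, min(pos, 1 << bit_count) + 1):
                    n = 0
                    while (n < length_mask + 3 and pos + n < len(data)
                           and data[pos + n] == data[pos - off + n]):
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
            if best_len >= 3:
                tokens += (((best_off - 1) << (16 - bit_count)) | (best_len - 3)).to_bytes(2, "little")
                flags |= 1 << bit
                pos += best_len
            else:
                tokens.append(data[pos])
                pos += 1
        body.append(flags)
        body += tokens
    header = 0xB000 | (len(body) + 2 - 3)             # flag=1, signature 0b011, size-3
    return bytes([SIGNATURE]) + header.to_bytes(2, "little") + bytes(body)


def analyze_module(stream, module_offset):
    """Split a module stream at MODULEOFFSET and report whether its source is gone."""
    pcode, compressed_source = stream[:module_offset], stream[module_offset:]
    try:
        source = decompress(compressed_source).decode("latin-1")
    except ValueError:
        source = ""                                   # zeroed/absent container: no source
    has_pcode = bool(pcode.strip(b"\x00"))
    return {"pcode_bytes": len(pcode), "source": source,
            "stomped": has_pcode and not source.strip()}


# Constructed samples (not real P-code, not a real document).
PCODE = bytes(range(0x10, 0x50))
SOURCE = (b'Attribute VB_Name = "Module1"\r\n'
          b'Sub AutoOpen()\r\n    MsgBox "hello"\r\nEnd Sub\r\n')
MODULE_OFFSET = len(PCODE)
INTACT_MODULE = PCODE + compress(SOURCE)
STOMPED_MODULE = PCODE + b"\x00" * len(compress(SOURCE))   # source zeroed, P-code kept

if __name__ == "__main__":
    for name, stream in (("intact", INTACT_MODULE), ("stomped", STOMPED_MODULE)):
        r = analyze_module(stream, MODULE_OFFSET)
        print(f"{name}: {r['pcode_bytes']} P-code bytes, "
              f"{len(r['source'])} source chars, stomped={r['stomped']}")
```

This only catches the case the PoC demonstrates, source removed outright; a module whose source was replaced by innocuous code still decompresses cleanly, and telling the two apart requires disassembling the P-code with pcodedmp.py and comparing it with the source.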
Do you know if the AV vendors tend to scan for Malware/Viruses based on Source of P-code content?
Anonymous, Sep 27th 2016
Sorry, should have been "Source OR P-Code content?"
Anonymous, Sep 27th 2016
From the few tests that I did, I say source code.
DidierStevens, ISC Handler, Sep 27th 2016