vbe6 hooks does not cover later office apps? about monitor HOT 4 OPEN

Would it also please be possible to hook OleConvertOLESTREAMToIStorage for RTF decoding mentioned here:
https://www.fireeye.com/blog/threat-research/2016/05/how_rtf_malware_evad.html

from monitor.

Unfortunately only Office 2007 as of yet. Regarding your request, I added that a little while ago as well https://github.com/cuckoosandbox/monitor/blob/master/sigs/ole.rst#oleconvertolestreamtoistorage. The issue though is the fact that this dumps a plain OLE1 file I believe they call it and I couldn't find any existing tools to work with OLE1 files. I believe it is possible to convert it to an OLE2 structure with some Windows API usage, but that obviously requires some additional work.

from monitor.

I do plan to add other versions of Office, it's just that one can only focus on so many things at once.
Thanks for the continuous requests, though! Keep 'em coming :-)

from monitor.

Hi,

Yes I understand this; just was unsure as it wasn't noted office 2007 (not
that it would be). Unfortunately this bit is beyond me or I would just get
it done; I have been looking at the API stuff though and while not wrapped
my head around that I want to see if I can figure out enough to get some
more hooks that I have requested although I hope my signature stuff will be
somewhat helpful. Thanks for the response :-)

On 22 July 2016 at 09:41, Jurriaan Bremer [email protected] wrote:

I do plan to add other versions of Office, it's just that one can only
focus on so many things at once.

—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
#27 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ACTXtXWGmgNQ8FISAURY2A7IejrasoKbks5qYIIvgaJpZM4JOnfK
.

from monitor.