Created
September 24, 2020 15:31
-
-
Save JohnLaTwC/5e110aa379810e25c94d544ffdf2498e to your computer and use it in GitHub Desktop.
Defined name matching mod for UTF16 names
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| def get_defined_name(self, name, full_match=True): | |
| result = [] | |
| name = name.lower().replace('[', '') | |
| if full_match: | |
| if name in self.get_defined_names(): | |
| result = self._defined_names[name] | |
| else: | |
| for defined_name, cell_address in self.get_defined_names().items(): | |
| if defined_name.startswith(name): | |
| result.append((defined_name, cell_address)) | |
| # By @JohnLaTwC: | |
| # if no matches try matching by matching 'name' by looking for its characters | |
| # in the same order (ignoring junk chars from UTF16 etc in between. Eg: | |
| # Auto_open: | |
| # match: 'a_u_t_o___o__p____e_n' | |
| # not match:'o_p_e_n_a_u_to__' | |
| # Reference: https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/ | |
| # Sample: e23f9f55e10f3f31a2e76a12b174b6741a2fa1f51cf23dbd69cf169d92c56ed5 | |
| if len(result) == 0: | |
| for defined_name, cell_address in self.get_defined_names().items(): | |
| lastidx = 0 | |
| fMatch = True | |
| for c in name: | |
| idx = defined_name.find(c, lastidx) | |
| if idx == -1: | |
| fMatch = False | |
| lastidx = idx | |
| if fMatch: | |
| result.append((defined_name, cell_address)) | |
| ##print("fMatch for %s in %s is %d:" % (name,defined_name, fMatch)) | |
| return result |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment