Simple python program to check Office docs (doc,xls) for canary tokens

canary_checker.py

#!/usr/bin/env python3
# (C)2022 Netscylla
# License GNU GPL v3.0

import re
from zipfile import ZipFile
from io import StringIO
from io import BytesIO
import argparse
from colorama import Fore,Style
import pdfquery

#GLOBALS
verbose=0
errorcount=0

flark = argparse.ArgumentParser(fromfile_prefix_chars='@')

flark.add_argument('-f','--file',type=str,
                       help='target file',
                       required=False)
flark.add_argument('-d','--dir',type=str,
                       help='target folder',
                       required=False)
flark.add_argument('-v','--verbose',action="store_true",
                       help='verbose',
                       required=False)

args = flark.parse_args()
verbose=args.verbose

def checkzip(filename,filetype):
  try:
    f = open(filename, "rb")
    zip=ZipFile(BytesIO(f.read()))
    if filetype == "doc":
      paths=["word/footer2.xml","word/_rels/footer2.xml.rels"]
    if filetype == "xls":
      paths=["xl/drawings/_rels/drawing1.xml.rels"]
    for path in paths:
      for line in zip.open(path).readlines():
        if re.findall('canarytokens',str(line)):
            print(filename + f': {Fore.RED}Canary Found!{Style.RESET_ALL}',end = ' ')
            if verbose:
              if filetype == "doc":
                try:
                  print(re.match(r'.*\"(.*canarytokens.+?\\).*',str(line))[1])
                except Exception as e:
                  print('\n' + filename + ': Canary Found! But error parsing canary '+ e)
              if filetype == "xls":
                print(re.match(r'.*\=\"(http.*canarytokens.+)\sT',str(line))[1])
            else:
              print()
              break
      else:
        #if filetype else
        continue
      break
  except Exception as e:
    print(filename + ': Clean!')
  finally:
    f.close()

def checkpdf(filename):
  pdf = pdfquery.PDFQuery(filename)
  obj14=pdf.parser.doc.getobj(14)
  obj14.decode()
  obj14dec=str(obj14.data)
  if re.findall('canarytokens',obj14dec):
    try:
      print(filename + f': {Fore.RED}Canary Found!{Style.RESET_ALL}',end=' ')
      if verbose: 
        print(re.match(r'.*URI\((.*\.canarytokens.*)\)',obj14dec)[1])   
      else:
        print()
    except Exception as e:
      print(filename + e + ': Canary Found!')

def checktextfile(filename):
  f = open(filename, "r")
  for line in f.readlines():
    if re.findall('canarytokens',line):
      try:
        print(filename + f': {Fore.RED}Canary Found!{Style.RESET_ALL}',end=' ')
        if verbose:
          print(re.match(r'(.*\.canarytokens.*)',line)[1])
        else:
          print()
      except:
        print(filename + ': Canary Found!')

if (args.file):
  if (args.file).endswith(".doc") or (args.file).endswith(".docx"):
    checkzip(args.file,"doc")

  if (args.file).endswith(".xls") or (args.file).endswith(".xlsx"):
    checkzip(args.file,"xls")

  if (args.file).endswith(".pdf"):
    checkpdf(args.file)  

  if (args.file).endswith(".ini"):
    checktextfile(args.file)

if (args.dir):
  from os import walk
  import os
  filenames = [os.path.join(dp, f) for dp, dn, filenames in os.walk(args.dir) for f in filenames]

  for file in filenames:
    try: 
      if not re.findall(os.path.basename(__file__),file):
         if (file).endswith(".doc") or (file).endswith(".docx"):
           checkzip(file,"doc")
         if (file).endswith(".xls") or (file).endswith(".xlsx"):
           checkzip(file,"xls")
         if (file).endswith(".pdf"):
           checkpdf(file)
         else:
           checktextfile(file)
    except:
      errorcount+=1

print("No of errors: "+str(errorcount))