1
00:00:11,550 --> 00:00:16,630
Hello everyone and welcome to another video of Expert Malware Analysis and Reverse Engineering.

2
00:00:16,710 --> 00:00:24,320
So moving ahead from our previous video, where we analyzed a malicious Office file using oledump.

3
00:00:24,330 --> 00:00:30,420
In this video, we are going to focus on another very critical tool called oletools.

4
00:00:30,600 --> 00:00:38,010
It's a very good tool and it's open source and it's specifically designed for analyzing OLE file

5
00:00:38,010 --> 00:00:39,650
formats.

6
00:00:39,690 --> 00:00:41,850
So here is the home page of

7
00:00:41,890 --> 00:00:42,630
oletools.

8
00:00:42,650 --> 00:00:48,730
It has been developed by Decalage.

9
00:00:48,810 --> 00:00:56,390
You can read a lot about the documentation, about the setup, how you can have it ready and working.

10
00:00:56,650 --> 00:01:00,150
So there are multiple sub-tools within oletools as well.

11
00:01:00,250 --> 00:01:05,540
And here is an exhaustive list of all the tools that are present.

12
00:01:05,840 --> 00:01:11,990
We will be going through a few of them in our current video.

13
00:01:12,150 --> 00:01:15,050
So how do we go ahead and install oletools?

14
00:01:15,120 --> 00:01:22,950
Well, the easiest way is, if you are on a Linux machine, you simply run the command sudo -H pip install -U oletools.

15
00:01:23,000 --> 00:01:24,290
That's all we need to do.

16
00:01:24,660 --> 00:01:25,790
That's it.

17
00:01:25,920 --> 00:01:30,330
That should be the command to install it on Linux. If you are on Windows,

18
00:01:30,330 --> 00:01:36,660
and if you have PowerShell up and running and if you have Flare as well, pip will be working for you

19
00:01:36,660 --> 00:01:38,700
on the Windows environment as well.

20
00:01:38,700 --> 00:01:46,200
And you can run the same command to have oletools installed on your machine.

21
00:01:46,410 --> 00:01:53,320
The other way is to go to the official GitHub page for oletools.

22
00:01:54,210 --> 00:02:02,870
So that's the link for the GitHub page and you'll see the entire code base of oletools here.

23
00:02:04,160 --> 00:02:10,970
If you go to the folder oletools, you'll see that all the sub-tools that we saw on the home page

24
00:02:11,450 --> 00:02:15,710
are mentioned here as Python files.

25
00:02:15,730 --> 00:02:24,460
So what we need to do here is to just click on "Clone or download" and just download the zip file.

26
00:02:24,460 --> 00:02:32,010
Once you download and unzip it on your desktop, it will create a folder called oletools-master.

27
00:02:32,260 --> 00:02:39,830
So once that folder is present, just go to that directory. Let me just show you the folder once.

28
00:02:40,530 --> 00:02:43,170
So this will be the content of the folder.

29
00:02:43,200 --> 00:02:46,190
There will be a file called setup.py.

30
00:02:46,230 --> 00:02:49,540
So to have oletools installed,

31
00:02:49,740 --> 00:02:59,730
just go to the particular directory where you have unzipped all the tools and give the command

32
00:03:00,180 --> 00:03:06,830
python setup.py install.

33
00:03:06,850 --> 00:03:15,030
So once the installation goes through, oletools will be ready to use on your computer.

34
00:03:16,880 --> 00:03:26,150
So once the entire setup is run, you'll see that the oletools folder now exists in your directory.

35
00:03:26,180 --> 00:03:35,210
You can either have this oletools folder moved inside Flare office so that it kind of makes it

36
00:03:35,300 --> 00:03:42,790
easy for you to keep track of all the Office file analysis tools and later on you can reference them

37
00:03:42,800 --> 00:03:44,550
whenever you want.

38
00:03:44,630 --> 00:03:49,880
That would be a very ideal step because that will keep your tools in a very logical and arranged manner

39
00:03:49,910 --> 00:03:55,000
so that it's easy for you to look for them and use them whenever you need.

40
00:03:56,500 --> 00:04:01,150
So let's come back to PowerShell and move to the oletools directory.

41
00:04:01,510 --> 00:04:05,720
So some of the major tools that we want to cover here:

42
00:04:05,830 --> 00:04:15,450
the first one would be oleid, then we'll cover olemeta, oledir, olemap and olevba.

43
00:04:15,450 --> 00:04:16,970
There are a bunch of other tools as well.

44
00:04:16,980 --> 00:04:20,530
And I encourage you to just go ahead and play with them as well.