oletools_rs 0.1.0

Rust port of oletools — analysis tools for Microsoft Office files (VBA macros, DDE, OLE objects, RTF exploits)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75

//! # oletools_rs
//!
//! Rust port of [python-oletools](https://github.com/decalage2/oletools) for
//! analyzing Microsoft Office files.
//!
//! This library provides tools for detecting and analyzing VBA macros,
//! OLE objects, DDE exploits, embedded objects, and other potentially
//! malicious content in Office documents.
//!
//! ## Modules
//!
//! - [`ole`] — OLE2 Compound Document parsing
//! - [`ooxml`] — Office Open XML (ZIP + XML) parsing
//! - [`vba`] — VBA macro extraction and suspicious pattern scanning
//! - [`ftguess`] — File type detection (magic bytes, CLSID, content types)
//! - [`mraptor`] — MacroRaptor heuristic malicious macro detection
//! - [`oleid`] — Security indicator analysis (7 checks)
//! - [`oleobj`] — Embedded OLE object extraction
//! - [`rtfobj`] — RTF OLE extraction and CVE detection
//! - [`msodde`] — DDE command detection across all Office formats
//! - [`oletimes`] — OLE entry timestamp extraction
//!
//! ## Quick start
//!
//! ```rust,no_run
//! use oletools_rs::{VbaParser, MacroRaptor, OleID};
//!
//! fn main() -> oletools_rs::Result<()> {
//!     let data = std::fs::read("document.docm")?;
//!
//!     // Check for malicious macros
//!     let (_result, flags) = MacroRaptor::scan_file(&data)?;
//!     if flags.is_suspicious() {
//!         println!("Suspicious macro: A={} W={} X={}", flags.autoexec, flags.write, flags.execute);
//!     }
//!
//!     // Full security analysis
//!     let oleid = OleID::new(&data);
//!     for ind in oleid.analyze() {
//!         println!("{}: {} ({})", ind.name, ind.value, ind.risk);
//!     }
//!     Ok(())
//! }
//! ```

pub mod common;
pub mod error;
pub mod ftguess;
pub mod ole;
pub mod ooxml;
pub mod vba;

pub mod mraptor;
pub mod msodde;
pub mod oleid;
pub mod oleobj;
pub mod oletimes;
pub mod rtfobj;

#[cfg(feature = "crypto")]
pub mod crypto;

// Convenience re-exports
pub use error::{Error, Result};
pub use ftguess::detector::FileTypeGuesser;
pub use mraptor::analyzer::{MRaptorFlags, MRaptorResult, MacroRaptor};
pub use msodde::field_parser::DdeField;
pub use ole::container::OleFile;
pub use oleid::checker::OleID;
pub use oleid::indicator::{Indicator, RiskLevel};
pub use oleobj::extractor::OleObjExtractor;
pub use oletimes::TimestampEntry;
pub use ooxml::parser::OoxmlParser;
pub use rtfobj::object::RtfObjParser;
pub use vba::parser::VbaParser;