dir stream parsing is too strict

**Affected tool:**
olevba

**Describe the bug**
sig_byte and chunk_signature compare exact byte-values.  Office only checks individual bits, not the entire byte.
For sig_byte, only bits 0-1 are checked, bits 2-7 are not checked.
For chunk_signature, only bit 15 is checked, bits 12-24 are not checked.

**File/Malware sample to reproduce the bug**
[pw_clean.zip](https://github.com/user-attachments/files/16170071/pw_clean.zip)

**How To Reproduce the bug**
olevba doc1.doc

**Expected behavior**
dir stream should be parsed correctly, no error from _extract_vba

**Console output / Screenshots**
If applicable, add screenshots to help explain your problem.
Use the option "-l debug" to add debugging information, if possible.

**Version information:**
 - OS: Windows
 - OS version: 10.0.19045 - 64 bits
 - Python version: 3.8.5 - 64 bits
 - oletools version: 0.60.2

**Additional context**
In the sample file, the sig_byte is changed from 01 to 05; chunk_signature is changed from B2 to 82.
The file opens correctly in Word 2019.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

dir stream parsing is too strict #863

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

dir stream parsing is too strict #863

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions