VBA: __SRP_ Streams
2021-12-29 08:0:0 Author: blog.didierstevens.com

Office documents with a VBA project that contains streams whose names start with __SRP_ have had their VBA macros executed at least once.

As Dr. Bontchev describes in the documentation for his pcodedmp tool:

When the p-code has been executed at least once, a further tokenized form of it is stored elsewhere in the document (in streams, the names of which begin with __SRP_, followed by a number).

Thus in my maldoc trainings, I always explain that the presence of __SRP_ streams is an indication that the VBA code has been executed prior to the saving of the document, and vice versa, that the absence means that the code was not executed (prior to saving).

I recently discovered that these __SRP_ streams are also created when the VBA project is compiled (without running the macros), by selecting menu option “Debug / Compile Project” in the VBA IDE.
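A triage check built on the observations above, as an added example that is not code from the original post or from pcodedmp: it lists the OLE streams of a document and reports what the presence or absence of __SRP_ streams supports. The function names are hypothetical, the sample stream listings are constructed, and reading real files assumes the third-party olefile library is installed.

```python
import io
import zipfile

SRP_PREFIX = "__SRP_"  # stream-name prefix quoted on this page


def srp_streams(stream_paths):
    """Return stream paths (olefile listdir() shape) whose last part starts with __SRP_."""
    return ["/".join(p) for p in stream_paths if p and p[-1].startswith(SRP_PREFIX)]


def assess(stream_paths):
    """Turn a stream listing into the finding this page supports."""
    has_vba = any(part.upper() == "VBA" for p in stream_paths for part in p[:-1])
    hits = srp_streams(stream_paths)
    if not has_vba:
        verdict = "no VBA storage found"
    elif hits:
        verdict = "macros were executed or the project was compiled before saving"
    else:
        verdict = "macros were not executed before saving"
    return {"has_vba": has_vba, "srp_streams": hits, "verdict": verdict}


def list_streams(path):
    """List OLE streams of a .doc/.xls file, or of vbaProject.bin inside OOXML."""
    import olefile  # third-party (assumed installed); only needed for real files
    with open(path, "rb") as fh:
        data = fh.read()
    blobs = [data]
    if zipfile.is_zipfile(io.BytesIO(data)):  # .docm/.xlsm: VBA lives in a zip member
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            blobs = [zf.read(n) for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
    streams = []
    for blob in blobs:
        with olefile.OleFileIO(io.BytesIO(blob)) as ole:
            streams.extend(ole.listdir(streams=True, storages=False))
    return streams


# Constructed sample listings (not taken from a real document).
COMPILED_OR_RUN = [["Macros", "PROJECT"], ["Macros", "VBA", "ThisDocument"],
                   ["Macros", "VBA", "__SRP_0"], ["Macros", "VBA", "__SRP_1"],
                   ["Macros", "VBA", "dir"], ["WordDocument"]]
NEVER_RUN = [["Macros", "PROJECT"], ["Macros", "VBA", "ThisDocument"],
             ["Macros", "VBA", "dir"], ["WordDocument"]]

if __name__ == "__main__":
    for name, listing in (("compiled_or_run", COMPILED_OR_RUN), ("never_run", NEVER_RUN)):
        print(name, assess(listing))
```

For a real file, pass the result of `list_streams(path)` to `assess()`.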



Article source: https://blog.didierstevens.com/2021/12/29/vba-__srp_-streams/