
xtchm - extract Compiled Help Modules

Open EricFaehrmann opened this issue 2 years ago • 1 comment

Specification

It is possible to weaponize .chm files, but binref can't extract these files. There is a Python lib, PyCHM, but this is just a wrapper for the C lib CHMLib. The C lib needs a string with the path to the chm file to open it. This is against the binref code of conduct.

I think the only solution would be to implement the algorithm in Python as a new binref unit.

@huettenhain can you prove that there isn't another way to extract chm files with binref? If so, I can start to develop a new unit.

Test Cases

  • Malicious-CHM-Guide.md
  • AgentTesla Spreads Through CHM and PDF Files in Recent Attacks
  • Cryptowall Makes a Comeback Via Malicious Help Files (CHM)
  • Harmful Help: Analyzing a Malicious Compiled HTML Help File Delivering Agent Tesla

EricFaehrmann avatar Jan 08 '24 20:01 EricFaehrmann

After our prior discussion, I did some research and could not identify any acceptable Python libraries to unpack CHM files either. I had collected a few links to CHM-related online resources, but not much more. I will leave them here for posterity:

  • https://chmspec.nongnu.org/latest/
  • https://code.google.com/archive/p/bookinsight/wikis/chmformat.wiki
  • http://www.jedrea.com/chmlib/
  • https://savannah.nongnu.org/projects/chmdeco

Notably, 7Zip can handle CHM files, so the 7Zip source code might also be a good reference. I probably won't have time to work on this myself, but I would be grateful for the contribution.

huettenhain avatar Jan 09 '24 14:01 huettenhain
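The in-memory approach the issue asks for, as an added example that is not part of binref or of either comment: a minimal parser for the CHM ITSF header, the ITSP directory header and the PMGL listing chunks, working purely on bytes (layout per the chmspec link above), plus extraction of entries stored in the uncompressed content section 0. The sample image is constructed here for illustration; the code assumes a version 3 header and does not decode the LZX-compressed section 1.

```python
import struct

def read_encint(buf, pos):
    # CHM ENCINT: big-endian 7-bit groups, high bit set means another byte follows
    value, b = 0, 0x80
    while b & 0x80:
        b, pos = buf[pos], pos + 1
        value = (value << 7) | (b & 0x7F)
    return value, pos

def parse_chm(data):
    if data[:4] != b'ITSF':
        raise ValueError('missing ITSF signature')
    dir_off, dir_len = struct.unpack_from('<QQ', data, 0x48)   # header section 1 = directory
    content_off = struct.unpack_from('<Q', data, 0x58)[0]      # v3 header: start of content section 0
    if data[dir_off:dir_off + 4] != b'ITSP':
        raise ValueError('missing ITSP directory header')
    itsp_len, _, chunk_size = struct.unpack_from('<III', data, dir_off + 8)
    first, last = struct.unpack_from('<ii', data, dir_off + 0x20)  # first/last PMGL chunk numbers
    entries = []
    for n in range(first, last + 1):
        chunk = data[dir_off + itsp_len + n * chunk_size:][:chunk_size]
        if chunk[:4] != b'PMGL':
            continue  # PMGI index chunks carry no listing
        pos, end = 0x14, chunk_size - struct.unpack_from('<I', chunk, 4)[0]  # minus trailing quickref/free space
        while pos < end:
            n_len, pos = read_encint(chunk, pos)
            name, pos = chunk[pos:pos + n_len].decode('utf-8'), pos + n_len
            section, pos = read_encint(chunk, pos)
            offset, pos = read_encint(chunk, pos)
            length, pos = read_encint(chunk, pos)
            entries.append((name, section, offset, length))
    return content_off, entries

def extract_uncompressed(data, content_off, name, section, offset, length):
    # Only content section 0 is stored raw; section 1 is LZX-compressed and needs a decompressor
    if section != 0:
        raise NotImplementedError(f'{name}: section {section} is LZX-compressed')
    return data[content_off + offset:content_off + offset + length]

def build_sample_chm():
    # Constructed minimal CHM image (not a real file): one uncompressed entry in section 0
    name, body, chunk_size = b'/index.htm', b'<html><body>hello</body></html>', 0x1000
    listing = bytes([len(name)]) + name + bytes([0, 0, len(body)])  # ENCINTs: section 0, offset 0, length
    pmgl = (b'PMGL' + struct.pack('<IIii', chunk_size - 0x14 - len(listing), 0, -1, -1) + listing).ljust(chunk_size, b'\0')
    itsp = (b'ITSP' + struct.pack('<IIIIIIiIIiII', 1, 0x54, 0x0A, chunk_size, 2, 1, -1, 0, 0, -1, 1, 0x409)).ljust(0x54, b'\0')
    sec0 = struct.pack('<IIQII', 0x01FE, 0, 0x60 + 0x18 + 0x54 + chunk_size + len(body), 0, 0)  # carries total file size
    dir_off, dir_len = 0x60 + len(sec0), len(itsp) + len(pmgl)
    header = b'ITSF' + struct.pack('<IIIII', 3, 0x60, 1, 0, 0x409) + bytes(32)  # version 3; GUIDs zeroed in this sample
    header += struct.pack('<QQQQQ', 0x60, len(sec0), dir_off, dir_len, dir_off + dir_len)
    return header + sec0 + itsp + pmgl + body
```

Running `parse_chm(build_sample_chm())` lists the single entry `/index.htm` in section 0, which `extract_uncompressed` then returns as the raw HTML body; on a real file, entries in section 1 are reported but not decompressed.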