I often use oletools when analyzing malicious Office documents. Lately, I have been using Windows rather than Linux. I didn’t have oletools installed yet, so here are my notes for how I got it working.
Before, I did this through WSL, which was as simple as this:
pip install -U oletools
Since I have been doing a lot of PowerShell development lately, I decided to get this working in PowerShell and not rely on using WSL. Python was already installed on my system, so I installed the module with pip. This was very similar to how I did this with Linux:
python.exe -m pip install -U oletools
I was greeted with some warnings:
WARNING: The script pcodedmp.exe is installed in 'C:\Users\Daniel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
WARNING: The script msoffcrypto-tool.exe is installed in 'C:\Users\Daniel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
Running setup.py install for colorclass … done
WARNING: The scripts ezhexviewer.exe, ftguess.exe, mraptor.exe, msodde.exe, olebrowse.exe, oledir.exe, olefile.exe, oleid.exe, olemap.exe, olemeta.exe, oleobj.exe, oletimes.exe, olevba.exe, pyxswf.exe and rtfobj.exe are installed in 'C:\Users\Daniel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Scripts' which is not on PATH.
Consider adding this directory to PATH or, if you prefer to suppress this warning, use --no-warn-script-location.
I’m definitely not going to want to type out the full path every time I run these, or move these files to another folder in my PATH every time there’s an update, so I decided to add this to my PowerShell profile.
This machine isn’t my “daily driver”, and is used for developing and analyzing malware, so first I set the execution policy to unrestricted. Doing this to important machines typically isn’t a great idea.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Next, I opened up my PowerShell profile to add a line to append this path to my PATH variable:
notepad $profile
I added this line:
$env:PATH += ";C:\Users\Daniel\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.9_qbz5n2kfra8p0\LocalCache\local-packages\Python39\Scripts"
After saving my profile and restarting PowerShell, I was able to run olevba, olebrowse, and the rest of the tools provided without typing the full path.
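A variant of the profile line above that asks Python for its per-user Scripts directory instead of hard-coding it, so the entry keeps working after a Python upgrade. This is an added example, not part of the original post; the function name Add-PythonUserScriptsToPath is hypothetical, and it assumes python.exe is already on PATH.

```powershell
# Added example for $PROFILE; the function name is hypothetical.
function Add-PythonUserScriptsToPath {
    if (-not (Get-Command python.exe -ErrorAction SilentlyContinue)) {
        Write-Warning 'python.exe was not found on PATH.'
        return
    }
    # Ask the interpreter for its per-user Scripts directory (scheme "nt_user"),
    # so the entry follows Python upgrades instead of pinning "Python39".
    $query = "import sysconfig; print(sysconfig.get_path('scripts', 'nt_user'))"
    $output = & python.exe -c $query 2>$null
    $scripts = $output | Select-Object -First 1
    if ($LASTEXITCODE -ne 0 -or [string]::IsNullOrWhiteSpace($scripts)) {
        Write-Warning 'Could not query python.exe for the user Scripts directory.'
        return
    }
    $scripts = $scripts.Trim().TrimEnd('\')
    if (-not (Test-Path -LiteralPath $scripts -PathType Container)) {
        Write-Warning "Scripts directory does not exist yet: $scripts"
        return
    }
    # Skip the append if the directory is already listed (case-insensitive,
    # ignoring trailing backslashes), so nested shells do not grow PATH.
    $entries = $env:PATH -split ';' | Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') }
    if ($entries -notcontains $scripts) {
        # Append, never prepend: this folder is user-writable, and an earlier
        # PATH position would let files in it shadow system executables.
        $env:PATH = $env:PATH.TrimEnd(';') + ';' + $scripts
    }
}

Add-PythonUserScriptsToPath

# Confirm which olevba.exe the shell will actually run.
Get-Command olevba -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Source
```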
Hi, another solution is to open a command prompt as administrator, and then run “pip install -U oletools”. This should install oletools exe files in a python folder that is already in your PATH.