5.4 Working with Macros

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5.  Macro Viruses

Office includes three different tools for working with macros, each specialized for a particular use. The Macro Editor is good for viewing simple macros and deleting them. The Organizer, only available in Word, is the best tool for viewing macros and style formats within templates. The Visual Basic Editor first appeared with Office 97 and is best for viewing and editing VBA macros. Different types of macros will appear in different tools. Macro viruses will often attempt to hide from these tools; it's possible for a document to be infected even if a macro is not found.

5.4.1 Macro Editor

You can view the macros active in a document with the Macro Editor by choosing Tools → Macro → Macros. The Macros dialog box lists the macros and lets you edit or delete them. Figure 5-1 shows a template previously infected by the Concept virus and displays a leftover macro named PayLoad. The word "payload" should be an indication that a mischievous macro is present.

Figure 5-1. The Macros dialog box

You can use the Macro Editor to highlight suspicious macros and delete them. Macros written as class modules (discussed in Section 5.6) will not appear. If you choose the Edit button, you will be taken to the Visual Basic Editor. The Organizer button will take you to the Organizer.

5.4.2 Organizer

The Organizer (see Figure 5-2) can be used to view, copy, and delete macros, styles, autotext, and toolbars within Word. Unfortunately, Organizer cannot be used to view or manipulate code within a macro, just the entire macro. The Organizer always displays the macros and formatting options of the global template by default. The Organizer can be accessed through three different menu options:

  • Tools → Templates and Add-ins → Organizer

  • Tools → Macro → Macros → Organizer

  • Format → Style → Organizer

Figure 5-2. The Organizer

You can open up one document to view and modify its items, or open up another at the same time to copy between documents. In my opinion, one of the Organizer's best traits is its ability to view the macro contents of a document or template without having to open it. In this example, a document infected by the Shiver virus is revealing that it contains an unexpected macro module called Module1.

When looking to see if a suspected document contains macros, I've had more success with Organizer than the other two tools. Many macro viruses "lock" themselves so they cannot easily be viewed with the other utilities. With Organizer, you can often see that the document does contain a macro (when in most cases it shouldn't). Unfortunately, it cannot be used to look at specific macro code, and doesn't reveal class viruses. In order to do that, you must choose one of the other two tools. Organizer isn't perfect at spotting macros, especially if a class-like virus contains private (vs. public) VBA routines. That is where the Visual Basic Editor excels.

5.4.3 Visual Basic Editor

Programmers can use Office's built-in Visual Basic Editor (VBE), as shown in Figure 5-3, to write VBA modules. It can be your ultimate debugging tool, too. VBE can be accessed with Alt-F11 or Tools → Macros → Visual Basic Editor in Word or Excel.

Figure 5-3. Microsoft Visual Basic Editor

VBE is the tool most macro virus writers use to write code. It is also the tool we can use to view and disable macro viruses. VBE has many different windows (too many to cover in this book), each with a different view or level of detail. The upper left portion of the screen, called Project Explorer, shows you the available projects (documents, templates, modules) open in memory, and which modules are attached to each project.

Readers interested in writing Word macros should check out another O'Reilly book, Writing Word Macros: An Introduction to Programming Word using VBA, by Steven Roman.

Documents and templates appear as the same type of object, at first view, in Project Explorer (see Figure 5-4). The Normal project refers to Word's global template, and Ora2000 is a customized template. TestMacro is a regular Word document, and Document4 is a Word document that has not been saved yet. You can expand any project to see its related modules.

Figure 5-4. Project Explorer

Figure 5-5 shows a project expanded to reveal different class objects, including the default ThisDocument object. Below the Project window, the Properties window displays the different property values for the ThisDocument object. In Figure 5-6, the Object Browser window displays all of the different objects active in a project.

Figure 5-5. Project Explorer expanded

Figure 5-6. The Object Browser window

Later on, we will learn how to use VBE's Code Window to troubleshoot macro viruses.
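
The module inventory that Project Explorer shows can also be written out as text, which makes it easy to compare a suspect document's modules against what it should contain. The VBA below is an added example, not code from the book: it uses the VBE object model (Application.VBE.VBProjects and VBComponents), the names ListLoadedVbaModules and KindName and the constant names are invented for illustration, and it assumes Word permits programmatic access to the VBA project.

```vba
' Added example (not from the book): list every module in every VBA project
' Word currently has loaded, with its type and line count, in the VBE
' Immediate window. Assumes access to the VBA project object model is allowed.
Option Explicit

' VBComponent.Type and VBProject.Protection values from the VBA
' extensibility library, declared here so no extra reference is needed.
Private Const CT_STD_MODULE As Long = 1
Private Const CT_CLASS_MODULE As Long = 2
Private Const CT_MSFORM As Long = 3
Private Const CT_DOCUMENT As Long = 100   ' e.g. ThisDocument
Private Const PP_LOCKED As Long = 1       ' project locked for viewing

Public Sub ListLoadedVbaModules()
    Dim proj As Object, comp As Object
    For Each proj In Application.VBE.VBProjects
        If proj.Protection = PP_LOCKED Then
            ' Components of a locked project cannot be enumerated;
            ' report the lock instead of silently skipping the project.
            Debug.Print proj.Name & ": LOCKED, modules cannot be listed"
        Else
            Debug.Print proj.Name & ":"
            For Each comp In proj.VBComponents
                ' Class and document modules are included here even though
                ' the Macros dialog box does not show them.
                Debug.Print "  " & comp.Name & vbTab & KindName(comp.Type) & _
                    vbTab & comp.CodeModule.CountOfLines & " line(s)"
            Next comp
        End If
    Next proj
End Sub

Private Function KindName(ByVal t As Long) As String
    Select Case t
        Case CT_STD_MODULE: KindName = "standard module"
        Case CT_CLASS_MODULE: KindName = "class module"
        Case CT_MSFORM: KindName = "user form"
        Case CT_DOCUMENT: KindName = "document object"
        Case Else: KindName = "type " & t
    End Select
End Function
```

A ThisDocument entry with a nonzero line count, or a project reported as locked, in a document that should carry no code is a reason to inspect it further in VBE.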


Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
EAN: 2147483647
Year: 2001
Pages: 176
