Didier Stevens

Wednesday 10 February 2016

Create Your Own CMD.XLS

Filed under: Hacking,My Software — Didier Stevens @ 0:00

For several years now I’ve been using my modified cmd.exe from Excel.

20160209-232633

I’m not releasing this spreadsheet with my cmd code, but I release the VBA code. You can create your own spreadsheet (or Word document) with this VBA file. If you don’t know how, here’s a video:

Tuesday 9 February 2016

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

YouTube Videos:

SANS ISC Diary entries:

Sunday 7 February 2016

Update: numbers-to-hex.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 9:21

A bugfix.

numbers-to-hex_V0_0_2.zip (https)
MD5: 911D2BF2EC0839DD595C48FF4BE5E979
SHA256: 41D5B19E401516CB134521E1F6973A16DBFE491303BD93429EEBE55C0B3AFEF6

Sunday 31 January 2016

Update: cut-bytes.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:01

When searching for a sequence (example [d0cf11e0]), you can now specify the instance to select. [d0cf11e0] finds the first match, [d0cf11e0]1 too, [d0cf11e0]2 find the second match, …

Search string expressions (ASCII and hexadecimal) can be followed by an instance (a number equal to 1 or greater) to indicate which instance needs to be taken. For example, [‘ABC’]2 will search for the second instance of string ‘ABC’. If this instance is not found, then nothing is selected.
Search string expressions (ASCII and hexadecimal) can be followed by an offset (+ or – a number) to add (or subtract) an offset to the found instance. For example, [‘ABC’]+3 will search for the first instance of string ‘ABC’ and then select the bytes after ABC (+ 3).
Finally, search string expressions (ASCII and hexadecimal) can be followed by an instance and an offset.

This will be implemented in my dump tools too.

cut-bytes_V0_0_3.zip (https)
MD5: 211B96F715FD6AB4696D6E58D6DA924D
SHA256: 9D5D38AF1375FFBDE705280F99758FF4C7D9751B81C46D80681740C43D6B94C6

Saturday 30 January 2016

Update: xor-kpa.py Version 0.0.2

Filed under: Encryption,My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to xor-kpa.py.

If you pass a ZIP file to xor-kpa, it will analyze the contained file. The ZIP file can be password protected (password infected).

xor-kpa_V0_0_2.zip (https)
MD5: CA4DB797A7C12E3E81F55D9634EE77BF
SHA256: 76344E06A2C1F121D4CDD1B063DC109E59B9D2351BA5CFDDEE8613DCD220283B

Sunday 24 January 2016

Update: emldump.py Version 0.0.6

Filed under: Malware,My Software,Update — Didier Stevens @ 10:32

A small update to emldump.py to handle (intentionally) malformed MIME files.

20160124-112917

More details in my SANS ISC Diary entry “Obfuscated MIME Files”.

emldump_V0_0_6.zip (https)
MD5: 682793840D895E473647F2A1F85A9867
SHA256: D76BADF2A332C3417BB7DD46B783CE90757DD76648D2313083982BFD74902C41

Saturday 23 January 2016

Update: base64dump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 17:51

A quick update: extended –cut option (like in oledump) and added option -w to ignore whitespace.

base64dump_V0_0_4.zip (https)
MD5: 5864B1AF997EBA6E5F6DD0C3B8ADBE56
SHA256: 1B01023A97361A9DBBB16B9D8851FFD757F03FA3964C0ED72067F9117F283992

Friday 22 January 2016

BlackEnergy .XLS Dropper Puzzle

Filed under: Malware,Puzzle — Didier Stevens @ 0:00

Over at the ISC diary I posted an entry with a puzzle to help you to practice the extraction of an embedded file in a spreadsheet.

This is the image I embedded:

Waterlogue-2016-01-11-20-13-29

Wednesday 20 January 2016

Overview of Content Published In December

Filed under: Announcement — Didier Stevens @ 17:58

Here is an overview of content I published in December:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Thursday 7 January 2016

BlackEnergy .XLS Dropper

Filed under: maldoc,Malware — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed the spreadsheet (97b7577d13cf5e3bf39cbe6d3f0a7732) used in the recent BlackEnergy attacks against Ukrainian news media and electric industry.

numbers-to-hex_V0_0_1.zip (https)
MD5: 9050768633DDADF34900DAB0061F3B24
SHA256: 00B099F3939251F2027F2705AD08AE352C0FC447C86EB3271721FB2935CF71B6

hex-to-bin_V0_0_1.zip (https)
MD5: 18FC870888B333D8B081CE3E31428A1B
SHA256: 17B4257C6951C792FFE64EDDDFF20674AD07DE2699EF066BDF7A548DA09E6592

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 375 other followers