This is an update for virustotal-search.py and a release of a new tool: virustotal-submit.py. I created this new tool because I needed to submit a sample stored in a password protected ZIP-file (not the ZIP-file), without extracting the sample to disk.
To submit a file to VirusTotal, you just run virustotal-submit.py sample.exe.
If you submit a ZIP file, virustotal-submit.py will extract the first file to memory and submit that to VirusTotal. The ZIP file can be password protected with password “infected”. To submit the ZIP file itself, use option -z.
To submit a batch of samples, create a text file with the names of the files to submit and use option -f.
virustotal-submit.py supports proxies too (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy).
Python module poster is required for this tool.
Updates to virustotal-search.py:
- uses json or simplejson module
- proxies are supported (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy)
- option -g forces virustotal-search.py to use the local database in the same directory as the program
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the sixth one.
This script does the opposite of js-unicode-escape.1sc: a Unicode-escape encoded string is decoded to bytes.
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fifth one.
010 Editor has different functions to copy bytes from a file: as raw bytes, as hex, as base64, …
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fourth one.
pecheck.py is a wrapper for pefile, but this version has a new feature: check a PE file stored in a (password protected) ZIP file (password infected).
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the third one.
010 Editor has a search feature with wildcards (like FC 01 * 10 CF), but no search and replace with wildcards (like FC 01 * 10 CF -> FD 02 * 20 DF). This script implements such a feature.
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the second one.
fuzzer.1sc is a 010 Editor script that implements a simple fuzzer. It overwrites bytes in a file or selection. A selection is particularly useful combined with a template. For example, with a couple of clicks you can fuzz the control structures of a JPEG image.
4 parameters (number of fuzz sequences to overwrite, minimum length and maximum length of a sequence, and the fuzz character) allow you to control the random overwriting process.
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the first one.
shift.1sc is a 010 Editor script that allows you to shift bytes in a file or selection.
XORStrings is best described as the combination of my XORSearch tool and the well-known strings command.
XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding/key, XORStrings will search for strings and report the number of strings found, the average string length and the maximum string length. The report is sorted by the number of strings found, but can also be sorted by the maximum string length (use option -m). By default, the string terminator is 0x00, but you can provide your own with option -t, like the space character (0x20) in this example:
I’ve used XORStrings to identify the encoding used in TeamViewer traffic.
There are more options than the ones I mentioned here. I’ll create a dedicated page for this tool, but for now, I invite you to discover the options yourself.
This new version is a bugfix version for Python 3 plus I added a new name in the default report: /XFA
From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser:
When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.
Passing a ZIP file as argument instructs pdf-parser to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, pdf-parser will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.
Further changes are: bug fixes, performance improvement and option --content. This option allows you to view the content of an object without stream or with stream but without filters.