Sunday 7 February 2016
Sunday 31 January 2016
When searching for a sequence (example [d0cf11e0]), you can now specify the instance to select. [d0cf11e0] finds the first match, [d0cf11e0]1 too, [d0cf11e0]2 finds the second match, …
Search string expressions (ASCII and hexadecimal) can be followed by an instance (a number equal to 1 or greater) to indicate which instance needs to be taken. For example, [‘ABC’]2 will search for the second instance of string ‘ABC’. If this instance is not found, then nothing is selected.
Search string expressions (ASCII and hexadecimal) can be followed by an offset (+ or – a number) to add (or subtract) an offset to the position of the found instance. For example, [‘ABC’]+3 will search for the first instance of string ‘ABC’ and then start the selection 3 bytes further, i.e. at the byte immediately after ABC (+3).
Finally, search string expressions (ASCII and hexadecimal) can be followed by an instance and an offset.
This will be implemented in my dump tools too.
Saturday 30 January 2016
I added support for ZIP files to xor-kpa.py.
If you pass a ZIP file to xor-kpa, it will analyze the contained file. The ZIP file can be password protected (password infected).
Sunday 24 January 2016
A small update to emldump.py to handle (intentionally) malformed MIME files.
More details in my SANS ISC Diary entry “Obfuscated MIME Files”.
Saturday 23 January 2016
A quick update: extended --cut option (like in oledump) and added option -w to ignore whitespace.
Saturday 2 January 2016
shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 3 new options:
Option --nocreatethread allows you to instruct the program not to add the VBA code to create a new thread.
Option --writememory: from now on, the VBA code uses RtlMoveMemory instead of WriteProcessMemory. To use WriteProcessMemory, use option --writememory process.
Option --start allows you to specify the name of the start function (ExecuteShellCode by default).
Monday 21 December 2015
Some changes when you use the --raw option. Now plugins can also be used when the VBA code is corrupted.
Sunday 29 November 2015
A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-0x100 selects the whole stream except the last 256 bytes.
Saturday 28 November 2015
A small update: I added option -s (separator) so that you can choose your CSV separator.
Sunday 22 November 2015
A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 selects the whole file except the last 5 bytes.
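As an added illustration of the cut-expression syntax described in the entries above (the search-string instance and offset from 31 January, and the negative second term from 29 and 22 November), here is my own Python reading of it; it is not the parser from oledump or the dump tools. It assumes straight quotes around ASCII strings, a start:end form with an exclusive end, and that a search which finds nothing selects nothing.

```python
import re

# Constructed grammar (my reading of the blog entries, not the tools' own parser):
#   term   := INT | '[' HEX ']' SUFFIX | "['" ASCII "']" SUFFIX
#   SUFFIX := INSTANCE? OFFSET?   (INSTANCE >= 1, OFFSET is +N or -N, N decimal or 0x-hex)
#   INT may be decimal or 0x-hex; a negative INT counts back from the end of the data.
SEARCH_RE = re.compile(
    r"^\[(?:'(?P<ascii>[^']*)'|(?P<hex>[0-9A-Fa-f]+))\]"
    r"(?P<instance>\d+)?(?P<offset>[+-](?:0x[0-9A-Fa-f]+|\d+))?$"
)


def find_instance(data: bytes, needle: bytes, instance: int):
    """Return the index of the instance-th (1-based) occurrence of needle, or None."""
    if instance < 1:
        raise ValueError("instance must be 1 or greater")
    pos = -1
    for _ in range(instance):
        pos = data.find(needle, pos + 1)
        if pos == -1:
            return None
    return pos


def resolve_term(data: bytes, term: str):
    """Resolve one term of a cut-expression to a byte position (None if a search fails)."""
    m = SEARCH_RE.match(term)
    if m is None:
        value = int(term, 0)  # plain number: decimal or 0x... hex
        return value if value >= 0 else len(data) + value
    needle = m["ascii"].encode() if m["ascii"] is not None else bytes.fromhex(m["hex"])
    instance = int(m["instance"]) if m["instance"] else 1
    pos = find_instance(data, needle, instance)
    if pos is None:
        return None
    return pos + int(m["offset"], 0) if m["offset"] else pos


def cut(data: bytes, expression: str) -> bytes:
    """Apply 'start:end' to data; an empty term means 'from the beginning' / 'to the end'."""
    start_term, _, end_term = expression.partition(":")
    start = 0 if start_term == "" else resolve_term(data, start_term)
    end = len(data) if end_term == "" else resolve_term(data, end_term)
    if start is None or end is None:
        return b""  # instance not found: nothing is selected
    return data[start:end]


# Constructed sample data: two 'ABC' strings followed by an OLE magic sequence.
SAMPLE = b"xxABCyyABCzzd\xd0\xcf\x11\xe0end"
```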