Didier Stevens

Wednesday 3 July 2013

Update: virustotal-search.py

Filed under: My Software,Update — Didier Stevens @ 20:09

Mark Woan reported an issue with virustotal-search.py: sometimes VirusTotal returns a JSON object that the json parser can’t parse.

That’s something I didn’t expect. I’ve added error handling for this case.

virustotal-search_V0_0_9.zip (https)
MD5: FECD02796889CDFE9FA67287F2DE567C
SHA256: 0CE06CBAFC6341835EB8A62377F5C4EB067747EE28E7ED8BB25FD69A4B99FA97

Friday 3 May 2013

VirusTotal: Searching And Submitting

Filed under: Malware,My Software,Update — Didier Stevens @ 8:47

This is an update for virustotal-search.py and a release of a new tool: virustotal-submit.py. I created this new tool because I needed to submit a sample stored in a password protected ZIP-file (not the ZIP-file), without extracting the sample to disk.

To submit a file to VirusTotal, you just run virustotal-submit.py sample.exe.

If you submit a ZIP file, virustotal-submit.py will extract the first file to memory and submit that to VirusTotal. The ZIP file can be password protected with password “infected”. To submit the ZIP file itself, use option -z.

To submit a batch of samples, create a textfile with the name of the files to submit and use option -f.

virustotal-submit.py supports proxies too (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy).

Python module poster is required for this tool.

virustotal-submit_V0_0_1.zip (https)
MD5: 8793C3276822DDE36BA0804D3390AD4D
SHA256: F17B9EEC408833039AE63FCED9F6114F99AADFBE9D547AE88B2C3A6E54AE91B4

Updates to virustotal-search.py:

  • uses json or simplejson module
  • proxies are supported (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy)
  • option -g forces virustotal-search.py to use the local database in the same directory as the program

virustotal-search_V0_0_8.zip (https)
MD5: 011C88A9C9026A32DA473187A64E880C
SHA256: 30711202BB0CD01A17AFA7BB8BBFE1545B6A840BDB91D83C7753300EF7E71A8F

Thursday 21 March 2013

Update: PDFiD Version 0.1.2

Filed under: My Software,PDF,Update — Didier Stevens @ 9:05

This new version is a bugfix version for Python 3 plus I added a new name in the default report: /XFA

pdfid_v0_1_2.zip (https)
MD5: 60FC17757201F014A6ADA0744B74A740
SHA256: 1CF36C50427A2206275C322A8C098CD96A844CAF6077B105ADE9B1974789856F

Wednesday 13 March 2013

Update: pdf-parser Version 0.4.1

Filed under: My Software,PDF,Update — Didier Stevens @ 21:24

From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser:

pdf-parser.py http://example.com/doc.pdf
pdf-parser.py maldoc.zip

When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.

Passing a ZIP file as argument instructs pdf-parser to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, pdf-parser will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.

Further changes are: bug fixes, performance improvement and option –content. This option allows you to view the content of an object without stream or with stream but without filters.

pdf-parser_V0_4_1.zip (https)
MD5: A0314C0CD8AAE376C7448E74D4A7472C
SHA256: 633B7400015B2C936103CC64C37435FB333B0F2634B2A6CD3A8949EAB1D18E9B

Thursday 7 March 2013

Update: PDFiD Version 0.1.0

Filed under: My Software,PDF,Update — Didier Stevens @ 5:00

A month before my PDF training at HITB, it’s time to release new versions of my pdf tools.

I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD:

pdfid.py http://example.com/doc.pdf
pdfid.py maldoc.zip

When you pass a URL as argument, PDFiD will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.

Passing a ZIP file as argument instructs PDFiD to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, PDFiD will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.

pdfid_v0_1_0.zip (https)
MD5: 6A5FF56C22EF2745C3D78C8FD8ACA01F
SHA256: D72FE8555DC89808EE7BFC9F791AD819A465106A95801C09C31B0FD2644B3977

Wednesday 20 February 2013

Update XORSearch V1.8.0: Shifting

Filed under: My Software,OSX,Reverse Engineering,Update — Didier Stevens @ 21:32

This new version of XORSearch comes with a new operation: shifting left.

It comes in handy to reverse engineer protocols like TeamViewer’s remote access protocol.

Here’s an example. When you run TeamViewer, your machine gets an ID:

20-02-2013 22-11-39

We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 in this traffic:

20130216-231230

And as you can see, XORSearch finds this ID by left-shifting the content of the pcap file with one bit.

Tuesday 20 November 2012

Update: AnalyzePESig Version 0.0.0.2

Filed under: Encryption,Forensics,My Software,Update — Didier Stevens @ 20:59

I added several new fields to the output produce by my new tool AnalyzePESig:

  • countCatalogs
  • catalogFilename
  • signatureTimestamp
  • creationtime
  • lastwritetime
  • lastaccesstime
  • dwFileAttributes
  • uiCharacteristics
  • extensions
  • issuer unique id
  • sections
  • subject unique id
  • notBeforeChain
  • notAfterChain

AnalyzePESig_V0_0_0_2.zip (https)
MD5: 738F97F76921FA2220368B3F4190F534
SHA256: E0D43E04AFD242307E3E6B675A650952D2605F45FE55F0B883ACF5B22BA32A01

Thursday 6 September 2012

Update & Split: TaskManager.xls Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 18:38

This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.

Since it was brought to my attention that some AV products detect the version with shellcode, I’m forking the project:

TaskManager.xls has no shellcode injection features, while TaskManagerSC.xls does.

TaskManager_V0_1_4.zip (https)
MD5: FBB30486CF0E7A1BEB7342EF4672DE52
SHA256: 30779E09B5B0D1D1AFE9C33B12EDD0982E775A9FA0B0D2A1189835004750FB5F

TaskManagerSC_V0_1_4.zip (https)
MD5: 61C6657B2E36F3240A67960BCA413E56
SHA256: FAAB1044318A1EB6FEA09109ABDD982CDFFAEE54DC1C81D3416CC2A69DEEEC70

Wednesday 29 August 2012

Update: InteractiveSieve 0.7.6

Filed under: My Software,Update — Didier Stevens @ 13:18

The most important feature in this new version is the pivot table. You can select 2 columns and generate a pivot table for the data in these columns. Here is an example with data from a new tool I’m working on:

FYI: this shows which root certificates are present in the AuthentiCode signatures using MD5 or SHA1.

Here’s a list of changes:

  • Quick fix for empty field bugs reported by Troy Larson
  • Replaced Copy button in Values form with Copy Values and Copy All
  • Added hide doubles column command
  • Added Hide column; row counter & timer
  • Added Load from clipboard (paste)
  • Added Generate…
  • Added “Has header row” option, code for version 0.7.3 provided by Patrick Thomas

InteractiveSieve_V_0_7_6_0.zip (https)
MD5: 37C18D2E41CB311442E033F253818057
SHA256: 5758289A939388FDB73617DAD686EBD2B79D1E48444A772946E7606DAF49DB05

Tuesday 28 August 2012

Update: USBVirusScan 1.7.5

Filed under: My Software,Update — Didier Stevens @ 18:56

This new version of USBVirusScan displays a banner when a USB stick is inserted. You specify the text of the banner in text file banner.txt.

Option -b enables this banner and displays it the first time a removable drive is mounted. Option -B displays the banner each time a removable drive is mounted.

You can find this new version here.

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 238 other followers