A month before my PDF training at HITB, it’s time to release new versions of my pdf tools.
I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD:
When you pass a URL as argument, PDFiD will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.
Passing a ZIP file as argument instructs PDFiD to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, PDFiD will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.
This new version of XORSearch comes with a new operation: shifting left.
It comes in handy to reverse engineer protocols like TeamViewer’s remote access protocol.
Here’s an example. When you run TeamViewer, your machine gets an ID:
We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 in this traffic:
And as you can see, XORSearch finds this ID by left-shifting the content of the pcap file with one bit.
I added several new fields to the output produce by my new tool AnalyzePESig:
- issuer unique id
- subject unique id
This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.
Since it was brought to my attention that some AV products detect the version with shellcode, I’m forking the project:
TaskManager.xls has no shellcode injection features, while TaskManagerSC.xls does.
The most important feature in this new version is the pivot table. You can select 2 columns and generate a pivot table for the data in these columns. Here is an example with data from a new tool I’m working on:
FYI: this shows which root certificates are present in the AuthentiCode signatures using MD5 or SHA1.
Here’s a list of changes:
- Quick fix for empty field bugs reported by Troy Larson
- Replaced Copy button in Values form with Copy Values and Copy All
- Added hide doubles column command
- Added Hide column; row counter & timer
- Added Load from clipboard (paste)
- Added Generate…
- Added “Has header row” option, code for version 0.7.3 provided by Patrick Thomas
This new version of USBVirusScan displays a banner when a USB stick is inserted. You specify the text of the banner in text file banner.txt.
Option -b enables this banner and displays it the first time a removable drive is mounted. Option -B displays the banner each time a removable drive is mounted.
You can find this new version here.
I fixed InstalledPrograms as earthsound suggested: now I include 32-bit installations on 64-bit systems (provided you use 64-bit Excel).
I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.
Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.
I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version can take action after a picture is taken. For each picture to retrieve, you can specify a optional program to be executed; this program receives the picture as argument.
Each line in vs.config can have a 5th parameter now: the name of the program to execute:
Hall.jpg http://192.168.1.1/IMAGE.JPG - Thread1 image-compare.py
I use it to start a program that compares the new picture with the previous picture, and warns me if they are significantly different.
I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then).
What I didn’t explain in my first post, is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was send to VirusTotal or served from the local database.
If you want all requests to be send to VirusTotal, regardless of the content of the local database, use option –force.
And if you don’t want to include your API key in the program source code, you have two alternatives:
- use option –key and provide the API key on the command line
- define environment variable VIRUSTOTAL_API2_KEY with the your API key