Here is an overview of content I published in December:
SANS ISC Diary entries:
NVISO Labs blog posts:
I added option -k to search for keys in dictionaries. A usage example can be found in blog post "PDF Analysis: Back To Basics".
I produced 4 videos covering the process hollowing maldoc "Maldoc With Process Hollowing Shellcode".
This new version can produce a compact overview of all the resources in a PE file using option o: -o r. Here is the overview of resources in an exe (malware) created with iexpress:
It contains a cab file with 2 executables, which are executed after extraction (no surprise):
Just a small change in this version: an indicator (O) for streams containing OLE 1.0 embedded data:
And plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.
This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the PE file, like resources.
Options -x, -a, -D and -S can be used to dump data (hex, ASCII, binary and strings).
This new version of pdf-parser is a bugfix for /FLATEDECODE.
This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.
When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.
The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.
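As an added illustration, not code from this blog or from any of the tools above, here is a small Python sketch of the ideas behind the xor-kpa and simple-cipher items: a known-plaintext XOR key search that also copes with a key applied from its second byte on (the case plugin_http_heuristics now detects), and minimal decoders for the XOR, ROT, Vigenère and subtract ciphers. The HTTP request, the key `Secret`, the `Candidate` class and all function names are constructed for this example.

```python
"""Constructed example: xor-kpa style known-plaintext key search plus
decoders for XOR, ROT, Vigenere and subtract. Not the blog's own code."""
from dataclasses import dataclass


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR where key[0] is applied to data[0]."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_encode_from_offset(data: bytes, key: bytes, offset: int) -> bytes:
    """Repeating-key XOR where key[offset] is applied to data[0].
    offset=1 is the 'encoding starts with the second character of the key' case."""
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))


def subtract_decode(data: bytes, key: bytes) -> bytes:
    """Undo a byte-wise repeating-key addition (the 'subtract' cipher)."""
    return bytes((b - key[i % len(key)]) % 256 for i, b in enumerate(data))


def rot_decode(data: bytes, n: int) -> bytes:
    """ROT-n on ASCII letters only; every other byte is left untouched."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 - n) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 - n) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)


def vigenere_decode(text: str, key: str) -> str:
    """Classic Vigenere: letters shift by the key letter, non-letters pass through
    and do not consume a key position."""
    out, k = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[k % len(key)].upper()) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def rotations(key: bytes) -> list:
    """All cyclic rotations of a key; a key applied from its second byte on is
    recovered as a rotation of the original, so the analyst picks the readable one."""
    return [key[i:] + key[:i] for i in range(len(key))]


@dataclass
class Candidate:
    position: int  # offset in the ciphertext where the known plaintext sits
    key: bytes     # key aligned so that key[0] applies to ciphertext[0]


def xor_kpa(ciphertext: bytes, plaintext: bytes) -> list:
    """Known-plaintext attack on repeating-key XOR: slide the plaintext over the
    ciphertext, XOR to get the key stream, and keep positions where that stream is
    periodic. The period must be confirmed by at least as many bytes as its length."""
    hits = []
    for p in range(len(ciphertext) - len(plaintext) + 1):
        stream = bytes(c ^ k for c, k in zip(ciphertext[p:p + len(plaintext)], plaintext))
        for n in range(1, len(stream) // 2 + 1):
            if all(stream[i] == stream[i + n] for i in range(len(stream) - n)):
                # stream[i] is the key byte used at ciphertext index p+i; re-phase it
                # so that the returned key lines up with ciphertext index 0.
                key = bytes(stream[(j - p) % n] for j in range(n))
                hits.append(Candidate(p, key))
                break
    return hits


# Constructed sample: an HTTP request XOR-encoded with 'Secret' starting at its 2nd byte.
MESSAGE = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
KEY = b"Secret"
CIPHER = xor_encode_from_offset(MESSAGE, KEY, 1)

if __name__ == "__main__":
    for hit in xor_kpa(CIPHER, b"HTTP/1.1\r\nHost: "):
        print(hit, "rotations:", rotations(hit.key))
        print(xor_decode(CIPHER, hit.key))
```

The recovered key is `ecretS`, a rotation of the real key, because the encoder started at the second key byte; decoding with the rotated key is nonetheless exact, and listing the rotations lets the analyst spot `Secret`.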