This new version of virustotal-search.py accepts input from stdin.
Sunday 23 October 2016
Saturday 22 October 2016
I added dumps to this new version of cut-bytes.py:
Monday 17 October 2016
This new version has a couple of new options (--decoderdir and --plugindir) and a bugfix.
Friday 14 October 2016
There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don't have the time to convert the decoding routine to Python, and then I use the VBA interpreter in Excel instead. But I have to be careful to only decode the payload, not execute it. In the following video, I show how I do this.
Friday 7 October 2016
I produced 3 videos to show you how to use my rtfdump.py tool to analyze (malicious) RTF files.
Here is a video for sample 07884483f95ae891845caf0d50ce507f:
Here is a video for sample 4483ad299158eb54f6ff58b5346a36ee:
Monday 3 October 2016
Here is an overview of content I published in September:
- Update: translate.py Version 2.3.1
- decoder-search.py Beta
- Quickpost: Enhancing Radare2 Disassembly Listing
- Malware: Process Explorer & Procmon
- Malware: FakeNet-NG
- Maldoc VBA: .pub File
- Maldoc VBA: decoder.xls
- Maldoc VBA: Shellcode
SANS ISC Diary entries:
Friday 30 September 2016
I threw a program together to add information to Radare2 disassembly listings: radare2-listing.py. I’m putting it in beta, because I hope there is another way to do this in Radare2 (e.g. without a program). So if you know of a better way to do this, please post a comment.
The tool looks for text pushed onto the stack and adds a comment with the string built up on the stack.
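To illustrate what such a listing annotator has to do, here is an added example (my own code, not radare2-listing.py): it scans a constructed x86 disassembly listing for runs of push instructions with immediate operands, reassembles the bytes in stack order (the last push lands at the lowest address, so the chunks are read back to front, up to the first NUL), and appends the recovered string as a comment. The listing format and the min_len threshold are assumptions for the example.

```python
import re
import struct

# Constructed sample listing (not from the page): the four pushes build the
# string "kernel32.dll\0" on the stack before the LoadLibraryA call.
SAMPLE_LISTING = """\
0x00401000  55              push ebp
0x00401001  8bec            mov ebp, esp
0x00401003  6a00            push 0
0x00401005  682e646c6c      push 0x6c6c642e
0x0040100a  68656c3332      push 0x32336c65
0x0040100f  686b65726e      push 0x6e72656b
0x00401014  54              push esp
0x00401015  ff1500204000    call dword [sym.imp.kernel32.dll_LoadLibraryA]
"""

# A push with an immediate operand (hex or decimal); "push esp"/"push ebp" don't match.
PUSH_IMM = re.compile(r"\bpush\s+(0x[0-9A-Fa-f]+|\d+)\s*$")


def parse_imm(text):
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def imm_to_bytes(value):
    """A push imm32 stores the value little-endian, so that is the memory layout."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def decode_run(values, min_len=3):
    """Reassemble immediates pushed in program order into the string they form
    on the stack.  The last push is at the lowest address, hence reversed();
    the string ends at the first NUL and must be printable ASCII."""
    raw = b"".join(imm_to_bytes(v) for v in reversed(values))
    raw = raw.split(b"\x00", 1)[0]
    if len(raw) < min_len or not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def recover_stack_strings(listing, min_len=3):
    """Return (line_index, string) for each run of push-immediates that spells
    a printable string; line_index is the last push of the run (0-based)."""
    results = []
    run, run_end = [], None
    for idx, line in enumerate(listing.splitlines()):
        m = PUSH_IMM.search(line)
        if m:
            run.append(parse_imm(m.group(1)))
            run_end = idx
            continue
        if run:  # a non-push instruction ends the run
            s = decode_run(run, min_len)
            if s is not None:
                results.append((run_end, s))
            run = []
    if run:
        s = decode_run(run, min_len)
        if s is not None:
            results.append((run_end, s))
    return results


def annotate_listing(listing, comment_column=48):
    """Append a ; "string" comment to the last push of every recovered run."""
    lines = listing.splitlines()
    for idx, s in recover_stack_strings(listing):
        lines[idx] = lines[idx].ljust(comment_column) + '; "%s"' % s
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(annotate_listing(SAMPLE_LISTING), end="")
```

Pushes of register operands or calls break a run, so a string interleaved with other instructions is not recovered; that is the same limitation a simple pattern-based annotator has, and one reason to prefer a native radare2 feature if one exists.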
Wednesday 28 September 2016
I've been developing a new Python program similar to XORSearch. decoder-search.py does brute-forcing and searching of a file like XORSearch, but instead of simple operations like XOR, ROL, … it can handle more complex translations. Templates for these translations have to be provided in a configuration file, for example like this:
expression ((byte + %i1:1-10%) ^ %i2:1-32%) % 0x100
This template specifies a translation expression that adds a number to each byte in the file, and then XORs the sum. The first integer added to each byte is brute-forced from 1 to 10 (%i1:1-10%), and the second integer used for the XOR operation is brute-forced from 1 to 32 (%i2:1-32%). Such an encoding has been used in the latest Hancitor maldoc samples.
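Here is an added example of how such a template can be expanded and brute-forced. It is my own illustration, not the parser in decoder-search.py: it turns each %iN:lo-hi% placeholder into a variable, evaluates the expression for every combination of values, and searches the translated bytes for a keyword. The sample data is constructed in the script by applying the inverse of the template (the parameter values 7 and 19, and the URL, are made up).

```python
import itertools
import re

PLACEHOLDER = re.compile(r"%i(\d+):(\d+)-(\d+)%")

# The template from the blog post, unchanged.
TEMPLATE = "((byte + %i1:1-10%) ^ %i2:1-32%) % 0x100"


def parse_template(template):
    """Replace each %iN:lo-hi% with a variable iN and record its inclusive range."""
    ranges = {}

    def repl(m):
        name = "i" + m.group(1)
        ranges[name] = range(int(m.group(2)), int(m.group(3)) + 1)
        return name

    expression = PLACEHOLDER.sub(repl, template)
    return expression, ranges


def translate(data, expression, params):
    """Apply the byte-level expression to every byte of data.
    The expression comes from an analyst-written config file, so eval with
    an empty __builtins__ is acceptable here; never do this with untrusted input."""
    code = compile(expression, "<template>", "eval")
    env = dict(params)
    out = bytearray()
    for byte in data:
        env["byte"] = byte
        out.append(eval(code, {"__builtins__": {}}, env) & 0xFF)
    return bytes(out)


def search(data, template, needle, context=40):
    """Brute-force all placeholder combinations; return (params, offset, snippet)
    for every combination whose translated output contains needle."""
    expression, ranges = parse_template(template)
    names = list(ranges)
    hits = []
    for combo in itertools.product(*(ranges[n] for n in names)):
        params = dict(zip(names, combo))
        decoded = translate(data, expression, params)
        pos = decoded.find(needle)
        if pos != -1:
            hits.append((params, pos, decoded[pos:pos + context]))
    return hits


def encode_like_sample(plain, i1, i2):
    """Inverse of TEMPLATE, used only to construct test data:
    encoded = ((plain ^ i2) - i1) mod 256, so ((encoded + i1) ^ i2) mod 256 == plain."""
    return bytes(((b ^ i2) - i1) & 0xFF for b in plain)


# Constructed sample: a made-up URL encoded with i1=7, i2=19.
PLAINTEXT = b"\x00\x00\x00http://example.invalid/ls5/gate.php\x00\x00"
SAMPLE = encode_like_sample(PLAINTEXT, 7, 19)


if __name__ == "__main__":
    for params, offset, snippet in search(SAMPLE, TEMPLATE, b"http://"):
        print(params, hex(offset), snippet)
```

The inclusive ranges give 10 × 32 = 320 combinations for this template, which is why a keyword search rather than a manual review of each output is the practical way to spot the right parameters.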
And here is the result on a sample that contains encoded URLs:
For me this tool is still in beta phase, because I might change the format of the configuration file in later versions, without providing backwards compatibility. You can find it in my GitHub Beta repository.
Monday 19 September 2016
I needed to decompress the content of a Flash file (.swf). I thought of using my translate.py program with a command to inflate (zlib) the content (minus the header of 8 bytes): lambda b: zlib.decompress(b[8:])
Quite simple, but the problem is that translate.py doesn't import zlib. That import is needed, but an import statement can't be placed inside a lambda expression. So I added option -e (execute) to execute extra statements:
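The one-liner is enough for a well-formed file; when a sample is truncated or has a bogus header, a small standalone decompressor that checks the header is more useful. This is an added example (my own code, not translate.py): it reads the 8-byte SWF header (signature, version, declared uncompressed length including the header), inflates a CWS body with a streaming decompressor so a truncated stream still yields partial data, and reports whether the declared length matches. The sample SWF is constructed in the script; LZMA-compressed ZWS files are not handled.

```python
import struct
import zlib

SWF_HEADER = struct.Struct("<3sBI")   # signature, version, uncompressed file length


def build_swf(body, version=10, compress=True, declared_len=None):
    """Construct an SWF for testing. declared_len lets a test write a bogus header."""
    if declared_len is None:
        declared_len = SWF_HEADER.size + len(body)
    sig = b"CWS" if compress else b"FWS"
    payload = zlib.compress(body) if compress else body
    return SWF_HEADER.pack(sig, version, declared_len) + payload


def inflate_swf(data):
    """Parse the SWF header and return the uncompressed body plus sanity flags."""
    if len(data) < SWF_HEADER.size:
        raise ValueError("too short for an SWF header")
    sig, version, declared_len = SWF_HEADER.unpack_from(data, 0)
    payload = data[SWF_HEADER.size:]
    stream_complete = True
    if sig == b"FWS":
        body = payload
    elif sig == b"CWS":
        # decompressobj, not zlib.decompress: a cut-off stream returns what
        # could be inflated instead of raising, and eof tells us it was cut.
        d = zlib.decompressobj()
        body = d.decompress(payload)
        stream_complete = d.eof
    elif sig == b"ZWS":
        raise ValueError("LZMA-compressed SWF (ZWS) is not handled by this example")
    else:
        raise ValueError("not an SWF signature: %r" % sig)
    return {
        "signature": sig,
        "version": version,
        "declared_len": declared_len,
        "body": body,
        # The declared length counts the 8-byte header as well.
        "length_ok": declared_len == SWF_HEADER.size + len(body),
        "stream_complete": stream_complete,
    }


# Constructed sample body (not a real Flash file): compressible, non-trivial bytes.
SAMPLE_BODY = b"constructed SWF body: " + bytes(range(256)) * 4


if __name__ == "__main__":
    info = inflate_swf(build_swf(SAMPLE_BODY))
    print(info["signature"], info["version"], len(info["body"]), info["length_ok"], info["stream_complete"])
```

A length mismatch or an incomplete stream on a sample is worth noting in the analysis: it usually means the file was cut during exfiltration or carving, or that the header was patched, rather than that the decompressor is wrong.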
Sunday 18 September 2016
Here is an overview of content I published in August:
- rtfdump: Update And Videos
- Howto CreateCertGUI: Create Your Own Certificate On Windows (OpenSSL Library)
- mimikatz: Golden Ticket + DCSync
- Video: mimikatz: Golden Ticket + DCSync
- Update: xor-kpa.py Version 0.0.3 With Man Page
- Update: rtfdump Version 0.0.4
- oledump xor kpa
- ntds.dit: Mimikatz Golden Ticket & DCSync
- Visual Studio 2013 & OpenSSL
- Visual Studio 2013 & MFC
- Maldoc: numbers-to-string.py
- Training: Attacking with Excel
SANS ISC Diary entries: