Didier Stevens

Tuesday 24 April 2018

SpiderMonkey and STDIN

Filed under: Malware,My Software — Didier Stevens @ 0:00

With most of my tools, I try to support input via STDIN.

It’s also possible to provide JavaScript scripts for parsing to SpiderMonkey via STDIN. You can pass filename – to js for processing STDIN input:

I often store malware in password protected ZIP files, these files can be analyzed too provided you use zipdump.py:

And with option -e, it’s also possible to change output type via the command line:

Sunday 22 April 2018

Update: python-per-line.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 10:46

This new version brings new output features. For example, you can use the output option (-o) to output simultaneously to the console and a file:


-o result.txt will write the output to file result.txt, and nothing to the console

-o #c#result.txt will write the output to file result.txt and to the console

For all the details, consult the man page: python-per-line.py -m

python-per-line_V0_0_4.zip (https)
MD5: FE8E875E2A7B8CD89FCAAB3B5830206C
SHA256: 7A6DACBAFC13DDE164F2AAB49DA766613F23BE78FF9BCAF5392EEA01F71620D0

Thursday 19 April 2018

Update: Patched SpiderMonkey

Filed under: My Software,Update — Didier Stevens @ 0:00

I was showing a colleague how to use my patched SpiderMonkey to analyze obfuscated JavaScript, when I realized I had not yet released my latest version.

SpiderMonkey is an opensource JavaScript interpreter. I modified it to help with malware analysis. For example, my version will dump the argument of the eval function, and I’ve implemented document.write and window.navigate (dumping arguments too).

This latest version was developed a couple of years ago (that’s why it’s still based on SpiderMonkey 1.7) to dump arguments to stdout. Previous versions of my patched SpiderMonkey dump arguments to files, in this latest version, you can choose were to dump the arguments. A method was added to object document: document.output(arg). This output method takes one argument: a string. The following values may be used as argument:

  • ‘a’ ASCII/HEX dump
  • ‘x’ HEX dump
  • ‘d’ raw dump
  • ‘A’ pure ASCII/HEX dump
  • ‘x’ pure HEX dump
  • ‘d’ pure raw dump
  • ‘f’ file dump

The ZIP file you can download contains source code and executables for Windows, Linux and OSX. There are 2 versions: js-ascii.exe and js-file.exe. Both are identical, except for their default output behavior. js-file.exe will output arguments by default to files (and thus behave like previous versions of SpiderMonkey) and js-ascii.exe will output arguments by default as ASCII/HEX dump to the console.

I prefer to use js-ascii.exe now, and I’ve renamed it to js.exe (like previous versions).

The ASCII/HEX dump allows me to see exactly, at the byte-level, what is passed as argument to eval.

js-1.7.0-mod-c.zip (https)
MD5: B14B522E81366D6AAF3B7EB235B62707
SHA256: 2CCB2F57DF706A8EE689C54B18A0EA7BB052EF08BA233F1319119825DB32927B

Tuesday 17 April 2018

Update: hash.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of hash.py brings a small change to the output for option -c and adds option -s to skip specified hashes.

hash_V0_0_3.zip (https)
MD5: CB4BCB40CA50ED23AC7E47510B308811
SHA256: 6C3C44C5B98C7C7415E332D15B6EA887CD54170DADDDC726B3544F1696F4E324

Monday 16 April 2018

Update: XORSelection.1sc Version 4.0

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 0:00

XORSelection is a 010 Editor script I wrote some time ago, and it is included in the 010 Editor script repository. You provided it with an XOR key (ASCII or HEX), and then it will XOR-encode the file (or selection) open in 010 Editor.

I discovered it will not work properly if the hexadecimal key contains a NULL byte (0x00). This is fixed in this new version.

This new version also allows whitespace characters when an hexadecimal key is provided (hexadecimal keys start with 0x).

XORSelection_V4_0.zip (https)
SHA256: 22E60E10BC99BD24A408C12CC674858DB6F318088CD34B7C70782833401AACF2

Tuesday 3 April 2018

Quickpost: Email Server Simulator

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I needed an email server simulator to test a script I’m writing (a simple email honeypot), and found GreenMail.

It’s a Java application and can thus run on Windows too:

This is the command I used:

java -Dgreenmail.setup.test.all -Dgreenmail.users=testuser1:P#ssw0rd@example.com,testuser2:P#ssw0rd@example.com -Dgreenmail.verbose -Dgreenmail.auth.disabled -jar greenmail-standalone-1.5.7.jar

This command starts all servers (SMTP, POP3, IMAP) on the default ports + 3000 (3025, 3110, …).

I configured 2 user mailboxes, enabled verbosity and disabled authentication.

To send emails to my script, I used Outlook:

Since everything is running on the same machine using localhost (, I’m using Npcap so that I can capture loopback traffic with Wireshark (WinPcap can not capture loopback traffic).


Quickpost info

Monday 2 April 2018

Update: xmldump.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small bugfix version.

xmldump_V0_0_3.zip (https)
MD5: 70D67100DDD30F6178C3E06B7CE97329
SHA256: C0A3199EA69494962CAC6EC3BA3AD47130BE5BB3D9D7D330579856AC9C314BF0

Sunday 1 April 2018

Overview of Content Published In March

Filed under: Announcement — Didier Stevens @ 11:11

Here is an overview of content I published in March:

Blog posts:

SANS ISC Diary entries:

Thursday 29 March 2018


Filed under: My Software — Didier Stevens @ 0:00

On Windows, CTRL-Z is the end-of-file character for text files.

A friend of mine had the following problem with my tools:

The “Broken pipe” error occurs because 1) zipdump.py -D is dumping the content of all files as binary data and 2) re-search.py is reading this binary data as a text file. Whenever zipdump.py outputs a CTRL-Z character, re-search.py interprets this as end-of-file, terminates, therefor the pipe is closed, and zipdump is left with a broken pipe.

To prevent this, use option -f to make re-search read its input as a binary file:

Tuesday 27 March 2018

Quickpost: Using Suricata on Windows

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

I like to be able to get work done, regardless of the machine I’m using. That’s why I installed Suricata on Windows to help me develop rules.

Here is the process:

Installing Suricata with default settings:

Now that I installed Suricata in the programs folder, I’m going to create a folder with my configurations, rules and test captures. Let’s say that folder is C:\Suricata.

In that folder, I create folders log, rules and projects.

In folder rules, I copy the content of the rules folder in the Suricata programs directory.

threshold.config is an empty file, and suricata.yaml is a copy of suricata.yaml found inside the Suricata programs directory.

You can find the modifications I make to suricata.yaml on GitHub. Of course, you can make more configuration changes, this is just a minimum.

Then, for each project or test, I create a folder in folder projects. Like this mimikatz folder:

I use the following BAT file to start Suricata with my rules and my capture file:

“C:\Program Files (x86)\Suricata\suricata.exe” -c ..\..\suricata.yaml -S mimikatz.rules -l logs -k none -v -r drsuapi-DsGetNCChanges.pcap

With option -S I use my rule file mimikatz.rules (exclusively, no other rule file will be loaded), option -l logs uses my local logs directory to write the log files, -k none disable checksum checks, -v means verbose and -r .pcap reads my capture file for processing by Suricata.

If you get this error:

you need to install WinPcap. Here is the installation with default options:

Then you will get output like this:

When you use option -s in stead of -S, your rule will be loaded together with the rules configured in the configuration file. This will give you warnings, because the rule files are missing:

You can download rules from Emerging Threats and extract the files from the rules folder to your C:\Suricata\rules folder.

Of course, you can also process your capture file without explicit rule:

Please post a comment if you want to share your own preferred configuration options.


Quickpost info

Next Page »

Blog at WordPress.com.