Didier Stevens

Friday 9 December 2016

Update: pecheck.py Version 0.5.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the pefile like resources.

Options -x, -a, -D and -S can be used to dump data (hex, ascii, binary and strings).

pecheck-v0_5_2.zip (https)
MD5: A4FF0507C206535FA9224F65CCD3497D
SHA256: DE4D06F00FD9EC74FD52689B711FBF10F953F14DAFACBDE214E0A4947E60D8A6

Tuesday 6 December 2016

Overview of Content Published In November

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

Monday 28 November 2016

Update: pdf-parser Version 0.6.6

Filed under: Uncategorized — Didier Stevens @ 0:00

This new version of pdf-parser is a bugfix for /FLATEDECODE.

pdf-parser_V0_6_6.zip (https)
MD5: 47326468E1B5A1AF7BB8AD63688804D9
SHA256: 51C9B25B939B135D9949E51463F58ECEC0BEBEFB9C0EAA0B93326CBFB4D8F061

Sunday 27 November 2016

Update: xor-kpa.py Version 0.0.4

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.

xor-kpa_V0_0_4.zip (https)
MD5: FCE75B6125104D8AFC56A67B65FF75C0
SHA256: 3DCCA479D4C8CAC9B248B24F799184A69D0F10403593CB002248DD35CCE60FD4

Tuesday 22 November 2016

Simple Ciphers: cipher-tool.py

Filed under: Encryption,My Software — Didier Stevens @ 0:00

When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.

The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.

cipher-tool_V0_0_1.zip (https)
MD5: B7D44090A76F66D7194D0A0D890E2CEB
SHA256: 1E8E1F112595FC08C3C20A06D172C21DDE6375EC8651A8DE6EF57B938F3E67E8

Monday 21 November 2016

Update: base64dump.py Version 0.0.5

Filed under: My Software,Uncategorized — Didier Stevens @ 0:00

This new version supports different encodings besides base64 (but the name remains base64dump).

The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).

Here’s an example with escaped unicode in JavaScript (%u), namely a PDF with shellcode in JavaScript:

20161118-221959

The shellcode, escaped with %u, can be extracted with base64dump:

20161118-222032

20161118-222049

There’s also a new option to do a string dump: -S

20161118-222059

And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.

base64dump_V0_0_5.zip (https)
MD5: 7AACFD3E34FEAAF41897F60FBC5279A3
SHA256: B4AB7B3A9D2947F08C6CC94F88CD825C9B2B63EE65AF7475E66BE9565EC4337A

Sunday 20 November 2016

Update: zipdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.

zipdump_v0_0_4.zip (https)
MD5: 64EE6575309654B6671554D0A4DA50E5
SHA256: C323C0580E95F87406A72A542A7FBF5DE39EBEF7CAFC970A7C428CA1E870F9CF

Saturday 19 November 2016

Update: byte_stats.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.

byte-stats_V0_0_4.zip (https)
MD5: B53CE5444618DCA78C46C7F72E356D8D
SHA256: 81EFED375FF666BFFDDB82D094ECE17074182F5016FE3BFA4D1CA33DE838754C

Friday 18 November 2016

Update: shellcode2vba.py Version 0.5

Filed under: My Software,Shellcode,Update — Didier Stevens @ 0:00

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:

Option –suffix allows you to instruct the program to add a suffix to the VBA function names.

shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A

Thursday 17 November 2016

Quickpost: Zone.Identifier

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.

notepad install.exe:Zone.Identifier

Text:
[ZoneTransfer]
ZoneId=3


Quickpost info


Next Page »

Blog at WordPress.com.