Didier Stevens

Sunday 29 May 2016

Update: pecheck.py Version 0.5.1

Filed under: My Software,Update — Didier Stevens @ 10:12

This version offers more info about the overlay:


pecheck-v0_5_1.zip (https)
MD5: F045A67AC1ECCF129030DFCE316383A9
SHA256: 9F6EFD34455D530BD3A867FEDD40C1E9538E8B7299E538AAC73D936EDF9904EF

Saturday 21 May 2016

Update: pecheck.py Version 0.5.0

Filed under: My Software,Update — Didier Stevens @ 20:46

This version of pecheck adds support for YARA rules and overlays.


pecheck-v0_5_0.zip (https)
MD5: B873F8B5F6D408E4026010F010EA5FC4
SHA256: 7FCE12A8B10BEFF0C991B652CEDE376C187E74F23C603BF1A9250C9E7756AB48

Monday 16 May 2016

New YARA Rule: PE_File_pyinstaller

Filed under: Malware,My Software — Didier Stevens @ 0:00

This is a YARA rule to detect PE files that were created with PyInstaller (a tool to convert Python programs to binary executables).

More info in my ISC Diary entry: Python Malware – Part 1.

  Version 0.0.1 2016/05/14
  Source code put in public domain by Didier Stevens, no Copyright
  Use at your own risk

  Shortcomings, or todo's ;-) :

    2016/05/14: start

import "pe"

rule PE_File_pyinstaller
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect PE file produced by pyinstaller"
        $a = "pyi-windows-manifest-filename"
        pe.number_of_resources > 0 and $a

yara-rules-V0.0.8.zip (https)
MD5: 83D10B0A18D3F8E2C744B8FEA10F5E67
SHA256: 2D47165757F909440F6D1A95FF5C0EA1355B355AE7475D2A0CF821D3B9A6235A

Sunday 15 May 2016

Update: emldump.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 11:29

Small changes in this version to handle obfuscation.

emldump_V0_0_9.zip (https)
MD5: 752A6F06290E2A35ACB4C564FA7D72C5
SHA256: 52CA4FB61B3B6FD9AECBA974AB73DCFA5D667086EBE7FDC84DE6F90E4DCC6853

Tuesday 10 May 2016


Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

This is a new script for 010 Editor. Like my XORSelection.1sc script, it encodes/decodes with the XOR operator.

The encoding method is as follows: the values of byte 1 and 2 are XORed and the result is stored as byte 2. Then this result (byte 2) is XORed with the value of byte 3, and that result is stored as byte 3. This goes on until all selected bytes are encoded.

Decoding is similar, but from right to left.

The script takes 2 parameters:

  1. Moving XOR is performed from left-to-right (L) or from right-to-left (R).
  2. The offset of the “previous” byte to XOR with the current byte (default -1).



The result:


MovingXORSelection_V1_0.zip (https)
MD5: C0B069044E0CA64856B74DE03250F837
SHA256: CE4D0F139728DBCD7F3B817BB3B610FFAA893B3B5BDF73715345EE170166F36C

Monday 9 May 2016

Overview of Content Published In April

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in April:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Friday 6 May 2016

Update: numbers-to-hex.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

To deal with a particular maldoc sample, I added an option to numbers-to-hex.py to deal with signed bytes (negative and positive numbers used to represent byte values).

Here is a video:

The manual:

Usage: numbers-to-hex.py [options] [[@]file ...]
Program to convert decimal numbers into hex numbers

@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -i, --ignore          Do not generate an error when a number larger than 255
                        is found
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers per line (1 by default)
  -s, --signed          Numbers are signed bytes: add 256 if negative


This program reads lines from the given file(s) or standard input, and
then extracts decimal numbers from each line. A decimal number is a
sequence of digits (optionally prefixed with a dash - for negative
numbers). All numbers found in a line are converted to hexadecimal and
outputed as a line. Hexadecimal numbers are separated by a space
character. If a number is smaller than 0 or larger than 255/0xFF, an
error is generated, except when option -i is used.
Option -s (--signed) indicates that the input numbers are signed
bytes: -1 is 0xFF, -2 is 0xFE, ...
Option -n NUMBER (--number) requires that at least NUMBER numbers are
present in the input line (the default is 1 number).

The hexadecimal numbers are written to standard output, except when
option -o is used. When option -o is used, the numbers are written to
the file specified by option -o.

numbers-to-hex_V0_0_3.zip (https)
MD5: EB8CE35EA272042211B1EADBE4606BE2
SHA256: 1CE2E7C6EF930C56024C0313C9FCE6E96A7FA6FC07893EAF06ACCC05A3D2C528

Blog at WordPress.com.