I added option -k to search for keys in dictionaries. A usage example can be found in blog post “PDF Analysis: Back To Basics“.
pdf-parser_V0_6_7.zip (https)
MD5: D04D7DA42F3263139BC2C7E7B2621C91
SHA256: ED863DE952A5096FF4BE0825110D2726BA1BE75A7A6717AF0E6A153B843E3B78
I produced 4 videos covering the process hollowing maldoc “Maldoc With Process Hollowing Shellcode“.
This new version can produce a compact overview of all the resources in a PE file using option o: -o r. Here is the overview of resources in an exe (malware) created with iexpress:
It contains a cab file with 2 executables, which are executed after extraction (no surprise):
pecheck-v0_6_0.zip (https)
MD5: D3A9C71AAF63D83884B4FEF2C2C21D03
SHA256: 08DB82F190AEEB065A65FEE0DD03D20B0CC788878C4864B537BBD1807E4D6B71
Just a small change in this version: an indicator (O) for streams containing OLE 1.0 embedded data:
And plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.
oledump_V0_0_26.zip (https)
MD5: 62030DEC6DBC2F69A37893FF1624F8EE
SHA256: A0DE8FD414A0B78FE8D72CAA58D8FA15159A7ABEA9842181C4C3C4EC1DE2EEC5
This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the pefile like resources.
Options -x, -a, -D and -S can be used to dump data (hex, ascii, binary and strings).
pecheck-v0_5_2.zip (https)
MD5: A4FF0507C206535FA9224F65CCD3497D
SHA256: DE4D06F00FD9EC74FD52689B711FBF10F953F14DAFACBDE214E0A4947E60D8A6
Here is an overview of content I published in November:
Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:
NVISO Labs blog posts:
Didier Stevens 