Didier Stevens

Wednesday 19 July 2017

Update:zipdump.py Version 0.0.11

Filed under: My Software, Update — Didier Stevens @ 22:20

Sometimes I just need to search for a string in the files of a ZIP container, and for that I need to create a small YARA rule.

With this new version, I can let zipdump generate the rule; I just need to provide the string. The value provided to option -y needs to start with #s# (s stands for string). Here is an example where I search for string HUBBLE:

zipdump_v0_0_11.zip (https)
MD5: E97E0191757230D2C7F9109B91636BF7
SHA256: 6640F971F61F7915D89388D3072854C00C81C47476A96CAC7BE6740DA348467B
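The #s# convention described above, as an added example that is not zipdump's own code: it turns a "#s#<string>" specification into a one-string YARA rule and scans every member of a ZIP container with it. The exact rule text and the fallback byte search (used only when yara-python is not installed) are my assumptions, not taken from zipdump; the sample ZIP is constructed in memory.

```python
import io
import re
import zipfile

def build_rule(spec: str) -> str:
    """Return YARA rule source; '#s#TEXT' becomes a one-string rule (assumed format)."""
    if spec.startswith("#s#"):
        # Escape backslashes and double quotes so TEXT is a valid YARA text string.
        text = spec[3:].replace("\\", "\\\\").replace('"', '\\"')
        return 'rule string {strings: $a = "%s" condition: $a}' % text
    return spec  # anything else is treated as complete YARA rule source

def member_matches(data: bytes, spec: str) -> bool:
    """Match one ZIP member's bytes against the rule built from spec."""
    rule_source = build_rule(spec)
    try:
        import yara  # yara-python, when installed
        return bool(yara.compile(source=rule_source).match(data=data))
    except ImportError:
        # Fallback without yara-python: a '#s#' rule is a single quoted
        # string, so a plain byte search is equivalent to what it matches.
        m = re.search(r'\$a = "((?:[^"\\]|\\.)*)"', rule_source)
        if m is None:
            raise
        needle = m.group(1).replace('\\"', '"').replace("\\\\", "\\").encode()
        return needle in data

def scan_zip(zip_bytes: bytes, spec: str) -> list:
    """Return the names of container members that match spec."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if member_matches(zf.read(info), spec):
                hits.append(info.filename)
    return hits

def sample_zip() -> bytes:
    """Constructed sample: a .docx-like ZIP; only word/document.xml contains HUBBLE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:t>Look at the HUBBLE image</w:t>")
        zf.writestr("word/styles.xml", "<w:styles/>")
    return buf.getvalue()

if __name__ == "__main__":
    print(build_rule("#s#HUBBLE"))
    print(scan_zip(sample_zip(), "#s#HUBBLE"))
```

Because the members are deflated, the same search run on the container file itself would not see the string; scanning member by member is the point of the tool.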

12 Comments »

  1. […] I did with zipdump, this oledump version now also supports YARA rules provided via the command-line (# and […]

    Pingback by Update: oledump.py Version 0.0.28 | Didier Stevens — Thursday 20 July 2017 @ 18:45

  2. […] He updated zipdump to version 0.0.11, adding the ability to auto-generate a YARA rule based off a string, and then search a zip file. Update:zipdump.py Version 0.0.11 […]

    Pingback by Week 29 – 2017 – This Week In 4n6 — Sunday 23 July 2017 @ 11:09

  3. […] Update:zipdump.py Version 0.0.11 […]

    Pingback by Overview of Content Published In July | Didier Stevens — Tuesday 1 August 2017 @ 21:52

  4. […] oledump.py, zipdump.py, base64dump.py, […]

    Pingback by Emotet Maldoc & ViperMonkey – Didier Stevens Videos — Thursday 10 August 2017 @ 20:03

  5. […] oledump.py, zipdump.py, base64dump.py, pecheck.py, […]

    Pingback by Metasploit’s msf.docm Analysis – Didier Stevens Videos — Monday 21 August 2017 @ 20:39

  6. […] rules can be used in combination with a tool like zipdump.py to scan XML files inside the ZIP container with the YARA […]

    Pingback by Detecting DDE in MS Office documents | NVISO LABS – blog — Wednesday 11 October 2017 @ 11:45

  7. […] first sample uses PowerShell to download an executable and run it. With zipdump.py and our YARA rules we can extract the command, and with sed command […]

    Pingback by YARA DDE rules: DDE Command Execution observed in-the-wild | NVISO LABS – blog — Thursday 12 October 2017 @ 11:13

  8. […] of file vbaProject.bin. This rule must be used with a tool that can scan inside ZIP files, like zipdump.py or […]

    Pingback by Analyzing Metasploit’s Office Maldoc | Didier Stevens — Thursday 2 November 2017 @ 0:00

  9. […] I want to see the content of (malicious) .docx files without using MS Office. I will use my zipdump.py tool to extract the XML file with the content, and then use sed or translate.py to strip out XML […]

    Pingback by New Tool: xmldump.py | Didier Stevens — Monday 18 December 2017 @ 0:00

  10. […] I often store malware in password protected ZIP files, these files can be analyzed too provided you use zipdump.py: […]

    Pingback by SpiderMonkey and STDIN | Didier Stevens — Tuesday 24 April 2018 @ 0:00

  11. […] started the analysis of the file using Didier Stevens tool for any PK file called zipdump. The output seemed that of a normal OOXML […]

    Pingback by Furoner.CAT — Friday 18 May 2018 @ 13:04

  12. […] started the analysis of the file using Didier Stevens tool for any PK file called zipdump. The output seemed that of a normal OOXML […]

    Pingback by Apparent bening DOCX decoy that delivers malware – Furoner.CAT — Friday 18 May 2018 @ 13:07

