Didier Stevens

Monday 31 December 2018

New Tool: msoffcrypto-crack.py

Filed under: Encryption,maldoc,My Software — Didier Stevens @ 0:00

This is a new tool to recover the password of encrypted MS Office documents. I quickly put together this script to help with the analysis of encrypted, malicious documents.

This tool relies completely on the Python module msoffcrypto to decrypt MS Office documents.

Since this is a Python tool based on a Python library, don’t expect fast password recovery. This is more of a convenience program.

It can recover passwords using a built-in password list, or you can provide your own list via option -p.

The tool can also decrypt the encrypted MS Office document if the password is recovered: use option -o to achieve this. Otherwise, the tool just displays the recovered password.

Like many of my tools, it can take its input from stdin and provide the decrypted document via stdout.

It’s developed with Python 2, and also tested on Python 3.

Read the man page for all the details: option -m.

msoffcrypto-crack_V0_0_1.zip (https)
MD5: F67060E0DE62727A1A69D0FD6F39013A
SHA256: 1466B94B56595BA0B91F0A2606F699E1D737E964F3F1A4DFDF7EAA47843DD063

Sunday 30 December 2018

Update: format-bytes.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

In this update, I added support for “run-length encoded” ASCII dump (-A), and X and S representation for strings:

format-bytes_V0_0_7.zip (https)
MD5: 58D3380B48593B3497AD04ACB1719CF3
SHA256: 8E07C1462AE88416CF8D5218A70BCFAE34F89B284684BFD0AC6B943A39E3CA8E

Saturday 29 December 2018

New Tool: SimpleEncoder

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

I needed a 010 Editor script to do ROT-47 encoding. The script I developed supports different types of simple encodings (including ROT-47):

With custom shift encoding, you choose the shift value by providing a number in a second input dialog. This number can be negative to shift the characters to the left instead of to the right.
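As an added illustration of the shift encodings described above (Python written for this page, not the 010 Editor script from the post): ROT-47 is a shift of 47 over the 94 printable ASCII characters '!' through '~', which makes it its own inverse, and a negative shift value moves characters to the left.

```python
# Shift encodings over the 94 printable ASCII characters '!' (33) .. '~' (126).
# Space and anything outside that range are passed through unchanged.
FIRST, COUNT = 33, 94


def shift_encode(text, shift):
    """Shift every printable character by `shift` positions, wrapping around
    the 94-character range. A negative shift moves characters to the left."""
    out = []
    for ch in text:
        code = ord(ch)
        if FIRST <= code < FIRST + COUNT:
            # Python's % always yields 0..93, so negative shifts wrap correctly
            out.append(chr(FIRST + (code - FIRST + shift) % COUNT))
        else:
            out.append(ch)
    return "".join(out)


def rot47(text):
    """ROT-47 is the shift of 47; applying it twice (94 = one full turn)
    restores the original text, so encoder and decoder are the same."""
    return shift_encode(text, 47)


def shift_decode(text, shift):
    """Undoing a custom shift is encoding with the negated shift."""
    return shift_encode(text, -shift)


if __name__ == "__main__":
    print(rot47("Hello, World!"))          # w6==@[ (@C=5P
    print(rot47(rot47("Hello, World!")))   # Hello, World!
    print(shift_encode("!", -1))           # ~  (left shift wraps to the end)
```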

FYI: I submitted this script to 010 Editor’s repository.

SimpleEncoder_V1_0.zip (https)
MD5: 02C7BA20D8BF9EB965B3957BE8D26094
SHA256: 7C98B404F49F5E22A8A052AB4E100BF4ABCE37F39518293FC697D21C1D36A4F3

Friday 28 December 2018

Update: numbers-to-string.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 10:58

In this update, I added option -T. This is an alternative for option -t (table for number to character conversion). Instead of providing the full table with option -t, now you can provide a partial table with option -T, provided the table is present in the input.

This is often the case in DOSfuscated scripts:

In this example, the table starts with MkBMMM. Hence I use option -T MkBMMM, instead of option -t with the full table: -t MkBMMMdkGLKIEzzjzlJJanhzSNf7,Y9x@bm(/5Hqo6 +8wri)$;uv{-QtgOUP}C:\VDFW.=y’AsRe0cp

numbers-to-string_v0_0_7.zip (https)
MD5: C23E49A24B54365F469BB35CCDA12701
SHA256: 3E9E7DF84359BEB4A054FC82E73C3E94219FC85E462FFBE3676C16E115F61AB3

Thursday 27 December 2018

Update: XORSearch Version 1.11.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update for XORSearch brings new features and bug fixes.

Starting with this version, XORSearch accepts input from stdin. Use filename - to read data from stdin:

Option -S will print out all strings found using all decoders supported by XORSearch. Strings are sequences of printable characters, ASCII and UNICODE, at least 4 characters long.

As option -S brings many of the functionalities of XORStrings to XORSearch, I’m no longer developing XORStrings.

The last new option is -r. You can use option -r to reverse the file before searching.

I’m also including more compiled versions (look inside the ZIP file).

XORSearch_V1_11_2.zip (https)
MD5: 2B76F6C730BAC6324E92A731F42FEB74
SHA256: 4206B843AC2B9417A85A4B5381023EC4613C5B5095A6A0A19A072C21C66DE93F

Wednesday 19 December 2018

Update: oledump.py Version 0.0.40

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds option --password to use a password other than infected for samples inside password-protected ZIP files.

And plugin_biff adds support for MS Excel 4.0 macros:

oledump_V0_0_40.zip (https)
MD5: 4013CC3A01D4CAE481EAA099A080B07F
SHA256: C5EC0B7B1EFA69D9EB6572F61D866ECEA7952FEADA06943377F8178C7A252E70

Saturday 15 December 2018

Update: numbers-to-string.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 17:58

This new version of numbers-to-string.py has a new option: -t (table).

With this option, you can use another table for number-to-character conversion than ASCII. Just provide the table as a string (a sequence of characters):

And I made a change to option --end: now it will select up to the last string occurrence provided, no longer the first one.
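A worked Python example of the -t and -T behaviour described here and in the 0.0.7 update above; this is added code, not numbers-to-string.py itself. The input is a constructed DOSfuscation-style batch fragment, and the assumption that the table is located by its prefix and runs to the end of its line is mine.

```python
import re

# Constructed DOSfuscation-style sample (not from the blog post): the table is
# the value of an environment variable and every %var:~N,1% reference picks the
# single character at index N from it.
SAMPLE = """@echo off
set z=MkBMMMcal.ex
cmd /c %z:~6,1%%z:~7,1%%z:~8,1%%z:~6,1%%z:~9,1%%z:~10,1%%z:~11,1%%z:~10,1%
"""


def find_table(text, prefix):
    """-T behaviour (assumed): locate the full table inside the input by its
    leading characters; the table is taken to run to the end of that line."""
    start = text.find(prefix)
    if start < 0:
        raise ValueError("table prefix %r not found in input" % prefix)
    end = text.find("\n", start)
    return text[start:] if end < 0 else text[start:end].rstrip("\r")


def extract_numbers(text):
    """Collect the indices used by the %var:~N,1% substring references.
    cmd.exe allows a negative N (counted from the end), which Python's
    negative indexing in numbers_to_string reproduces."""
    return [int(n) for n in re.findall(r"%\w+:~(-?\d+),1%", text)]


def numbers_to_string(numbers, table):
    """-t behaviour: map each number to the character at that index in the
    table instead of interpreting it as an ASCII code."""
    return "".join(table[n] for n in numbers)


def decode_with_partial_table(text, prefix):
    """The -T workflow: recover the table from the input, then translate."""
    return numbers_to_string(extract_numbers(text), find_table(text, prefix))


if __name__ == "__main__":
    print(find_table(SAMPLE, "MkBMMM"))                # MkBMMMcal.ex
    print(decode_with_partial_table(SAMPLE, "MkBMMM"))  # calc.exe
```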

numbers-to-string_v0_0_6.zip (https)
MD5: 283003C9B328A3DB79BC83AD3C3B0FB1
SHA256: E96417C26EA1231748C6A5DE2F12F56D816F2F875795ED7412ED5D6458CF7B93

Monday 10 December 2018

Update: rtfdump.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version (actually, 0.0.8 and 0.0.9) brings the following changes:

All items can be selected now with -s a.

A warning is displayed when option -s (selecting) does not result in the selection of an item.

Option -A does a run-length encoded ASCII dump (cfr. -a).

JSON output is possible with option --jsonoutput.

Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).

And offsets in a cut expression can now be hexadecimal too (prefix 0x).

rtfdump_V0_0_9.zip (https)
MD5: 26BE358EC8D42BB7532B6C0C1EBAD1F2
SHA256: 3F6410AC7880116CDDE4480367D3F5AA534CCA3047B75FEA0F4BA1F5EAA97B07

Sunday 9 December 2018

Release: strings.py

Filed under: My Software,Release — Didier Stevens @ 0:00

I’ve been using my own Python implementation of command strings for 3 years now: time for a release (it was already available on my Beta github).

-L (--length) is an option I use often: it sorts the extracted strings from shortest to longest. When analyzing malicious documents and (binary) malware, often the interesting strings are rather long.

Like in this malicious Word document, where the longest string is the malicious PowerShell command.
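An added Python example (not XORSearch or strings.py code) covering both the string definition used by XORSearch -S above and the length sort of strings.py -L: printable ASCII and UTF-16LE runs of at least 4 characters, extracted after each single-byte XOR key, then sorted shortest to longest. The sample bytes are constructed and the encoded command line is a harmless one; the real XORSearch also runs its other decoders, which are left out here.

```python
import re


def xor_bytes(data, key):
    """Single-byte XOR, used both to build the sample and to decode it."""
    return bytes(b ^ key for b in data)


# Constructed sample (not a real malware sample): a readable header, a UTF-16LE
# file name and a command line XOR-encoded with key 0x5A. 0xFF bytes separate
# the parts so they do not merge into one long printable run when decoded.
SAMPLE = (b"Some header text\xff"
          + "report.docx".encode("utf-16-le") + b"\xff"
          + xor_bytes(b"powershell.exe -NoProfile -Command Get-Date", 0x5A)
          + b"\xff")


def extract_strings(data, minlen=4):
    """Printable ASCII runs and UTF-16LE (char, NUL) runs of at least minlen
    characters: the string definition XORSearch -S and strings.py use."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % minlen)
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % minlen)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("unicode", m.group().decode("utf-16-le")) for m in unicode_re.finditer(data)]
    return found


def xor_strings(data, minlen=4):
    """XORSearch -S restricted to the XOR decoder: try every key and keep the
    strings each decoding yields, tagged with the key that produced them."""
    results = []
    for key in range(256):
        for kind, s in extract_strings(xor_bytes(data, key), minlen):
            results.append((key, kind, s))
    return results


def longest_first(found):
    """strings.py -L: sort from shortest to longest, so the long, interesting
    strings end up at the bottom of the listing."""
    return sorted(found, key=lambda item: len(item[-1]))


if __name__ == "__main__":
    # Decoding with the right key makes the command line the longest string
    for item in longest_first(extract_strings(xor_bytes(SAMPLE, 0x5A))):
        print(item)
```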

It also supports JSON input.

For more options and information, take a look at the help (-h) and manual (-m):

strings_V0_0_3.zip (https)
MD5: DE008589A0B4B3C33B52BE3A171EB14D
SHA256: 9EBA69933B44DF41F4B51EE45B510E15FA85BCB38AD4CE45C863E8BBDAFED489

Thursday 6 December 2018

Update: oledump.py Version 0.0.39

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump brings several new features.

When option -i is used without selecting a stream, the overview will contain the size of the compiled code and the source code for all modules:

Selecting just the compiled code from a module stream can be done with suffix c: oledump.py -s A4c sample.xlsm.

Suffix s is to be used to select source code only: oledump.py -s A4s sample.xlsm.

A warning is displayed when option -s (selecting) does not result in the selection of a stream.

Option -A does a run-length encoded ASCII dump (cfr. -a).

Option -T does a head & tail: select the first 10 and last 10 lines of the output.

Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).

And offsets in a cut expression can now be hexadecimal too (prefix 0x).

oledump_V0_0_39.zip (https)
MD5: 5C9A1D94E1BC857877116E425D80A197
SHA256: DF7FFA0C707C8D66C0E0FBEE583286DBA9970824782C6B7AB6BFDC30A85BB419
