Didier Stevens

Monday 10 December 2018

Update: rtfdump.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version (actually, 0.0.8 and 0.0.9) brings the following changes:

All items can be selected now with -s a.

A warning is displayed when option -s (selecting) does not result in the selection of an item.

Option -A does a run-length encoded ASCII dump (cfr. -a).

JSON output is possible with option –jsonoutput.

Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).

And offsets in a cut expression can now be hexadecimal too (prefix 0x).

rtfdump_V0_0_9.zip (https)
MD5: 26BE358EC8D42BB7532B6C0C1EBAD1F2
SHA256: 3F6410AC7880116CDDE4480367D3F5AA534CCA3047B75FEA0F4BA1F5EAA97B07

Sunday 9 December 2018

Release: strings.py

Filed under: My Software,Release — Didier Stevens @ 0:00

I’ve been using my own Python implementation of command strings for 3 years now: time for a release (it was already available on my Beta github).

-L (–length) is an option I use often: it sorts the extracted strings from shortest to longest. When analyzing malicious documents and (binary) malware, often the interesting strings are rather long.

Like in this malicious Word document, where the longest string is the malicious PowerShell command.

It also supports JSON input.

For more options and information, take a look at the help (-h) and manual (-m):

 

strings_V0_0_3.zip (https)
MD5: DE008589A0B4B3C33B52BE3A171EB14D
SHA256: 9EBA69933B44DF41F4B51EE45B510E15FA85BCB38AD4CE45C863E8BBDAFED489

Thursday 6 December 2018

Update: oledump.py Version 0.0.39

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump brings several new features.

When option -i is used without selecting a stream, the overview will contain the size of the compiled code and the source code for all modules:

Selecting just the compiled code from a module stream can be done with suffix c: oledump.py -s A4c sample.xlsm.

Suffix s is to be used to select source code only: oledump.py -s A4s sample.xlsm.

A warning is displayed when option -s (selecting) does not result in the selection of a stream.

Option -A does a run-length encoded ASCII dump (cfr. -a).

Option -T does a head & tail: select the first 10 and last 10 lines of the output.

Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).

And offsets in a cut expression can now be hexadecimal too (prefix 0x).

oledump_V0_0_39.zip (https)
MD5: 5C9A1D94E1BC857877116E425D80A197
SHA256: DF7FFA0C707C8D66C0E0FBEE583286DBA9970824782C6B7AB6BFDC30A85BB419

Monday 3 December 2018

Quickpost: Developing for ESP32 with the Arduino IDE

Filed under: Hardware,Quickpost,WiFi — Didier Stevens @ 0:00

I have a couple of ESP32’s that can also be programmed with the Arduino IDE, provided the necessary board manager is installed:

After starting the IDE

I open the preferences:

And add the board manager URL for the ESP32 (https://dl.espressif.com/dl/package_esp32_index.json):

And via the Tools menu I launch the Boards Manager:

And install the ESP32 board manager:

And then I can select the right board (ESP32 Dev Module):

Then I can connect my ESP32 board to my Windows machine, and it will complain about missing drivers:

I install the CP210x drivers:

Then I can select the right port in the Tools menu:

And now everything is ready to program my ESP32. I will start with the WiFiScan example:

Which can then be compiled and uploaded to the ESP32 board:

Once it is uploaded and running, I can connect to the ESP32 board via the serial monitor:

 

 

Sunday 2 December 2018

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 12:32

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Blog at WordPress.com.