Didier Stevens

Thursday 28 February 2019

Update: pdf-parser.py Version 0.7.0

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This new version of pdf-parser brings support for analysis of stream objects (/ObjStm). Use new option -O to enable this mode.

Stream objects (/ObjStm) are objects whose stream contains other objects. These contained objects cannot themselves have a stream.

pdfid.py detects the presence of stream objects:

But pdfid cannot look inside a stream to figure out what objects are inside. That’s why I always say to use pdf-parser to select and decompress stream objects, and then pipe the result through pdfid:

When pdf-parser parses a stream object, it does not parse the content of its stream:

This changes with this new version of pdf-parser. When option -O is used, pdf-parser extracts objects from /ObjStm streams and handles them like normal objects. In the following example, object 2 is contained in object 1:

pdf-parser provides statistics for a PDF’s content with option -a:

Combining option -a with option -O includes the objects present inside stream objects (this is an alternative to combining both tools: pdf-parser -s objstm -f a.pdf | pdfid -f):

This output shows that /JavaScript can be found in object 7. We need to use option -O to find object 7 “hiding” in object 1:

If we forget to use option -O, object 7 is not found:
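As an added illustration of the /ObjStm layout described above (this is not code from pdf-parser), the following constructed example builds a small PDF fragment in which object 1 is an object stream holding objects 2 and 7, then extracts the contained objects the way option -O does, so the /JavaScript object is found only when the stream itself is parsed. The function names (build_objstm, make_pdf, extract_objstm, objects_with) and the sample objects are assumptions made for this example.

```python
import re
import zlib

# Constructed sample: object 1 is an /ObjStm whose /FlateDecode stream holds
# objects 2 and 7; the /JavaScript object "hides" in 7, as in the post.
HIDDEN = {2: b"<</Type/Catalog/Pages 3 0 R>>",
          7: b"<</S/JavaScript/JS(constructed)>>"}

def build_objstm(objects):
    """/ObjStm layout: N 'objnum offset' pairs (offsets relative to /First),
    then the objects. Returns (stream data, N, First)."""
    body, pairs = b"", []
    for num, obj in objects.items():
        pairs.append(b"%d %d" % (num, len(body)))
        body += obj + b"\n"
    header = b" ".join(pairs) + b"\n"
    return header + body, len(objects), len(header)

def make_pdf(objects=HIDDEN):
    """Wrap the object stream in a minimal PDF fragment (constructed input)."""
    data, n, first = build_objstm(objects)
    stream = zlib.compress(data)  # /FlateDecode is zlib *with* header
    head = (b"%%PDF-1.5\n1 0 obj\n<</Type/ObjStm/N %d/First %d"
            b"/Filter/FlateDecode/Length %d>>\nstream\n")
    return head % (n, first, len(stream)) + stream + b"\nendstream\nendobj\n"

OBJ_RE = re.compile(rb"(\d+) 0 obj\s*<<(.*?)>>\s*stream\r?\n", re.S)

def extract_objstm(pdf):
    """{objnum: (container objnum, body)} for objects stored in /ObjStm streams."""
    found = {}
    for m in OBJ_RE.finditer(pdf):
        container, d = int(m.group(1)), m.group(2)
        if b"/ObjStm" not in d:
            continue  # a normal stream object: nothing to unpack
        n, first, length = (int(re.search(rb"/%s\s+(\d+)" % k, d).group(1))
                            for k in (b"N", b"First", b"Length"))
        raw = pdf[m.end():m.end() + length]
        data = zlib.decompress(raw) if b"/FlateDecode" in d else raw
        ints = [int(x) for x in data[:first].split()]
        pairs = list(zip(ints[0::2], ints[1::2]))[:n]
        for i, (num, off) in enumerate(pairs):
            end = first + pairs[i + 1][1] if i + 1 < len(pairs) else len(data)
            found[num] = (container, data[first + off:end].strip())
    return found

def objects_with(found, keyword):
    """Object numbers whose body contains keyword, e.g. b'/JavaScript'."""
    return sorted(num for num, (_, body) in found.items() if keyword in body)
```

Real PDFs add /Extends chains, other filters and cross-reference streams; this example keeps to flat dictionaries and FlateDecode to show the mechanism only.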

Here is a video showing this new feature:

pdf-parser_V0_7_0.zip (https)
MD5: CDE355BB3FCACE3C4EDBC762E632F9AB
SHA256: 219FF0BB729C4478679A79163CA9942296ACF49E4EC06D128CBC53FBEE25FF05

Wednesday 27 February 2019

Update: translate.py Version 2.5.5

Filed under: My Software,Update — Didier Stevens @ 0:00

I added function ZlibRawD to translate.py to decompress raw Zlib data without a header (ZlibD already exists and handles Zlib data with a header).

This compression is sometimes used in malicious PowerShell scripts:

translate_v2_5_5.zip (https)
MD5: 0BBB0E7E569BCB08D5A9278C974A3EE6
SHA256: 78E0BAC87DF47D06BB9C351FBF3CA623EE10B3993E071E7C9A0C9C4DB0FFF1D4

Monday 18 February 2019

Update: oledump.py Version 0.0.41

Filed under: My Software,Update — Didier Stevens @ 0:00

This is just an update to the cut option (-C), to support UNICODE searches, as shown in blog post “Update: cut-bytes.py Version 0.0.9”.

I show how to use this option in a malicious document analysis video below. If you want to jump straight to the point where I use option -C with a UNICODE string, go to 9:16.

oledump_V0_0_41.zip (https)
MD5: 4FD7E627F5078245705526EBE09D7989
SHA256: 0793CA920DA8B4BD09A040FEE12463BE7D8AF8AE6DFB0968CADCE478BC153CD8

Sunday 17 February 2019

Update: cut-bytes.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version supports searching for UNICODE strings: u'…'.

Example: [u'Programmé']:0x100l

This will look for UNICODE string “Programmé” and select 256 bytes starting from the first instance of this string.

cut-bytes_V0_0_9.zip (https)
MD5: 3D11868F238AF4369372CA083303716D
SHA256: AB3EA61B0F519AB99E659F73C263A0F4C2C9DB851314C49C5DA5A5F434E0CA4E

Saturday 16 February 2019

Overview of Content Published in January

Filed under: Announcement — Didier Stevens @ 7:46

Here is an overview of content I published in January:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:
