Didier Stevens

Thursday 13 June 2019

New Tool: amsiscan.py

Filed under: Malware,My Software — Didier Stevens @ 0:00

amsiscan.py is a Python script that uses Windows 10’s AmsiScanBuffer function to scan input for malware.

It reads one or more files or stdin.

The AmsiScanBuffer function returns 5 possible values when it is called for a scan:

AMSI_RESULT_CLEAN
AMSI_RESULT_NOT_DETECTED
AMSI_RESULT_BLOCKED_BY_ADMIN_START
AMSI_RESULT_BLOCKED_BY_ADMIN_END
AMSI_RESULT_DETECTED

Example:

amsiscan_V0_0_1.zip (https)
MD5: 47E50599E0CFAF1D27416E68394289A0
SHA256: 044E41D7F31D8333CB5295FD6E430933CA67F9AC37CD400D38189C96AE48544D

Wednesday 12 June 2019

Update: virustotal-search.py Version 0.1.5

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

virustotal-search.py is a tool to query VirusTotal via its public API for file reports by providing hashes to search for.

This new version adds searching for URLs. Use option -t to select the type of search you want: file (default) or url.

Like this:

Option -e can be used to include extra information (present in the JSON reply) not included by default.

For example, a default file search does not include sha256 hashes:

But you can include it with option “-e sha256” like this:

The public API can also be used for queries for domain names and IP addresses. These queries are much simpler than file and url, and therefor, I developed a very generic program to query APIs. This will be released soon.

virustotal-search_V0_1_5.zip (https)
MD5: 2155347687726A321D1ADBB9C9B81CFD
SHA256: 4F614C9D01C694AEAA16F7D5E4DBFBCF37E8E8D01D382C1137F401612D02E110

Tuesday 11 June 2019

Quickpost: C Random Functions in Other Languages

Filed under: Quickpost — Didier Stevens @ 0:00

Some time ago, I had to implement a particular C-runtime random number generator in Python. That’s not difficult to do, you just need a variable that maintains the state (seed) of the random number generator, and then you use a simple algebraic expression: a linear congruential generator.

What’s more difficult to figure out, is knowing which multiplier (a) and increment (c) you need to reproduce the particular C-runtime random number generator.

Fortunately, I discovered that Wikipedia has a table with a and c values for many C compilers and other languages: parameters in common use.

Quickpost info

Monday 10 June 2019

Update: sets.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 9:21

sets.py is a program to perform set operations. In this new version, I added operations unique, product, substitute and sort.

And I added options -s and -i.

Operation unique will remove all double entries (which shouldn’t occur anyway in a mathematical set):

“Line 5” appears twice in set4.txt, thus one occurrence is remove by operation unique. “Line 4” and “Line 6” not, because their case is different, or because they have leading whitespace.

To ignore case, use option -i, and to ignore leading and trailing whitespace, use option -s:

sets_V0_0_3.zip (https)
MD5: F8B1EB9140EBA621CBF6F393717BF2EA
SHA256: 94200F8313A66D7CAB6C200A24DD6A5B1D9644004C2ECCF01F22004A801EFE03

Saturday 1 June 2019

Overview of Content Published in May

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in May:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog posts:

Blog at WordPress.com.