Didier Stevens

Monday 30 September 2019

Update Of My PDF Tools

Filed under: maldoc,Malware,My Software,PDF,Update — Didier Stevens @ 19:16

This is an update of my PDF tools.

There are a couple of bug fixes for pdf-parser and pdfid.

And 2 new features in pdf-parser, inspired by a private training on maldoc analysis I gave last week. I often get good ideas from my students, and sometimes, even I get a good idea in class 🙂 .

Option -o can now be used to select multiple objects: separate the indices by a comma.

There’s a new environment variable, PDFPARSER_OPTIONS, that can be used to provide extra options you want to include with each execution of pdf-parser.py. This is useful for option -O, an option to parse stream objects.

It’s actually best to always parse stream objects, i.e. always use option -O. But I decided not to make this an option that is on by default, so that the behavior of pdf-parser would remain unchanged. I consider this important for the many people that rely on a predictable behavior of pdf-parser, like teachers and students of infosec trainings where my tools are used/mentioned.

However, always including option -O is tedious and error prone. So now you can have best of both worlds, by defining an environment variable with name PDFPARSER_OPTIONS and value -O.

And finally, I started to add a man page (option -m), like I do with many of my other tools. This is a work in progress: for the moment, it points to my free PDF analysis e-book that explains the use of pdfid and pdf-parser.

pdf-parser_V0_7_3.zip (https)
MD5: 7EB1713631D255B36BC698CD2422C7EB
SHA256: D4D5AC9C26A9D8FEF65CE58A769D3F64A737860DC26606068CCDD3F04FDEA0D7

pdfid_v0_2_6.zip (https)
MD5: 9CCE332914A6C76410F04B7C35DA3155
SHA256: 95F7C91EEFB561F3F3BE9809ED339D85E7109BAA7E128EF056651EE018DBDBA0

Sunday 22 September 2019

Update: strings.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 8:56

This new version of strings.py comes with a new option -T to trim the strings to a given length. And also 2 bug fixes.

strings_V0_0_4.zip (https)
MD5: 8B1F5A6BEBA2BC8BDFF16B99C27050E4
SHA256: 7BBAAB0E83692288BDC35BC0FBDD6B2F8A141280E506131E2818F49BEF31D01A

Saturday 21 September 2019

Update: hex-to-bin.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:04

hex-to-bin.py is a program to convert hexadecimal dumps (text) to binary data.

This new version of hex-to-bin.py can handle different hexdump formats, like registry dumps (text files). Use option -x to handle these hexdumps.

And option -t was added if the input is a text file that is non-ASCII, like UTF16. Option -t can be used to convert the text file.

And it supports Python3, but that code is a kludge. Something I’ll have to do better later.


hex-to-bin_V0_0_3.zip (https)
MD5: 0F87942CC9EF566D4C3B5A34073D5399
SHA256: 02447247C59F530CD6559B0FB287E314AC3AB807D843729CA9CE3F16D0930CAB

Wednesday 18 September 2019

Update: pecheck.py Version 0.7.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds option -l to carve embedded PE files. This will be explained in detail in an upcoming blog post.

pecheck-v0_7_7.zip (https)
SHA256: 91041D17A39C7FA4151830AF8FBD151680A04FC617CB0EADDA32D240E9AB9C03

Tuesday 17 September 2019

Update: hash.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version supports CRC32 hashing.

hash_V0_0_7.zip (https)
MD5: 9BE8A26F2940FA2FF5C3671B7BB6DC6F
SHA256: CFA2767F0FAA792F9B75344B2F15FF40267F3EDE77D221B0134F07FDB04E515B

Saturday 14 September 2019

Update: msoffcrypto-crack.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of msoffcrypto-crack.py, a simple tool to crack passwords of MS Office documents, adds rules via option -r.

In this release, there is only one rule to modify candidate passwords: case toggle.

If you use option -r, all passwords in the provide list will be tested, together with their case toggle variant: Secret -> sECRET.

msoffcrypto-crack_V0_0_4.zip (https)
MD5: D3D7A0475FF1C9AAB7BE773514784465
SHA256: 4A27E0FF50863A925FEE55B8F7D16AD29C2DF5E4611F9493DAEEBA89B5F3DBA9

Thursday 12 September 2019

Overview of Content Published in August

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in August:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

NVISO blog posts:

Blog at WordPress.com.