Didier Stevens

Sunday 23 February 2020

Update: Python Templates Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Here is an update to my Python templates (binary and text files).

I’ll explain the updates to each template in upcoming blog posts.

python-templates_V0_0_2.zip (https)
MD5: 082812485D24AD0E3D12F1618BC44367
SHA256: 98DE8BEC508C7E678D294DD630466DA175524D4180C1E8C3A6C06EE11587981E

Saturday 22 February 2020

Update: translate.py Version 0.2.7

Filed under: My Software,Update — Didier Stevens @ 20:29

This update for translate.py, a tool to “Translate bytes according to a Python expression”, adds a new function for XOR multi-byte-key encoding/decoding.
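To make the operation concrete, here is an added stand-alone example (not translate.py's own function, and not code from the post) of repeating multi-byte-key XOR. It shows the three things a maldoc analyst usually needs from it: that one routine both encodes and decodes, that a slice taken from the middle of an encoded buffer needs a key offset, and that a few bytes of known plaintext are enough to recover the key. The key and text are constructed sample values.

```python
import itertools


def xor_multibyte(data: bytes, key: bytes, offset: int = 0) -> bytes:
    """XOR data with a repeating multi-byte key.

    XOR is its own inverse, so the same call encodes and decodes. The offset
    says which key byte lines up with the first data byte, which matters when
    decoding a slice cut out of the middle of an encoded buffer.
    """
    if not key:
        raise ValueError("key must not be empty")
    keystream = itertools.islice(itertools.cycle(key), offset % len(key), None)
    return bytes(b ^ k for b, k in zip(data, keystream))


def recover_key(encoded: bytes, known_prefix: bytes, key_length: int) -> bytes:
    """Known-plaintext recovery of a repeating XOR key.

    When the first key_length plaintext bytes are known (a file header or a
    predictable string), XORing them with the encoded bytes yields the key.
    """
    if len(known_prefix) < key_length or len(encoded) < key_length:
        raise ValueError("need at least key_length bytes of plaintext and data")
    return bytes(e ^ p for e, p in zip(encoded[:key_length], known_prefix[:key_length]))


# Constructed sample values for the demonstration (not taken from the post).
SAMPLE_KEY = b"\x12\x34\x56"
SAMPLE_TEXT = b"This is a constructed sample string."


def demo() -> dict:
    """Round trip, mid-buffer decode and key recovery on the sample values."""
    encoded = xor_multibyte(SAMPLE_TEXT, SAMPLE_KEY)
    return {
        "encoded": encoded,
        "roundtrip": xor_multibyte(encoded, SAMPLE_KEY),
        # Decode starting at byte 5: the key must be rotated by the same amount.
        "slice": xor_multibyte(encoded[5:], SAMPLE_KEY, offset=5),
        "key": recover_key(encoded, SAMPLE_TEXT, len(SAMPLE_KEY)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Forgetting the offset is the usual reason a decoded slice comes out as garbage: the key cycles from the start of the buffer, not from the start of the slice.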

translate_v2_5_7.zip (https)
MD5: 886C1B4C518EA58F972F87980994B976
SHA256: 01E4239E050DE4853AC53020CCE44C9804003A4A2C195974B5B16AEDD1B8E1B1

Monday 17 February 2020

Update: format-bytes.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py brings a new option when extracting bitstreams: producing a stream of 0s & 1s, like this:

Join specifier j:b (option “-f bitstream=…”) produces a bitstream of 0s & 1s, that I can then process further:

The PNG file I analyze in this example was created with PHP Stegger on the Geocaching Toolbox site.

format-bytes_V0_0_13.zip (https)
MD5: E7A7A344B3B8753553FC5B2E4084D8DA
SHA256: 1F22A1D784DCF1269FFD12E2C9467EE0FB93B0895CC24D04CBBD9696D50945DB

Sunday 16 February 2020

Update: hex-to-bin.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

With this update, hex-to-bin.py, a simple tool to convert hexadecimal data to binary, can also handle bitstreams (option -b). If necessary, the bitstream is right-padded with 0s to make the bitstream length a multiple of 8.
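The two directions described in this post and in the format-bytes.py post above (bytes to a stream of 0s and 1s, and a bitstream back to bytes with right-padding) fit in one added example. This is illustrative code, not the source of hex-to-bin.py or format-bytes.py. The least-significant-bit extraction and the pixel bytes are assumptions constructed for the example; they do not describe PHP Stegger's format.

```python
def bytes_to_bitstream(data: bytes) -> str:
    """Render bytes as a string of 0s and 1s, most significant bit first."""
    return "".join(format(b, "08b") for b in data)


def bitstream_to_bytes(bitstream: str) -> bytes:
    """Convert a string of 0s and 1s back to bytes.

    Whitespace is ignored. When the number of bits is not a multiple of 8 the
    stream is right-padded with 0s, so the leftover bits become the high bits
    of the final byte. This mirrors the padding rule stated for option -b.
    """
    bits = "".join(bitstream.split())
    if not set(bits) <= {"0", "1"}:
        raise ValueError("bitstream may contain only 0 and 1")
    bits += "0" * ((-len(bits)) % 8)
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))


def lsb_bitstream(data: bytes) -> str:
    """Collect the least significant bit of every byte into a bitstream.

    Taking the low bit of each sample is one common place a hidden bitstream
    lives in image data; this is an assumption for the example only.
    """
    return "".join(str(b & 1) for b in data)


# Constructed sample: nine "pixel" bytes whose low bits read 0100 0001 1, that
# is, the byte for "A" followed by one dangling bit that needs padding.
SAMPLE_PIXELS = bytes([0x10, 0x21, 0x32, 0x44, 0x56, 0x68, 0x7A, 0x8D, 0x9F])


def demo() -> dict:
    """Extract the sample bitstream, pad it to whole bytes, and round-trip."""
    bits = lsb_bitstream(SAMPLE_PIXELS)
    return {
        "bits": bits,
        "bytes": bitstream_to_bytes(bits),
        "roundtrip": bitstream_to_bytes(bytes_to_bitstream(b"\x00\xff\x41")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The padding choice is visible in the sample: nine bits become two bytes, and the trailing 1 ends up as 0x80 rather than 0x01, because the padding is appended on the right.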

Example:

hex-to-bin_V0_0_4.zip (https)
MD5: CBD3D27A2BC703F51FB23F757084BBE1
SHA256: CD70D7644BB353C64DD37AA0717B14967176A1A5E35E5DC6AE163D929BE13AAD

Tuesday 11 February 2020

Update: xmldump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of xmldump.py, a tool to parse and display XML content, has a new command: pretty.

As its name implies, this command performs a pretty print of the XML content.

xmldump_V0_0_4.zip (https)
MD5: A97F4048226BD9A0BE47D1ABDEC5D770
SHA256: 2636D10294C5BCD8B1E97DFE30745FF91496FB9F87ABB8D99371B379AA711B25

Monday 10 February 2020

Update: oledump.py Version 0.0.45

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py has a feature to display Ad Hoc YARA rules using option --verbose.

In this example, I show a string Ad Hoc YARA rule to search for string attri (-y #s#attri). By including option --verbose, the YARA rule generated by oledump for string attri is displayed first:

Plugin plugin_http_heuristics has a new option: -c --contains.
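As an added illustration of what an Ad Hoc rule expands to, the example below (not oledump's own code) turns a #s#attri-style spec into YARA rule source and evaluates the same spec directly on a byte buffer, so the effect of the rule can be checked without the yara module. The rule layout, and the #x# (hex bytes) and #r# (regular expression) prefixes, are assumptions made for this example; the post itself only shows #s#.

```python
import re

# Spec prefixes handled here. #s# is from the post; #x# and #r# are assumed.
_SPEC_RE = re.compile(r"#([sxr])#(.+)", re.DOTALL)


def parse_spec(spec: str):
    """Split '#<kind>#<value>' into its kind letter and value."""
    m = _SPEC_RE.fullmatch(spec)
    if not m:
        raise ValueError(f"not an ad hoc rule spec: {spec!r}")
    return m.group(1), m.group(2)


def adhoc_yara_rule(spec: str, rule_name: str = "adhoc") -> str:
    """Expand an ad hoc spec into YARA rule source.

    The rule text layout is this example's own; the post only states that
    oledump --verbose displays the rule it generates.
    """
    kind, value = parse_spec(spec)
    if kind == "s":
        escaped = value.replace("\\", "\\\\").replace('"', '\\"')
        pattern = f'"{escaped}"'
    elif kind == "x":
        digits = value.replace(" ", "")
        if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", digits):
            raise ValueError("hex spec needs an even number of hex digits")
        pairs = (digits[i:i + 2] for i in range(0, len(digits), 2))
        pattern = "{ " + " ".join(pairs) + " }"
    else:
        pattern = f"/{value}/"
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    strings:\n"
        f"        $a = {pattern}\n"
        "    condition:\n"
        "        $a\n"
        "}\n"
    )


def adhoc_match(spec: str, data: bytes) -> bool:
    """Evaluate the spec on data the way the generated rule would: a
    case-sensitive substring, a byte sequence, or a regular expression."""
    kind, value = parse_spec(spec)
    if kind == "s":
        return value.encode("latin-1") in data
    if kind == "x":
        return bytes.fromhex(value.replace(" ", "")) in data
    return re.search(value.encode("latin-1"), data) is not None


# Constructed sample stream content (not from the post).
SAMPLE_STREAM = b'Attribute VB_Name = "Module1"\r\nDim attribute As String'


if __name__ == "__main__":
    print(adhoc_yara_rule("#s#attri"))
    print("matches:", adhoc_match("#s#attri", SAMPLE_STREAM))
```

Note that a #s# rule is case sensitive: in the constructed sample it is the lowercase "attribute" on the second line that matches "attri", not "Attribute" on the first.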

By default, plugin_http_heuristics looks for (obfuscated) strings that start with keywords (http:// and https:// by default). Option -c changes this behavior: when this option is used, the keywords are searched in the entire string, and not just at the start.

In this example, I use this feature to search for the filename of the dropped executable (strings containing “.exe”):

And I also include plugin_vba: this is an old plugin that I failed to release. It searches for string concatenation in VBA code.
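The two plugin behaviours described here, reconstructing concatenated VBA string literals and then looking for keywords either at the start of a string or anywhere in it (the -c option), are shown together in this added example. It is illustrative code, not the source of plugin_vba or plugin_http_heuristics, and the VBA snippet is constructed for the example.

```python
import re

# A run of two or more quoted VBA string literals joined with the & operator.
# VBA doubles a quote inside a literal ("" stands for one "), which both
# patterns allow for.
CONCAT_RE = re.compile(r'"(?:[^"]|"")*"(?:\s*&\s*"(?:[^"]|"")*")+')
LITERAL_RE = re.compile(r'"((?:[^"]|"")*)"')


def find_concatenations(vba: str) -> list:
    """Return (expression, joined_value) for each string concatenation found."""
    found = []
    for m in CONCAT_RE.finditer(vba):
        parts = [p.replace('""', '"') for p in LITERAL_RE.findall(m.group(0))]
        found.append((m.group(0), "".join(parts)))
    return found


def keyword_hits(strings, keywords=("http://", "https://"), contains=False) -> list:
    """Keep strings that start with a keyword, or, with contains=True, that
    have a keyword anywhere in them (the behaviour of option -c)."""
    def hit(s: str) -> bool:
        return any(kw in s if contains else s.startswith(kw) for kw in keywords)
    return [s for s in strings if hit(s)]


# Constructed VBA sample (not from the post): a URL and a filename split into
# pieces so that neither appears whole in the source.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim u As String, f As String
    u = "ht" & "tp://" & "ex" & "ample.com/" & "sample.txt"
    f = Environ("TEMP") & "upd" & "ate" & ".exe"
    MsgBox "Say ""hello"" " & "world"
End Sub
'''


def demo() -> dict:
    """Reconstruct the strings, then apply both keyword search modes."""
    values = [joined for _, joined in find_concatenations(SAMPLE_VBA)]
    return {
        "strings": values,
        "urls": keyword_hits(values),
        "exe_prefix": keyword_hits(values, keywords=(".exe",)),
        "exe_contains": keyword_hits(values, keywords=(".exe",), contains=True),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The comparison in the demo is the point of the -c option: ".exe" is never at the start of a string, so the default prefix search finds nothing, while the contains search returns the reconstructed filename.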

Video:

oledump_V0_0_45.zip (https)
MD5: FB9694358CCEAE4AFDFCF97FDA0D5205
SHA256: FB75B1E19E5067751E2DE1AD21826245B7E11EDBE03278566484754F606F3965

Sunday 2 February 2020

Update: pecheck.py Version 0.7.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a Python 3 bug fix version for pecheck.py, a tool to analyze PE files.

pecheck-v0_7_9.zip (https)
MD5: F69709C475D513A8D2031C21EEC13284
SHA256: 99E71A9FC917BB27CDD893F14AE77F2E810A4C7BB56A6E975BB619C978B12D47

Saturday 1 February 2020

Overview of Content Published in January

Filed under: Announcement — Didier Stevens @ 11:00

Here is an overview of content I published in January:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:
