Didier Stevens

Tuesday 20 December 2022

Update: filescanner Version

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings extra statistics with option -f (fullread): counter for unique bytes, control bytes, printable bytes, high bytes. And lengths of the longest ASCII string, ASCII hexadecimal string and ASCII base64 string.

Remark that no check is made for hex string length being a multiple of 2 and base64 string length being a multiple of 4.

Rule DMP for minidumps was added.

And option -e now accepts multiple extensions (comma separated).

FileScanner_V0_0_0_8.zip (http)
MD5: 20201A4336F3E5298896EE0962C6C287
SHA256: F0EAE8F989A65509EE2AC793EB23C3FED3F333D10C62C30FF047EE45CD308190

Monday 19 December 2022

New tool: teeplus.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

This new tool, teeplus.py, is an extension of the tee command.

The tools takes (binary) data from stdin, and sends it to stdout, while also writing the data to a file on disk.

While the tee command requires a filename as argument, teeplus.py takes no arguments (only options).

By default, teeplus.py will write the data to a file on disk, with filename equal to the sha256 of the data and extension .vir.

And it will also log this activity in a log file (teeplus.log by default).

Here is an example.

I run curl with a request to ipify to get my current public IPv4 address:

Then I pipe this output to teeplus.py:

This results in the creation of two files inside the current directory:

The first file it the output of the curl command:

The filename is the SHA256 hash of the data with extension .vir:

The second file, teeplus.log, is a log file:

Each line in teeplus.log has 4 fields (comma separated):

  1. The ISO timestamp when the activity was logged
  2. The length in bytes of the data
  3. The SHA256 hash of the data
  4. An error message (empty string when no error occured)

A line is created for each invocation of the teeplus.py command:

When the IPv4 address changes:

And the command is executed again, a new .vir file is created (since the received data changed):

And this is reflected in the log file:

This allows you to create a log of your public IPv4 address, for example (by scheduling this command as a recurrent task).

I use it for monitoring websites, and saving a copy of the HTML page I downloaded. I will explain how in an upcoming blog post.

teeplus.py has a couple of options: you can change the extension of the saved file, and the filename of the log file. And you can also us option -n to prevent the data to be piped to stdout (or you could redirect to /dev/null).

This is something I would do when the teeplus.py command is not followed by another command.

teeplus_V0_0_1.zip (http)
MD5: 0A3704CD56BD6B3A1FF2B92FD87476FB
SHA256: 9E3CBE7323D83FFC588FD67F7B762F53189391A43EDF465C64BD0E4D8E7E8990

Sunday 18 December 2022

Update: zipdump.py Version 0.0.23

Filed under: My Software,Update — Didier Stevens @ 0:00

Option -W can be used to write all files to disk. The only accepted value for -W is vir (for the moment). When this option is provided, all files are written to the local disk (ignoring contained paths) with their original name, and appended extension .vir.

To print out properties line per line, use separator *.

And more parsing for PK records has been added (with option -f). This is a work in progress, more info will provided in an upcoming blog post.

zipdump_v0_0_23.zip (http)
MD5: B37E6A25B736CB4396DEB2DC8A0853C6
SHA256: 68B7E11B4456A8A9A5A9733EE9B1945A03EBA64A13903B98FAC838BDB828BD02

Saturday 17 December 2022

Update: virustotal-search.py Version 0.1.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to virustotal-search brings new options:

  1. -D don’t send queries to VT, just use the local database
  2. –sleep before starting: provide an integer with suffix s (seconds), m (minutes), h (hours) or d (days). Or provide a local time: 01:00:00
virustotal-search_V0_1_8.zip (http)
MD5: 69A4504E06E97585EDBA4BBD60EAC36C
SHA256: 16FA2F9748959A88BE38B4A2FF006FC658FB4FF8932F3EC2E2568F48EB9FAE85

Friday 16 December 2022

Update: hash.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

Options validate and skip support here files now.

And when validating hashes, a summary is displayed at the end of the report.

hash_V0_0_9.zip (http)
MD5: E1BEFF0A256002949B084F7ED410C5A5
SHA256: 84F846D6CFE93ADA77C5DE0C318CEA36C3F92F22A3D0A7FE829DB88D7CE31FA0

Thursday 15 December 2022

Update: count.py Version 0.3.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to count.py, my tool to count items, adds totals and options for:

  1. singles: a single is an item that appears only once
  2. multiples: a multiple is an item that appears more than once
count_v0_3_1.zip (http)
MD5: 1B36247FE910FE5FB4E3253B65E440A1
SHA256: 9C99627F07E1B366DCEB000A56C4C3D358C3408D36531A921514B4F3809F45D1

Monday 5 December 2022

Extracting Certificates For Defender

Filed under: Malware — Didier Stevens @ 0:00

A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list.

The procedure involves right-clicking the EXE in Windows Explorer, selecting properties to view the digital signature, and so on …

But I don’t like procedures where one has to click on malware.

So I looked for a PowerShell command, and found this.

Get-AuthenticodeSignature .\malware.exe.vir | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath SignerCertificate.cer

Sunday 4 December 2022

Update: python-per-line.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update to add the lineNumber variable.

python-per-line_V0_0_9.zip (http)
MD5: CD9FC344E4C5F649E4043BD703CDCA52
SHA256: BD6713A7DF86AC75ADC2A6742A453919F56583D8CC5EB3B82B736608D2A52619

Saturday 3 December 2022

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 9:52

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

« Previous Page

Blog at WordPress.com.