Didier Stevens

Friday 6 June 2025

DSS_DEFAULT_HASH_ALGORITHMS

Filed under: My Software — Didier Stevens @ 0:00

I have a feature in some of my tools that lets you choose the hash algorithm.

Many of my tools calculate hashes, and for historical reasons, that is the MD5 hash.

But if you want another hash, you can change this (for some of my tools) by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.

For example, with pdf-parser.py on Windows, you can set DSS_DEFAULT_HASH_ALGORITHMS=sha256 and the hashes of the streams will then be SHA256 instead of MD5.

Thursday 5 June 2025

Quickpost: emldump Bulk Extraction

Filed under: Quickpost — Didier Stevens @ 0:00

A reader asked about bulk extraction of email attachments with emldump.py.

If you want to extract all attachments and write them to disk, you can use the following command:

emldump.py --jsonoutput sample.eml | myjson-filter.py -W hashvir

This command produces a MyJSON data structure with the content and metadata of all parts (not only the attachments, but also the different bodies) and saves the parts to disk with filenames formatted as the SHA256 hash of the content followed by the extension .vir.

You can then run the desired analysis commands on the files written to disk.

But you can also run a command directly on the items, without writing them to disk. Here is an example of such a command:

emldump.py --jsonoutput sample.eml | myjson-filter.py -r "cmd.exe /c oledump.py"

This command starts an oledump.py command for each part in the multipart document and provides the content of each part via stdout.
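As an added example (my own code, not emldump.py or myjson-filter.py), here is a small Python script that performs the same kind of bulk extraction with the standard library's email parser, and that also follows the DSS_DEFAULT_HASH_ALGORITHMS convention from the post above (MD5 by default, another hashlib algorithm when the variable is set): every leaf part, bodies included, is written out as <hash>.vir. The sample message, the function names and the optional algorithm override are constructed for this illustration.

```python
import email
import hashlib
import os
from email import policy
from pathlib import Path

# Constructed sample message (not from the post): a text body plus one attachment.
SAMPLE_EML = b"""Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain

Hello, see attachment.
--BOUNDARY
Content-Type: application/octet-stream; name="payload.bin"
Content-Disposition: attachment; filename="payload.bin"
Content-Transfer-Encoding: base64

AAECAwQFBgcICQ==
--BOUNDARY--
"""

def hash_algorithm(override=None):
    """MD5 by default; DSS_DEFAULT_HASH_ALGORITHMS or an explicit override picks another hashlib name."""
    name = (override or os.environ.get("DSS_DEFAULT_HASH_ALGORITHMS", "md5")).lower()
    if name not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hash algorithm: {name}")
    return name

def content_digest(content, algorithm=None):
    return hashlib.new(hash_algorithm(algorithm), content).hexdigest()

def extract_parts(eml_bytes, outdir, algorithm=None):
    """Write every leaf MIME part (bodies and attachments) to outdir as <digest>.vir."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    results = []  # (digest, declared filename or None, size in bytes)
    for part in msg.walk():
        if part.is_multipart():  # containers carry no content of their own
            continue
        content = part.get_payload(decode=True) or b""
        digest = content_digest(content, algorithm)
        (outdir / f"{digest}.vir").write_bytes(content)  # content-addressed: duplicates collapse
        results.append((digest, part.get_filename(), len(content)))
    return results
```

The .vir files can then be fed to the analysis tool of your choice, exactly as with the myjson-filter.py -W hashvir command above.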


Wednesday 4 June 2025

Quickpost: Firefox Profiles and Multiple Instances

Filed under: Quickpost — Didier Stevens @ 0:00

It’s something I’ve been doing for 10+ years, but every couple of years I need to configure this again (on a new machine), and then I have to look up the details because I forgot them. Hence this quickpost.

This is how I run Firefox on Windows:

"C:\Program Files\Mozilla Firefox\firefox.exe" -ProfileManager -no-remote

This allows me to run multiple instances of Firefox (option -no-remote) and invokes the profile manager (option -ProfileManager) so I can select the desired profile at startup.


Tuesday 3 June 2025

Update: search-for-compression.py Version 0.0.4

Filed under: Beta,My Software,Update — Didier Stevens @ 0:00

This tool is still beta.

VBA compression is now supported, besides zlib compression. Option -t (--type) was added so that one can choose the compression type to search for. Possible values are zlib (the default) or vba.

And shortcut #p# was added to the yara option, to predefine these rules:

rule attribute_vb_name {
    strings:
        $a = "Attribute VB_Name = "
    condition:
        $a
}

rule dir {
    strings:
        $a = { 01 00 04 }
    condition:
        $a at 0
}

I’ll explain in another blog post how these features can be used to analyze MS Access databases with a VBA project.

Monday 2 June 2025

Update: myjson-transform.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings options -f and -c.

Option -f is used to define a Python function (function name or lambda) that will be applied to the content of each item in the MyJSON data.

Option -c is a shortcut for calling the CutData function via option -f. The lambda that is generated is: lambda data: CutData(data, 'CUTEXPRESSION')[0]
Here CUTEXPRESSION is the cut-expression provided as the value for option -c.

myjson-transform_V0_0_2.zip (http)
MD5: BAA4F4E7E8159EB05063C588DAF2A111
SHA256: 0F79D0D1B35D3F6C7DF0C17746E18F257AF9493D8C474448D16774A405B620E4

Sunday 1 June 2025

Overview of Content Published in May

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in May:

Blog posts:

SANS ISC Diary entries:
