Didier Stevens

Sunday 16 July 2023

Update: zipdump.py Version 0.0.27

Filed under: My Software,Update — Didier Stevens @ 8:04

This is a bug fix release.

zipdump_v0_0_27.zip (http)
MD5: 91A26333FB6E2FF23A37462B5031A62F
SHA256: 99E628622C5D3F3AD957C7A41264850A4FA267E46DE8F8E1AF61C684774C0850

Overview of Content Published in June

Filed under: Announcement — Didier Stevens @ 7:50
Here is an overview of content I published in June:

Blog posts: SANS ISC Diary entries:

Saturday 17 June 2023

Update: zipdump.py Version 0.0.26

Filed under: My Software,Update — Didier Stevens @ 11:45

In this new version, new features/updates are:

  • Update to statistics to include longest strings (also hexadecimal and base64)
  • Write option: ziphashdir and alphanumvir
  • Brute-force password cracking
zipdump_v0_0_26.zip (http)
MD5: 5F6C82CD17D587D201D59A4B535F3702
SHA256: 90D0F0C1FA238DA9FBC6B7100B8EC01B0E155A0BBF22613B2BA22D5190ABF4DF

Thursday 15 June 2023

Overview of Content Published in May

Filed under: Announcement — Didier Stevens @ 7:56
Here is an overview of content I published in May:

Blog posts: SANS ISC Diary entries:

Tuesday 2 May 2023

Update: oledump.py Version 0.0.75

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings an new plugin: plugin_vba_dir.py (there are no changes to oledump).

This plugin parses the records found in the vba/dir stream to display project, references and modules information

oledump_V0_0_75.zip (http)
MD5: FB0F82B3B29883707A399B99C894EF08
SHA256: D357E48D827822D15C9C22C0B5204924FBA9FC59104818C9824AD149FE6F6249

Monday 1 May 2023

Overview of Content Published in April

Filed under: Announcement — Didier Stevens @ 22:43
Here is an overview of content I published in April:

Blog posts: SANS ISC Diary entries:

Sunday 30 April 2023

Update: zipdump.py Version 0.0.25

Filed under: My Software,Update — Didier Stevens @ 9:12

Some changes to the translate option: now it supports this format (like some of my other tools):

i=codec[:error],o=codec[:error]


i= is input and o= is output. If you don’t specify an error handling mode, strict will be used.

An example of the format is: i=utf16,o=latin:ignore
This will read binary data in utf16 strict mode, and convert it to binary data in ANSI (latin) and ignore all utf16 characters that can not be represented in latin.

zipdump_v0_0_25.zip (http)
MD5: 141BCA65BF89E0561B42901598406113
SHA256: 54E23B4E7A3EB1B31394FCCC32F6509CFB448E0D917615C4C05E431784E70978

Monday 10 April 2023

New Tool: myjson-transform.py

Filed under: Announcement,My Software,Uncategorized — Didier Stevens @ 8:05

This tool takes JSON output from tools like oledump, zipdump, base64dump, … via stdin and transforms the data produced by these tools.
The transformation function (name Transform) has to be defined in a Python script provided via option -s.

This Transform function has 2 arguments: items and options.
items is a list of dictionaries produced by the “feeding” tool , e.g., the tool whose JSON output is piped into this tool (oledump, …).
Each dictionary has 3 keys: id, name and content.

The transformation function reads content from the items, and transforms it. The transformed data is the return value of the Transform function, and it can also be stored in the items list (modifying the values of the dictionaries, like the content value for example).

By default, this tool will output the transformed data (return value of Transform function) as binary data.
With options -a, -A, -x, -X, -b, -B this output can be presented as ASCII dump, hex dump and base64 dump. Option -d is also present to explicitly request a binary dump.

If option –jsonoutput is used, then the return value of the Transform function is ignored, and in stead, the transformed items are output as JSON data.
The –jsonouput option can not be combined with the above output format options.

Option -p (–parameter) is a string option that is passed on to the Transform function (via options argument). It is designed to be used by the developer of the Transform function as they see fit.
For example, it can be used to tell the Transform function which item to select for transformation, in case there are several items.

Take a look at my SANS ISC diary entry “Another Malicious HTA File Analysis – Part 2” for an example on how to decrypt an AES encrypted payload.

myjson-transform_V0_0_1.zip (http)
MD5: 01669E77D9706317A92112E2918A73B9
SHA256: 5DD1DB80D18480196C5EEF415AA7D22C1EB54B985B4D6ACF56E739B58052D34C

Saturday 8 April 2023

Update: dnsresolver.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 7:42

I added support for label * (wildcard label).

dnsresolver_V0_0_3.zip (http)
MD5: 18958CEEB8CD62B50D6533A477008649
SHA256: E8BB634C9D5562D640D23AA426948D166977193931794E67761F1BCD2436466E

Tuesday 4 April 2023

Update: 1768.py Version 0.0.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of 1768.py brings an option to try out all 256 xor keys if a non-standard XOR key is used to encode the configuration.

Like this sample (key !):

1768_v0_0_18.zip (http)
MD5: 323D6D20483257D76D7F9DAD07AAF630
SHA256: 653CB75FF59C27FB9A2FD651DDE2EC81A4F577F7F9050353CB0B75DF6CA95773
« Previous PageNext Page »

Blog at WordPress.com.