Didier Stevens

Sunday 1 May 2022

Overview of Content Published in April

Filed under: Announcement — Didier Stevens @ 10:16
Here is an overview of content I published in April:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts: NVISO Videos:

Monday 18 April 2022

New Tool: pngdump.py (Beta)

Filed under: Announcement,My Software — Didier Stevens @ 7:11

Here is a new tool I’m releasing as beta: pngdump.py.

It’s a tool to analyze PNG files. Unlike jpegdump, you can not yet select items for further analysis.

Saturday 9 April 2022

New Tool: myjson-filter.py

Filed under: Announcement,My Software — Didier Stevens @ 8:50

A couple of my tools can produce JSON output, using my own format (myjson).

This output can then be piped into another tool, like strings.py or file-magic.py.

I’m now releasing a tool that can be put into a command pipe to filter the JSON data: myjson-filter.py

For example, here I use myjson-filter.py to remove all items that are XML files (based on the content: starting with <?xml) before strings are extracted with strings.py:

More info in this ISC diary entry I wrote: “Method For String Extraction Filtering“.

myjson-filter_V0_0_2.zip (http)
MD5: 15DDC15DE65F447CE6DA94F8B34C5066
SHA256: EB330FE49421A13A8743F18064788DC2E8189A9B63FD19D517F0B830D1569321

Friday 1 April 2022

Overview of Content Published in March

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in March:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts: NVISO Videos:

Saturday 5 March 2022

Overview of Content Published in February

Filed under: Announcement — Didier Stevens @ 14:15
Here is an overview of content I published in February:

Blog posts: YouTube videos: SANS ISC Diary entries:

Wednesday 2 February 2022

Overview of Content Published in January

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in January:

SANS ISC Diary entries:

Saturday 1 January 2022

Overview of Content Published in December

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in December: Blog posts: YouTube videos: SANS ISC Diary entries:

Wednesday 1 December 2021

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in November:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts:

Monday 29 November 2021

New Tool: cs-parse-traffic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

This tool is the combination of beta tool cs-parse-http-traffic.py (discontinued) and unreleased tool cs-parse-dns-traffic.py: it can decrypt and parse Cobalt Strike DNS and HTTP beacon network traffic.

By default it handles HTTP traffic. Use option -f dns to handle DNS traffic.

cs-parse-traffic_V0_0_3.zip (https)
MD5: D11D64222CD77407FCEE5E6235470828
SHA256: 916B44513620FD2BB3F7263D279E8219419A87F89CDA1253011D7338896405DD

Wednesday 3 November 2021

New Tool: cs-extract-key.py

Filed under: Announcement,Encryption,My Software — Didier Stevens @ 0:00

cs-extract-key.py is a tool designed to extract cryptographic keys from Cobalt Strike beacon process memory dumps.

This tool was already available in my beta repository.

This tool can extract cryptographic keys from process memory dumps of a version 3.x beacon directly:

And from version 4.x together with encrypted data extracted from network capture:

More details can be found in the man page, and in and upcoming blog post.

cs-extract-key_V0_0_1.zip (https)
MD5: 4102A5A5BFD4D432DA4A721D43F568F5
SHA256: BBEDF6CBFFF51669187694F463C32A49F53420BEDF8B76508D06850643DE334F
Next Page »

Blog at WordPress.com.