Didier Stevens

Monday 1 October 2018

Title: Overview of Content Published in September

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in September:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Wednesday 5 September 2018

Overview of Content Published in August

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in August:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog:

Monday 20 August 2018

Obtaining Malware Samples for Analysis

Filed under: Announcement,Malware — Didier Stevens @ 0:00

In my malware analysis blog posts and videos, I always try to include the hash or VirusTotal link of the sample(s) I analyze. If I don’t, it means I’m not at liberty to share the hash.

For every video that I post on YouTube, I create a corresponding video blog post (https://videos.DidierStevens.com) with more info like the sample’s hash and a link to VirusTotal.

In the description of the YouTube video, you will find a link to the video blog post.

Example:

I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find the other hashes, like SHA256, there.

Regarding MD5: I don’t worry about hash collisions for malware samples. Actually, if there is an MD5 hash collision, VirusTotal will inform me, and that would make my day 🙂.

Don’t ask me for the malware samples I analyze; I don’t host or send these malware samples. If you or your organization have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal.

If you don’t, there are several free repositories online (sometimes they require free registration). Lenny Zeltser has a list of repositories.


Thursday 2 August 2018

Overview of Content Published in July

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in July:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog:

Wednesday 11 July 2018

New Tool: file-magic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

I find the *nix tool file very useful. There’s no equivalent on Windows, which is why I use a Windows port of this tool.

But it has some limitations, the most annoying to me being the lack of support for stdin. This prevents me from using it in a chain of commands.

That’s the main reason I developed file-magic.py, a Python tool that is essentially a wrapper for the Python magic module.

On Windows and OSX, install module python-magic-bin with pip (this will install binaries too), while on Linux install module python-magic.

Here is an example showing how output from base64dump is piped into file-magic:

And here is an example with jsonoutput I mentioned before:

You can also add your own definitions to the file file-magic.def.

For example, I added a definition for VBE/JSE files (encoded .vbs/.js scripts).

file-magic_V0_0_2.zip (https)
MD5: EAE684E74731FF493D5EC5D243EB16B6
SHA256: 9B0E7B47CAED8F5627DEFCE19B737554BBF998EF380187D6DE4FC1C9572EC9ED
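The two points made above, stdin support so the tool can sit at the end of a pipe, and a user-supplied definition for VBE/JSE files, as an added Python example. This is not file-magic.py itself: it assumes the python-magic module (optional here, with a small constructed fallback table when it is absent) and expresses the custom definition as an in-code table instead of a file-magic.def entry; the VBE/JSE entry matches the "#@~^" header written by the Windows Script Encoder.

```python
import sys

# Fallback used only when python-magic is not installed: a handful of
# well-known magic numbers (constructed for this example, not a full database).
BUILTIN_SIGNATURES = [
    (0, b"MZ", "MS-DOS/PE executable"),
    (0, b"\x7fELF", "ELF executable"),
    (0, b"%PDF-", "PDF document"),
    (0, b"PK\x03\x04", "Zip archive"),
]

# User definitions in the spirit of file-magic.def, checked before libmagic
# so that types libmagic does not know (encoded scripts) are still named.
CUSTOM_SIGNATURES = [
    (0, b"#@~^", "Windows Script Encoder encoded script (VBE/JSE)"),
]


def match_signatures(data, table):
    """Return the description of the first table entry whose bytes appear at
    its offset in data, or None when nothing matches."""
    for offset, magic_bytes, description in table:
        if data[offset:offset + len(magic_bytes)] == magic_bytes:
            return description
    return None


def identify(data):
    """Custom definitions first, then libmagic if available, then fallback."""
    custom = match_signatures(data, CUSTOM_SIGNATURES)
    if custom is not None:
        return custom
    try:
        import magic  # python-magic (Linux) or python-magic-bin (Windows/OSX)
        return magic.from_buffer(data)
    except (ImportError, AttributeError):
        return match_signatures(data, BUILTIN_SIGNATURES) or "data"


def read_input(argv):
    """Read the file named on the command line, or stdin when none is given,
    so the tool can consume the output of a preceding command."""
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            return f.read()
    return sys.stdin.buffer.read()


if __name__ == "__main__":
    print(identify(read_input(sys.argv)))
```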

Monday 2 July 2018

Overview of Content Published in June

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in June:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Thursday 21 June 2018

Validating Your Downloads

Filed under: Announcement,My Software — Didier Stevens @ 0:00

Occasionally, a comment is posted on my blog to report that the posted hash of a file doesn’t match the hash of the downloaded file. Often, it’s because the reader calculated the hash of my program, and not the hash of the downloaded ZIP file containing the program.

Let’s clarify this. Here is an example of download details I use in my blog posts:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

First you have the HTTP download link to the file, and then you have the HTTPS download link of the same file.

Next, you have the MD5 hash and SHA256 hash of the hosted file, i.e. the ZIP file.

The links and hashes are served by one host (blog.didierstevens.com), and the file is served by another host (didierstevens.com).

To validate that the file you downloaded has not been tampered with, or corrupted during the download, calculate the hash of the downloaded file (if it’s a ZIP file, calculate the hash of the ZIP file, not of the archived files) and compare it with the hash I published.

If you don’t have a tool to do this, you can use my hash.py tool like this:
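The check described in this post as an added Python example (this is not hash.py): it hashes a download in chunks, compares the result with a published hash case-insensitively, and reproduces the mismatch readers run into by hashing a constructed in-memory ZIP and then its archived member. The archive name and contents are made up for the example.

```python
import hashlib
import hmac
import io
import zipfile


def file_hashes(source, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a path or a bytes buffer, read in
    chunks so a large download need not fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    stream = io.BytesIO(source) if isinstance(source, bytes) else open(source, "rb")
    with stream:
        for chunk in iter(lambda: stream.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify(source, published_sha256):
    """True when the download's SHA256 equals the published one. Published
    hashes are uppercase, so compare case-insensitively."""
    _, actual = file_hashes(source)
    return hmac.compare_digest(actual.lower(), published_sha256.lower())


def build_sample_zip():
    """Constructed stand-in for a downloaded tool_V0_0_1.zip (hypothetical):
    one script inside a ZIP, with a fixed timestamp so the bytes are stable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("tool.py", date_time=(2018, 6, 21, 0, 0, 0))
        info.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(info, "print('hello')\n")
    return buf.getvalue()


def archive_vs_member_hashes():
    """Return (sha256 of the ZIP, sha256 of the script inside it); only the
    first one matches what a blog post publishes for the ZIP download."""
    zip_bytes = build_sample_zip()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        member_bytes = zf.read("tool.py")
    return file_hashes(zip_bytes)[1], file_hashes(member_bytes)[1]
```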

Tuesday 5 June 2018

Overview of Content Published In May

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in May:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Tuesday 1 May 2018

Overview of Content Published In April

Filed under: Announcement — Didier Stevens @ 8:23

Here is an overview of content I published in April:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

NVISO Blog posts:

Sunday 1 April 2018

Overview of Content Published In March

Filed under: Announcement — Didier Stevens @ 11:11

Here is an overview of content I published in March:

Blog posts:

SANS ISC Diary entries:

