Didier Stevens

This tool takes JSON output from tools like oledump, zipdump, base64dump, … via stdin and transforms the data produced by these tools.
The transformation function (name Transform) has to be defined in a Python script provided via option -s.

This Transform function has 2 arguments: items and options.
items is a list of dictionaries produced by the “feeding” tool , e.g., the tool whose JSON output is piped into this tool (oledump, …).
Each dictionary has 3 keys: id, name and content.

The transformation function reads content from the items, and transforms it. The transformed data is the return value of the Transform function, and it can also be stored in the items list (modifying the values of the dictionaries, like the content value for example).

By default, this tool will output the transformed data (return value of Transform function) as binary data.
With options -a, -A, -x, -X, -b, -B this output can be presented as ASCII dump, hex dump and base64 dump. Option -d is also present to explicitly request a binary dump.

If option –jsonoutput is used, then the return value of the Transform function is ignored, and in stead, the transformed items are output as JSON data.
The –jsonouput option can not be combined with the above output format options.

Option -p (–parameter) is a string option that is passed on to the Transform function (via options argument). It is designed to be used by the developer of the Transform function as they see fit.
For example, it can be used to tell the Transform function which item to select for transformation, in case there are several items.

Take a look at my SANS ISC diary entry “Another Malicious HTA File Analysis – Part 2” for an example on how to decrypt an AES encrypted payload.