Didier Stevens

Sunday 18 September 2022

New Tool: split-overlap.py

Filed under: Announcement,My Software — Didier Stevens @ 12:19

split-overlap.py is a tool to split a binary file in parts of a given size.

For example: split-overlap.py 1000 test.data

When test.data is a binary file with size 2500 bytes, the above command will create 2 files of 1000 bytes and one file of 500 bytes.

It’s also possible to split a file with some overlap. Like this:

The blue block represents the original file, the yellow blocks are parts of the original file without overlap, and the green blocks represent parts of the original file with some overlap.

A command to achieve this, is, for example: split-overlap.py 100M+1M dump

This will create parts of 101 MB in size, with a overlap of 1 MB.

The main reason I developed this tool, is to be able to handle very large files, like memory dumps, by tools who can not handle such large files.

Splitting up a file in smaller, equal parts is a solution, but then you run the risk (a small risk) that the pattern you are looking for, is just at the “edge”: that the file is split in such a way, that one part contains the beginning of the pattern, and the next part contains the rest of the pattern. Then your tools are unlikely to find the pattern.

I solve this with my tool by using an overlap. You just have to make sure that the size of the overlap, is larger than the pattern you are looking for.

If you want to know more, read the man page: split-overlap.py -m

split-overlap_V0_0_1.zip (http)
MD5: 77CFF0787244B3B940B07D099C26C3F1
SHA256: 3C246F35F612A43B83843F327AB4EA4EE2CADDBCEDEAD9C50540228DAB17025A

Thursday 15 September 2022

Update: virustotal-search.py Version 0.1.7

Filed under: My Software,Update — Didier Stevens @ 7:41

A new option was added to limit the amount of requests: -l (–limitrequests).

virustotal-search_V0_1_7.zip (http)
MD5: BB6E9D480F7BCF0FD3F0CB8EED1B49FE
SHA256: AEFEB5761A5BBEE998FA20A68213316522C7554796F47EB8C7EB2A5DF1D4E73D

Saturday 10 September 2022

Maldoc Analysis Video – Rehearsed & Unrehearsed

Filed under: maldoc,Malware,My Software,video — Didier Stevens @ 21:41

When I record maldoc analysis videos, I have already analyzed the maldoc prior to recording, and I rehearse the recording.

This time, I also recorded the unrehearsed analysis: when I take the first look at a maldoc I’ve not seen before.

All in this video:

Wednesday 7 September 2022

Update: hex-to-bin.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update: when non-hexadecimal characters are found, they are listed before an exception is raised.

hex-to-bin_V0_0_6.zip (http)
MD5: 9939263DCF538BBF5FC98DB2EC83F247
SHA256: 94B2B23BCA5C000CA85EEE8AE1A16AEEDB77E72057111C8207A683BD4DDF4581

Tuesday 6 September 2022

Update: xor-kpa.py Version 0.0.6

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This is an update for my tool to perform XOR known plaintext attacks: xor-kpa.py.

The tool has been updated for Python 3, and 3 new plaintext have been added, all for Cobalt Strike configurations.

cs-key is the header of the configuration entry for the public key.

cs-key-dot is the header of the configuration entry for the public key XORed with value 0x2E (a dot).

cs-key-i is the header of the configuration entry for the public key XORed with value 0x69 (letter i).

xor-kpa_V0_0_6.zip (http)
MD5: 4BA5EDEAEF6C8D528227607E78A2A797
SHA256: F7BE170D09E8B8A5B4127F64EC66FFF69EFD3EFA3B4EAC0304B39905A75CDE2A

Monday 5 September 2022

Update: translate.py Version 2.5.12

Filed under: My Software,Update — Didier Stevens @ 15:50

A small update for my translate.py program.

Python function Xor takes now 2 extra, optional arguments:

hexadecimal: a boolean, by default False.

When True, the key is provided as an hexadecimal string.

rotation: an integer, by default 0

This is the number of bytes to rotate the key to the left. For example, when the key is ABCD, a rotation value of 1 yiels key BCDA.

translate_v2_5_12.zip (http)
MD5: 4B0C79AF8A1D41BA735C5030912E6C28
SHA256: 899109A9D787D6781AEB0569330A01709063BB3FD58F4AED068A57951B230F88

Sunday 4 September 2022

Update: oledump.py Version 0.0.70

Filed under: maldoc,My Software,Update,video — Didier Stevens @ 15:38

This is an update to plugin plugin_vba_dco.py, improving generalization and adding option -p.

You can watch this maldoc analysis video to learn how to use the generalization feature of this plugin:

oledump_V0_0_70.zip (http)
MD5: D6EC4FD6B7BE60E01A98922BC06A1E8F
SHA256: E9EE79501A08E896A601F1AFDDB6D3C05D9A2A1FD5899D44AC422DD79E4EF678

Friday 2 September 2022

Update: jpegdump.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 19:14

This update to jpegdump.py, my tool to analyze JPEG images, brings 2 small changes:

Data between segments can be selected with suffix d. Like this: -s 10d

This means: select the data between segments 9 and 10.

And when option -E is used to add hash values, repeating hashes are marked with parentheses.

jpegdump_V0_0_10.zip (http)
MD5: 5B33C0ECB94E3284CA64E98B5A0947C3
SHA256: D8C657DB7564160725C95677BE200EB3A902BDC74CF335EFA8499596495633F0

Saturday 27 August 2022

Update: 1768.py Version 0.0.16

Filed under: My Software,Update — Didier Stevens @ 9:13

This is a bug fix version and also adds updated statistics.

1768_v0_0_16.zip (http)
MD5: E72E66BE5A66DC2C6E1806DE82DF9B39
SHA256: 008E15C617EE94D849A3325643497D216E559609602E97CF2EE41968CCA5D096

Wednesday 17 August 2022

Update: 1768.py Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 22:30

Some new features that help with analyzing memory dumps.

Here is the analysis of a VMware vmem file:

There’s a new sanity check, determining if an extracted configuration is OK or not OK (NOK).

A config passes the sanity check if it contains a valid payload type and a valid public key.

Configurations that don’t pass the sanity check, are most likely false positives: they have a valid header, but no valid fields. They can show up in memory dumps of Windows machines.

Option -S can be used to hide configurations that don’t pass the sanity check:

Now we are just left with detections of the sleep mask routine. What’s new in this version, is that the position where the signature was found is listed.

Finding both 32-bit and 64-bit routines is unusual.

Option -V can be used to dump 256 bytes before and after the signature, to help us get an idea what we are dealing with.

And what we actually found here, is the memory of the anti-virus program containing signatures, like signatures for Cobalt Strike sleep mask deobfuscation routines.

1768_v0_0_15.zip (http)
MD5: 15EBA21D59D78ED9A674DC2B88687555
SHA256: 73987F1B8577A5C31B2D7BDC197A465F8700B3F3C7838A31802BD77FFC872C42
« Previous PageNext Page »

Blog at WordPress.com.