Didier Stevens

Tuesday 20 September 2022

Update: My Python Templates Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds the option –trim to template process-text-files.py.

python-templates_V0_0_8.zip (http)
MD5: 6C845823BB8AC4DB42993B994E93AF66
SHA256: 20EC1E6540DF31939686CA4B54C5312DF3724EB756B16BA724722C3196BDF93F

Monday 19 September 2022

Update: strings.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This version of my strings.py program adds option -N to select strings that end with a NUL character (C-strings).

strings_V0_0_8.zip (http)
MD5: 29015239E6385FFA63C2E33755C34CD9
SHA256: 449AC9AA39A464D7C5883DED3FE9CB21A2E8E700F7763AD4199C25D37DCBD296

Sunday 18 September 2022

New Tool: split-overlap.py

Filed under: Announcement,My Software — Didier Stevens @ 12:19

split-overlap.py is a tool to split a binary file in parts of a given size.

For example: split-overlap.py 1000 test.data

When test.data is a binary file with size 2500 bytes, the above command will create 2 files of 1000 bytes and one file of 500 bytes.

It’s also possible to split a file with some overlap. Like this:

The blue block represents the original file, the yellow blocks are parts of the original file without overlap, and the green blocks represent parts of the original file with some overlap.

A command to achieve this, is, for example: split-overlap.py 100M+1M dump

This will create parts of 101 MB in size, with a overlap of 1 MB.

The main reason I developed this tool, is to be able to handle very large files, like memory dumps, by tools who can not handle such large files.

Splitting up a file in smaller, equal parts is a solution, but then you run the risk (a small risk) that the pattern you are looking for, is just at the “edge”: that the file is split in such a way, that one part contains the beginning of the pattern, and the next part contains the rest of the pattern. Then your tools are unlikely to find the pattern.

I solve this with my tool by using an overlap. You just have to make sure that the size of the overlap, is larger than the pattern you are looking for.

If you want to know more, read the man page: split-overlap.py -m

split-overlap_V0_0_1.zip (http)
MD5: 77CFF0787244B3B940B07D099C26C3F1
SHA256: 3C246F35F612A43B83843F327AB4EA4EE2CADDBCEDEAD9C50540228DAB17025A

Thursday 15 September 2022

Update: virustotal-search.py Version 0.1.7

Filed under: My Software,Update — Didier Stevens @ 7:41

A new option was added to limit the amount of requests: -l (–limitrequests).

virustotal-search_V0_1_7.zip (http)
MD5: BB6E9D480F7BCF0FD3F0CB8EED1B49FE
SHA256: AEFEB5761A5BBEE998FA20A68213316522C7554796F47EB8C7EB2A5DF1D4E73D

Saturday 10 September 2022

Maldoc Analysis Video – Rehearsed & Unrehearsed

Filed under: maldoc,Malware,My Software,video — Didier Stevens @ 21:41

When I record maldoc analysis videos, I have already analyzed the maldoc prior to recording, and I rehearse the recording.

This time, I also recorded the unrehearsed analysis: when I take the first look at a maldoc I’ve not seen before.

All in this video:

Wednesday 7 September 2022

Update: hex-to-bin.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update: when non-hexadecimal characters are found, they are listed before an exception is raised.

hex-to-bin_V0_0_6.zip (http)
MD5: 9939263DCF538BBF5FC98DB2EC83F247
SHA256: 94B2B23BCA5C000CA85EEE8AE1A16AEEDB77E72057111C8207A683BD4DDF4581

Tuesday 6 September 2022

Update: xor-kpa.py Version 0.0.6

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This is an update for my tool to perform XOR known plaintext attacks: xor-kpa.py.

The tool has been updated for Python 3, and 3 new plaintext have been added, all for Cobalt Strike configurations.

cs-key is the header of the configuration entry for the public key.

cs-key-dot is the header of the configuration entry for the public key XORed with value 0x2E (a dot).

cs-key-i is the header of the configuration entry for the public key XORed with value 0x69 (letter i).

xor-kpa_V0_0_6.zip (http)
MD5: 4BA5EDEAEF6C8D528227607E78A2A797
SHA256: F7BE170D09E8B8A5B4127F64EC66FFF69EFD3EFA3B4EAC0304B39905A75CDE2A

Monday 5 September 2022

Update: translate.py Version 2.5.12

Filed under: My Software,Update — Didier Stevens @ 15:50

A small update for my translate.py program.

Python function Xor takes now 2 extra, optional arguments:

hexadecimal: a boolean, by default False.

When True, the key is provided as an hexadecimal string.

rotation: an integer, by default 0

This is the number of bytes to rotate the key to the left. For example, when the key is ABCD, a rotation value of 1 yiels key BCDA.

translate_v2_5_12.zip (http)
MD5: 4B0C79AF8A1D41BA735C5030912E6C28
SHA256: 899109A9D787D6781AEB0569330A01709063BB3FD58F4AED068A57951B230F88

Sunday 4 September 2022

Update: oledump.py Version 0.0.70

Filed under: maldoc,My Software,Update,video — Didier Stevens @ 15:38

This is an update to plugin plugin_vba_dco.py, improving generalization and adding option -p.

You can watch this maldoc analysis video to learn how to use the generalization feature of this plugin:

oledump_V0_0_70.zip (http)
MD5: D6EC4FD6B7BE60E01A98922BC06A1E8F
SHA256: E9EE79501A08E896A601F1AFDDB6D3C05D9A2A1FD5899D44AC422DD79E4EF678

Friday 2 September 2022

Update: jpegdump.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 19:14

This update to jpegdump.py, my tool to analyze JPEG images, brings 2 small changes:

Data between segments can be selected with suffix d. Like this: -s 10d

This means: select the data between segments 9 and 10.

And when option -E is used to add hash values, repeating hashes are marked with parentheses.

jpegdump_V0_0_10.zip (http)
MD5: 5B33C0ECB94E3284CA64E98B5A0947C3
SHA256: D8C657DB7564160725C95677BE200EB3A902BDC74CF335EFA8499596495633F0
« Previous PageNext Page »

Blog at WordPress.com.