This new version of numbers-to-string.py has a new option: -t (table).
With this option, you can use another table for number-to-character conversion than ASCII. Just provide the table as a string (a sequence of characters):
And I made a change to option –end: now it will select up to the last string occurrence provided, no longer the first one.
numbers-to-string_v0_0_6.zip (https)
MD5: 283003C9B328A3DB79BC83AD3C3B0FB1
SHA256: E96417C26EA1231748C6A5DE2F12F56D816F2F875795ED7412ED5D6458CF7B93
This new version (actually, 0.0.8 and 0.0.9) brings the following changes:
All items can be selected now with -s a.
A warning is displayed when option -s (selecting) does not result in the selection of an item.
Option -A does a run-length encoded ASCII dump (cfr. -a).
JSON output is possible with option –jsonoutput.
Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).
And offsets in a cut expression can now be hexadecimal too (prefix 0x).
rtfdump_V0_0_9.zip (https)
MD5: 26BE358EC8D42BB7532B6C0C1EBAD1F2
SHA256: 3F6410AC7880116CDDE4480367D3F5AA534CCA3047B75FEA0F4BA1F5EAA97B07
I’ve been using my own Python implementation of command strings for 3 years now: time for a release (it was already available on my Beta github).
-L (–length) is an option I use often: it sorts the extracted strings from shortest to longest. When analyzing malicious documents and (binary) malware, often the interesting strings are rather long.
Like in this malicious Word document, where the longest string is the malicious PowerShell command.
It also supports JSON input.
For more options and information, take a look at the help (-h) and manual (-m):
strings_V0_0_3.zip (https)
MD5: DE008589A0B4B3C33B52BE3A171EB14D
SHA256: 9EBA69933B44DF41F4B51EE45B510E15FA85BCB38AD4CE45C863E8BBDAFED489
This new version of oledump brings several new features.
When option -i is used without selecting a stream, the overview will contain the size of the compiled code and the source code for all modules:
Selecting just the compiled code from a module stream can be done with suffix c: oledump.py -s A4c sample.xlsm.
Suffix s is to be used to select source code only: oledump.py -s A4s sample.xlsm.
A warning is displayed when option -s (selecting) does not result in the selection of a stream.
Option -A does a run-length encoded ASCII dump (cfr. -a).
Option -T does a head & tail: select the first 10 and last 10 lines of the output.
Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).
And offsets in a cut expression can now be hexadecimal too (prefix 0x).
oledump_V0_0_39.zip (https)
MD5: 5C9A1D94E1BC857877116E425D80A197
SHA256: DF7FFA0C707C8D66C0E0FBEE583286DBA9970824782C6B7AB6BFDC30A85BB419
cut-bytes.py is a tool I use to select (cut) a sequence of bytes out of a file, using a cut-expression. This expression specifies the start of the sequence and the end of the sequence.
In this example, I use a cut-expression to find the first occurrence of MZ (i.e. [‘MZ’]) and select 8 bytes (8l) starting at the position of that occurrence (-a is ASCII dump):
I realized that with a few changes, I could add a binary grep feature to cut-bytes. Option -g activates this binary grep:
In stead of one occurrence (the first), with option -g, all occurrences are selected.
JSON output is now also available with option –jsonoutput:
This JSON output contains all the selected byte sequences (BASE64 encoded and with metadata), and it can be piped into tools that accept this format, like file-magic.py:
file-magic will then identify each byte sequence. As you can guess, I’m looking for PE files embedded in file update.bin. But the byte sequences are too short (8 bytes) for file-magic.py to properly identify file types. By increasing the length to 512 bytes, file-magic.py has enough data to locate 2 PE files (a 32-bit DLL and a 64-bit DLL) inside update.bin:
Option -G is identical to -g, except that the selected byte sequences will not overlap.
And I also added a “run length encoded” ASCII dump (-A). If 2 or more consecutive output lines are identical, the duplicates are suppressed:
cut-bytes_V0_0_8.zip (https)
MD5: 1A69542E7E9D7348101B7E91884674B7
SHA256: 15BC253323FF162F26BEF784172A502383970E63514DF6B88A09952A19DAE826
This new version adds CSV output via option -C:
hash_V0_0_6.zip (https)
MD5: DE0AC3F7809E55E1577EB049A5F34EDF
SHA256: D66FF1D5173E3DDAFC842087B9E4E8447C18EF0AA8C03E02A365E3F9028BA8D9
When using option -f to specify struct members, you can now also use new option -n (annotations) to annotate members.
Like in this example:
format-bytes_V0_0_6.zip (https)
MD5: D73C88AB15B8AE3B30BA2C5EBE8CC77E
SHA256: 3FB480B52F5BF535A54B66CABBD853666B3E306EFAE4BD9247B45255F223E0B6
I added a new option to file-magic.py to limit identification to the custom definitions: -C.
file-magic_V0_0_4.zip (https)
MD5: CCF170F09B1442D27AE6519A0BB0CBAB
SHA256: F240BAEE78C8AE4DB29724D8A8F2A5DEDEFE47570219D700FB3BB9A6707432BB
This is an update with a custom definition to recognize compressed RTF.
file-magic_V0_0_3.zip (https)
MD5: C46EBA4BC6BC63E097A86E30E6DE5432
SHA256: 3F3012B06182925C1A42678977089184B9C97C37CD025F9D71757B4227E7BE09
VBA macros inside a PowerPoint document are not stored directly inside streams, but as records in the “PowerPoint Document” stream. I have a plugin to parse the records of the “PowerPoint Document” stream, but I failed to extract the embedded, compressed OLE file with the macros. Until a recent tweet by @AngeAlbertini brought this up again. On his sample too I failed to extract the compressed OLE file, but then I remembered I had fixed a problem with zlib extraction in pdf-parser.py. Taking this code into plugin_ppt.py fixed the decompression problems.
VBA macros in a PowerPoint document do not appear directly in streams:
Plugin plugin_ppt parses records found in stream “PowerPoint Document”:
Each line represents a record, prefixed by an index generated by the plugin (to easily reference records). Records with a C indicator (like 1 and 435) contain sub-records. Records prefixed with ! contain an embedded object.
Record 441 (RT_ExternalOleObjectStg) interests us because it contains an OLE file with VBA macros.
Plugin option -s can be used to select this record:
Plugin option -a can then be used to do an hex/ascii dump:
The first four bytes are the size, and then follows the zlib compressed OLE file (as indicated by 0x78).
This OLE file can be decompressed and extracted with option -e, but pay attention to use option -q (quiet) so that oledump will only report the output of the plugin, and nothing else. This can then be piped into a second instance of oledump:
And now we can extract the VBA macros:
oledump_V0_0_38.zip (https)
MD5: C1D7F71A390497A516F67D798BA25128
SHA256: 4CADEE69D024E9242CDA0CE3A9C22BCB1CAFF9D5BA2D946519C6B7C18F895B81
