Didier Stevens

Wednesday 6 March 2019

Update: pdf-parser.py Version 0.7.1

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version for statistics (-a).

pdf-parser_V0_7_1.zip (https)
MD5: 1480D3BF602686C9E7C2FE82AC6C963B
SHA256: D2C8E0599A84127C36656AA2600F9668A3CB12EF306D28752D6D8AC436A89D1A

Thursday 28 February 2019

Update: pdf-parser.py Version 0.7.0

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This new version of pdf-parser brings support for analysis of stream objects (/ObjStm). Use new option -O to enable this mode.

Stream objects (/ObjStm) are objects that contain other objects: they have a stream, containing other objects. These contained objects can not have a stream.

pdfid.py detects the presence of stream objects:

But pdfid can not look inside a stream, to figure out what objects are inside. That’s why I always say to use pdf-parser to select and decompress stream objects, and then pipe this through pdfid:

When pdf-parser parses a stream object, it does not parse the content of its stream:

This changes with this new version of pdf-parser. When option -O is used, pdf-parser extracts objects from /ObjStm streams and handles them like normal objects. In the following example, object 2 is contained in object 1:

pdf-parser provides statistics for a PDF’s content with option -a:

Combining option -a with option -O includes objects present inside stream objects (this is an alternative for combining both tools: pdf-parser -s objstm -f a.pdf | pdfid -f):

This output shows that /JavaScript can be found in object 7. We need to use option -O to find object 7 “hiding” in object 1:

If we forget to use option -O, object 7 is not found:

Here is a video showing this new feature:

pdf-parser_V0_7_0.zip (https)
MD5: CDE355BB3FCACE3C4EDBC762E632F9AB
SHA256: 219FF0BB729C4478679A79163CA9942296ACF49E4EC06D128CBC53FBEE25FF05

Wednesday 27 February 2019

Update: translate.py Version 2.5.5

Filed under: My Software,Update — Didier Stevens @ 0:00

I added function ZlibRawD to translate.py to decompress Zlib compression without header (ZlibD already exists, and is for Zlib compression with header).

This compression is sometimes used in malicious PowerShell scripts:

translate_v2_5_5.zip (https)
MD5: 0BBB0E7E569BCB08D5A9278C974A3EE6
SHA256: 78E0BAC87DF47D06BB9C351FBF3CA623EE10B3993E071E7C9A0C9C4DB0FFF1D4

Monday 18 February 2019

Update: oledump.py Version 0.0.41

Filed under: My Software,Update — Didier Stevens @ 0:00

This is just an update to the cut option (-C), to support UNICODE searches, as shown in blog post “Update: cut-bytes.py Version 0.0.9“.

I show how to use this option in a malicious document analysis video below. If you want to jump straight to the point where I use option -C with a UNICODE string, go to 9:16.

oledump_V0_0_41.zip (https)
MD5: 4FD7E627F5078245705526EBE09D7989
SHA256: 0793CA920DA8B4BD09A040FEE12463BE7D8AF8AE6DFB0968CADCE478BC153CD8

Sunday 17 February 2019

Update: cut-bytes.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version supports searching for UNICODE strings: u’…’.

Example: [u’Programmé’]:0x100l

This will look for UNICODE string “Programmé” and select 256 bytes starting from the first instance of this string.

cut-bytes_V0_0_9.zip (https)
MD5: 3D11868F238AF4369372CA083303716D
SHA256: AB3EA61B0F519AB99E659F73C263A0F4C2C9DB851314C49C5DA5A5F434E0CA4E

Saturday 26 January 2019

Update: msoffcrypto-crack.py Version 0.0.3

Filed under: Encryption,My Software,Update — Didier Stevens @ 13:44

This is a bug fix update: for agile encryption, Python module msoffcrypto does not throw an exception in method load_key when an invalid password is provided. It throws an exception when an attempt is made to decrypt the file.

I added a call to method decrypt to handle this case.

msoffcrypto-crack_V0_0_3.zip (https)
MD5: 45BAB81D744DA62182EC58A8F2E05BFE
SHA256: CF9DE02C72C07C07786BE09551CD17F6DBB83BCEF2A1C5435E06A695D7C6770E

Monday 7 January 2019

Update: msoffcrypto-crack.py Version 0.0.2

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

In this update of msoffcrypto-crack.py, two new options were added:

-e takes a text file and extracts all words from this text file to be used in the dictionary attack. Words are strings delimited by space characters. Words between single or double quotes, and words after string “password” are put at the beginning of the list for the dictionary attack.

The idea for option -e, is that you give it the content of an email message that contains the password of the encrypted attachment(s).

-c takes the password to decrypt the document. You use this option after the password was recovered (with option -p or -e for example), and need to run the tool again to decrypt the document. You can run the password cracking each time when you need to decrypt the document, but if this takes too long, then you just run it once and from then on provide the recovered password with option -c.

Password VelvetSweatshop was added to the embedded password list.

msoffcrypto-crack_V0_0_2.zip (https)
MD5: 010B7FA68FCF9CE84427815EFDFE1C42
SHA256: 6B368E40EEE8A907D444A49963B37F456A3645991201CE06F0E46A0F2E188A74

Monday 31 December 2018

New Tool: msoffcrypto-crack.py

Filed under: Encryption,maldoc,My Software — Didier Stevens @ 0:00

This is a new tool to recover the password of encrypted MS Office documents. I quickly put together this script to help with the analysis of encrypted, malicious documents.

This tool relies completely on Python module msoffcrypto to decrypt MS Office documents.

Since this is a Python tool based on a Python library, don’t except fast password recovery. This is more a convenience program.

It can recover passwords using a build-in password list, or you can provide your own list via option -p.

The tool can also decrypt the encrypted MS Office document if the password is recovered: used option -o to achieve this. Otherwise, the tool just displays the recovered password.

Like many of my tools, it can take its input from stdin and provide the decrypted document via stdout.

It’s developed with Python 2, and also tested on Python 3.

Read the man page for all the details: option -m.

msoffcrypto-crack_V0_0_1.zip (https)
MD5: F67060E0DE62727A1A69D0FD6F39013A
SHA256: 1466B94B56595BA0B91F0A2606F699E1D737E964F3F1A4DFDF7EAA47843DD063

Sunday 30 December 2018

Update: format-bytes.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

In this update, I added support for “run-length encoded” ASCII dump (-A), and X and S representation for strings:

format-bytes_V0_0_7.zip (https)
MD5: 58D3380B48593B3497AD04ACB1719CF3
SHA256: 8E07C1462AE88416CF8D5218A70BCFAE34F89B284684BFD0AC6B943A39E3CA8E

Saturday 29 December 2018

New Tool: SimpleEncoder

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

I needed a 010 Editor script to do ROT-47 encoding. The script I developed supports different types of simple encodings (including ROT-47):

With custom shift encoding, you choose the shift value by providing a number in a second input dialog. This number can be negative to shift the characters to the left in stead of to the right.µ

FYI: I submitted this script to 010 Editor’s repository.

SimpleEncoder_V1_0.zip (https)
MD5: 02C7BA20D8BF9EB965B3957BE8D26094
SHA256: 7C98B404F49F5E22A8A052AB4E100BF4ABCE37F39518293FC697D21C1D36A4F3

« Previous PageNext Page »

Blog at WordPress.com.