Didier Stevens

Saturday 9 April 2022

New Tool: myjson-filter.py

Filed under: Announcement,My Software — Didier Stevens @ 8:50

A couple of my tools can produce JSON output, using my own format (myjson).

This output can then be piped into another tool, like strings.py or file-magic.py.

I’m now releasing a tool that can be put into a command pipe to filter the JSON data: myjson-filter.py

For example, here I use myjson-filter.py to remove all items that are XML files (based on the content: starting with <?xml) before strings are extracted with strings.py:
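As an added illustration (not code from myjson-filter.py itself), here is a small Python filter that drops items whose content starts with <?xml. It assumes a document layout where a top-level "items" list holds records with base64-encoded "content"; that layout is my assumption for the example, not a specification of the myjson format. The sample document, the item names, and the helper names (filter_items, content_starts_with, make_item) are all constructed for this example.

```python
import base64
import json
import sys

UTF8_BOM = b'\xef\xbb\xbf'


def content_starts_with(content, prefix):
    """Prefix test that tolerates a UTF-8 BOM and leading whitespace, which XML files often carry."""
    if content.startswith(UTF8_BOM):
        content = content[len(UTF8_BOM):]
    return content.lstrip().startswith(prefix)


def filter_items(document, prefix=b'<?xml'):
    """Return a copy of the document without the items whose decoded content starts with prefix."""
    kept = [item for item in document.get('items', [])
            if not content_starts_with(base64.b64decode(item['content']), prefix)]
    filtered = dict(document)
    filtered['items'] = kept
    return filtered


def make_item(item_id, name, raw):
    """Build one constructed item record with base64 content (assumed layout)."""
    return {'id': item_id, 'name': name, 'content': base64.b64encode(raw).decode('ascii')}


# Constructed sample document, not the output of a real tool run.
SAMPLE = {
    'items': [
        make_item(1, 'manifest.xml', b'<?xml version="1.0"?><manifest/>'),
        make_item(2, 'bom.xml', UTF8_BOM + b'<?xml version="1.0"?><r/>'),
        make_item(3, 'payload.bin', b'MZ\x90\x00\x03\x00\x00\x00'),
        make_item(4, 'notes.txt', b'plain text that mentions <?xml later'),
    ]
}

if __name__ == '__main__':
    # Read a document from a pipe when one is attached, otherwise use the constructed sample.
    document = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    json.dump(filter_items(document), sys.stdout)
```

Run it in a pipe as a stdin-to-stdout filter; items 1 and 2 are dropped (item 2 only because the BOM is stripped before the prefix test), items 3 and 4 pass through.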

More info in this ISC diary entry I wrote: “Method For String Extraction Filtering”.

myjson-filter_V0_0_2.zip (http)
MD5: 15DDC15DE65F447CE6DA94F8B34C5066
SHA256: EB330FE49421A13A8743F18064788DC2E8189A9B63FD19D517F0B830D1569321

Wednesday 30 March 2022

New Tool: xlsbdump.py

Filed under: My Software — Didier Stevens @ 0:00

This is a new tool to parse XLSB files.

It is still in beta.

Tuesday 29 March 2022

Update: oledump.py Version 0.0.64

Filed under: My Software,Update — Didier Stevens @ 7:22

This new version of oledump brings option -u. This option is used to look for data past the end of the streams.

oledump_V0_0_64.zip (http)
MD5: D2FE33398A2BA85A760518972C0207D3
SHA256: C44F11D31CDCFDE0E7207363A9F35ED07A98A69A4A4228A8CA49292BA8EE9683

Saturday 26 February 2022

Update: 1768.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 9:16

I included a new Cobalt Strike 4.5 private key in this release, shared with me by a user.

Further, ZIP files with AES encryption are now supported, along with a few other bug fixes.

1768_v0_0_12b.zip (https)
MD5: C1675CD1CD5E817BDBC4B10D8850D6DD
SHA256: 0694F52EFA2332E8FCFFA739AD123ABF4A75F20ACB5DE3174376FE5D816DE071

Wednesday 23 February 2022

Update: oledump.py Version 0.0.63

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix update for oledump.py.

It fixes a bug that occurred when you calculated the hash of decompressed VBA code:

oledump.py -E %MD5% -v sample.doc

oledump_V0_0_63.zip (https)
MD5: 52440972347843FF56B8F754910BFE4A
SHA256: F92660FFA0F484B46A14944A8B7B475C3D34E80D9C197FA1E99C444CA9ED533B

Monday 21 February 2022

Beta: smtp-honeypot.py

Filed under: Beta,My Software — Didier Stevens @ 16:49

This Python script is essentially a wrapper for the smtpd Python module.

I use it to receive emails, and write them to disk.

Sometimes I use this to exfiltrate (malicious) emails.

Tuesday 8 February 2022

Update: jpegdump.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 20:27

This new version of jpegdump.py adds option -E to display extra info for each segment.

This extra data is a hash of the segment’s data: md5, sha1, sha256.

jpegdump_V0_0_9.zip (https)
MD5: 1736DA65F7355308DC698E29DE8F5432
SHA256: 1E5AE79BB060F59D255999DBD74786F8A8A45DDB2C5F9C85A6FB2FA04CFD4D6C

Friday 31 December 2021

Update: base64dump.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings a new encoding: zxcn

zxcn stands for “zero x comma no-leading zero”, and is very similar to zxc encoding (zero x comma).

Example of zxc: 0x90,0x0A,0x4D,0x5A

Note the leading zero for value 0x0A (values smaller than 0x10).

With zxcn encoding, there is no leading zero for values smaller than 0x10.

Thus the example for zxcn becomes: 0x90,0xA,0x4D,0x5A
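To make the difference between the two encodings concrete, here is an added Python example (my own code, not part of base64dump.py) that encodes bytes in both forms and scans text for runs of either form, telling them apart by how bytes below 0x10 are written. The function names (encode_zxc, encode_zxcn, classify, find_zxc_runs) and the sample text are constructed for this example.

```python
import re

# One token is 0x followed by one or two hex digits; a run is tokens joined by commas.
TOKEN = r'0x[0-9A-Fa-f]{1,2}'
RUN_RE = re.compile(rf'{TOKEN}(?:,{TOKEN})*')


def encode_zxc(data):
    """zxc: two hex digits per byte, so 0x0A keeps its leading zero."""
    return ','.join(f'0x{b:02X}' for b in data)


def encode_zxcn(data):
    """zxcn: no leading zero, so the same byte becomes 0xA."""
    return ','.join(f'0x{b:X}' for b in data)


def classify(tokens):
    """Decide which encoding a run uses from the bytes below 0x10 it contains:
    'zxc', 'zxcn', 'either' (no byte below 0x10, so both encodings coincide) or 'mixed'."""
    small = [t[2:] for t in tokens if int(t[2:], 16) < 0x10]
    if not small:
        return 'either'
    if all(len(digits) == 2 for digits in small):
        return 'zxc'
    if all(len(digits) == 1 for digits in small):
        return 'zxcn'
    return 'mixed'


def find_zxc_runs(text, minimum=4):
    """Scan text for zxc/zxcn runs of at least `minimum` bytes; return (offset, encoding, bytes) tuples."""
    results = []
    for match in RUN_RE.finditer(text):
        tokens = match.group(0).split(',')
        if len(tokens) < minimum:
            continue
        decoded = bytes(int(t[2:], 16) for t in tokens)
        results.append((match.start(), classify(tokens), decoded))
    return results


if __name__ == '__main__':
    sample = b'\x90\x0a\x4d\x5a'
    print(encode_zxc(sample), '->', encode_zxcn(sample))
    # Constructed text containing one run in each encoding.
    text = 'buf = {0x90,0xA,0x4D,0x5A}; alt = 0x90,0x0A,0x4D,0x5A;'
    for offset, encoding, data in find_zxc_runs(text):
        print(offset, encoding, data.hex())
```

Note that a run without any byte below 0x10 is reported as 'either', because zxc and zxcn produce identical text for it; only small values reveal which encoding was used.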

base64dump_V0_0_20.zip (https)
MD5: 10E130F7B989EDDBF03092B8AA0585E1
SHA256: BD7ADF465CA89B10D0591A6D73E6E97DA3EF313EA7C28C90DD59F0A5CBBEB9CD

Thursday 30 December 2021

Update: pecheck Version 0.7.14

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck adds support for dumping files (-D) while using option -l P.

pecheck-v0_7_14.zip (https)
MD5: 3B5CED47987F0395CC4BC795A938EA4A
SHA256: 547941BD830C22586CE0C509DE8406424C2EB02D0C5FEAA555C43C77FCCDE33D

Tuesday 28 December 2021

Update: cs-analyze-processdump.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings some options to guide the XOR-key detection algorithm.

The beacon’s AES and HMAC keys are contained in writable process memory: my tool cs-extract-key.py can detect these keys. But the beacon can be configured to encode these keys while it is sleeping. This feature is called a sleep mask, and uses a 13-byte long XOR key. The complete writable memory section that contains the beacon process data, like encryption keys, is encoded with this 13-byte long XOR key.

Since writable process memory sections contain a lot of consecutive NULL bytes (0x00), the 13-byte long XOR-key will be present in the encoded process memory (XORing 0x00 with a key gives the key).

My tool will try to detect this XOR-key by searching for 13-byte long random byte sequences that appear often. It does this by considering all possible 13-byte long sequences as a potential key, and counting how many times each potential key appears. Then it throws away all keys that don’t appear often (less than 100 times) and all keys that do not appear random (for example, keys with more than 3 0x00 bytes).

The most prevalent of these remaining keys is considered the most likely XOR key.

The new options that have been added to version 0.0.3 allow you to guide this key finding algorithm.

Option --keysize is the XOR key size: the default value is 13.

Option --numberofkeystotry specifies how many keys are considered to be potential XOR keys. The default value is 10: this means that the 10 most prevalent keys are selected and displayed.

Option --keystotry specifies which keys to try, out of the 10 keys selected. By default, only the first key (the most prevalent key) is tried: value 0. But you can provide several keys, as a comma separated list of indices.

A potential XOR-key is selected as a decoding key if the decoded memory section contains the string b'sha256\x00'.

Finally, option -r can be used to let the tool analyze a raw set of data (e.g., the provided file is not parsed as a minidump file, but just taken as raw data).
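To show the key detection algorithm described above end to end, here is an added Python implementation of my own (not the code of cs-analyze-processdump.py): it counts every 13-byte window, discards rare and non-random candidates, keeps the most prevalent ones, and accepts a candidate once the decoded data contains b'sha256\x00'. It works on raw bytes, like option -r. One addition not described in the post: because windows are counted at every byte offset, the most frequent window may be a rotation of the real key, so each rotation of a candidate is tried before moving on. The memory section, the 13-byte key and the placeholder AES/HMAC key bytes are all constructed for the example; nothing here comes from a real process dump.

```python
import collections

KEY_SIZE = 13            # default --keysize in the post
MIN_COUNT = 100          # candidates seen fewer times are discarded
MAX_ZERO_BYTES = 3       # candidates with more 0x00 bytes are not "random"
MARKER = b'sha256\x00'   # a correctly decoded section contains this string


def xor_with_key(data, key):
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def count_candidate_keys(data, keysize=KEY_SIZE):
    """Treat every keysize-long window at every offset as a potential key and count it."""
    return collections.Counter(data[i:i + keysize] for i in range(len(data) - keysize + 1))


def looks_random(key, max_zero=MAX_ZERO_BYTES):
    """Crude randomness test from the post: too many 0x00 bytes disqualify a candidate."""
    return key.count(0) <= max_zero


def select_candidates(counter, numberofkeystotry=10, mincount=MIN_COUNT):
    """Drop rare and non-random candidates, keep the N most prevalent (like --numberofkeystotry)."""
    kept = [(key, count) for key, count in counter.most_common()
            if count >= mincount and looks_random(key)]
    return kept[:numberofkeystotry]


def rotations(key):
    return [key[i:] + key[:i] for i in range(len(key))]


def find_xor_key(data, keysize=KEY_SIZE, numberofkeystotry=10, keystotry=(0,)):
    """Try the selected candidates by index (like --keystotry); return (key, decoded)
    for the first one whose decoding contains MARKER, or None when no candidate works."""
    candidates = select_candidates(count_candidate_keys(data, keysize), numberofkeystotry)
    for index in keystotry:
        if index >= len(candidates):
            continue
        key, _count = candidates[index]
        # Windows counted at every byte offset also match rotations of the real key,
        # so each rotation is tried as well (my addition, not described in the post).
        for rotated in rotations(key):
            decoded = xor_with_key(data, rotated)
            if MARKER in decoded:
                return rotated, decoded
    return None


# Constructed 13-byte sleep mask key, chosen for the example only.
SLEEP_MASK_KEY = bytes.fromhex('a7c31e9d42f08b5c6e1a93d7e5')


def build_sample_section():
    """Constructed stand-in for a beacon's writable data section: mostly NULL bytes
    around the marker string and two placeholder keys. Not taken from a real dump."""
    aes_key_placeholder = bytes(range(0x10, 0x30))     # 32 placeholder bytes
    hmac_key_placeholder = bytes(range(0x30, 0x50))    # 32 placeholder bytes
    return b'\x00' * 64 + MARKER + aes_key_placeholder + hmac_key_placeholder + b'\x00' * 4096


if __name__ == '__main__':
    encoded = xor_with_key(build_sample_section(), SLEEP_MASK_KEY)
    key, decoded = find_xor_key(encoded)
    print('recovered key:', key.hex())
    print('marker offset in decoded data:', decoded.find(MARKER))
```

The long run of NULL bytes is what makes this work: XORed with the repeating key it turns into the key itself, repeated hundreds of times, which is why the count threshold of 100 separates the key from ordinary data. A section without such runs, or one encoded with a key longer than --keysize, yields no candidate and the function returns None.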

cs-analyze-processdump_V0_0_3.zip (https)
MD5: 46C232F594CF67272A915985AFDFE839
SHA256: 84EBC79B9CC5764E7D8C85DCBADEE49F09ABF6F19962A0D9C505703F82675B23