Didier Stevens

Sunday 26 February 2023

Update: oledump.py Version 0.0.72

Filed under: My Software,Update — Didier Stevens @ 17:49

This update brings a new plugin to analyze MSI files: plugin_msi_info

oledump_V0_0_72.zip (http)
MD5: 27CBB0D67EA90DD02875081785B50CB4
SHA256: 3E20C06B40222DAB69951D13159E063E9AF8766291D15362C0E39026B3923DC2

Thursday 16 February 2023

Update: process-binary-file Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix update.

python-templates_V0_0_10.zip (http)
MD5: 29806A562411E4584455746C8CE41BAB
SHA256: CC520C26BE6E59F48AEA639EC477983333D75F91FFE295915DB4711C275E26DB

Wednesday 15 February 2023

Update: cut-bytes.py Version 0.0.16

Filed under: My Software,Update — Didier Stevens @ 0:00

In this new version of cut-bytes.py, I add support for custom Python transforms (options -P and -S), pyzipper and fixed a bug.

cut-bytes_V0_0_16.zip (http)
MD5: 04E6E0E46C6698127BAE443AF5CEF0F6
SHA256: 0657F6A6837CEC9F3E9E50551F8861D19B70305A4B7C3C409D561C3462550D24

Tuesday 14 February 2023

Update: xor-kpa.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

I added extra plaintexts for the modulus of Cobalt Strike’s public RSA key.

xor-kpa_V0_0_7.zip (http)
MD5: FB8155E56234648CC3AFFD890BFE9043
SHA256: 069DCA2A1901D448DBF2CF202B5CE49846EFCBAACB73BF35B20AA085AAB31BA9

Monday 13 February 2023

Update: file-magic.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 18:37

This new version of file-magic.py adds a definition to identify OneNote .one files:

And adds support for pyzipper.

file-magic_V0_0_6.zip (http)
MD5: 2C564E9B215672BA9352934C8B91B0EC
SHA256: 6102CE6788EB17B17AB3C0AB054FE9ECA2C557E9349A7ACF9612759CC5C6CA97

Sunday 12 February 2023

Update: pdf-parser.py Version 0.7.8

Filed under: My Software,Update — Didier Stevens @ 12:15

A small feature update for pdf-parser.py Statistics include unreferenced objects now:

pdf-parser_V0_7_8.zip (http)
MD5: 7BBEA9497666397CBBB88B012A710210
SHA256: FE393865861E00B48124B99CD5AEBBB5A632F1FBD883F4E4044DF8C8FA75BE9D

Sunday 22 January 2023

Analyzing Malicious OneNote Documents

Filed under: My Software — Didier Stevens @ 18:09

About a week ago, I was asked if I had tools for OneNote files.

I don’t, and I had no time to take a closer look.

But last Thursday night, I had some time to take a look. I looked at this OneNote maldoc sample.

I opened the file in the binary editor I use often (010 Editor):

I expected to see some magic header, a special sequence of byte that would tell me which file type is used. I didn’t see that, but I noticed that the first 16 bytes look random. And they were the same for another sample. So this could be a GUID. GUIDs in Microsoft’s representation are a mix of little- and big-endian hexadecimal integers. That’s why 010 Editor has an entry for GUIDs in its inspector tab:

This is the GUID represented as a string: {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}

Looking this up with Google:

That’s great, Microsoft has a document [MS-ONESTORE] describing this file format.

Unfortunately, I did a quick search but didn’t find a pure Python module to read this file format. Maybe it exists, but I didn’t find it.

Next I tried my pecheck.py tool to locate the executable inside the onenote sample. That worked well:

At position 0x2aa4, here’s an embedded PE file. Taking a look with the binary editor:

I see the MZ header, and 36 bytes in front of that, another random looking sequence of 16 bytes. Maybe another GUID:


A bit of Google search:

Turns out that this is a FileDataStoreObject structure.

So looking for this GUID in any file, one can find (and extract) embedded files. So that’s what I quickly coded using my Python template for binary files (there are some issues with this GUID-search method, I’ll address these in an upcoming blog post or video)

A new tool: onedump.py

Update: process-binary-file Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 9:27

New functions and classes have been added to process-binary-file.py.

python-templates_V0_0_9.zip (http)
MD5: 7C5E8602F225735015E9A431C5818762
SHA256: CAEEEBB1E402E5127A431446A01BBE607B22AA0EB1F6FA12B8E7703275BE6F15

New Tool: onedump.py

Filed under: maldoc,Malware,My Software — Didier Stevens @ 9:24

This is a new tool (based on my Python template for binary files) to analyze OneNote files.

This version is limited to handling embedded files (for the moment).

As I might still make significant changes to the user interface, I’ve put this tool in my GitHub beta repository.

Thursday 29 December 2022

Update: zipdump.py Version 0.0.24

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to option -W of zipdump.py.

Next to value vir, you can now also specify values hash and hashvir.

hash: write each file with name equal to the SHA256 of the content of the file.

hashvir: write each file with name equal to the SHA256 of the content of the file plus extension .vir.

zipdump_v0_0_24.zip (http)
MD5: 33E7B7602263CB2C23D59C7EDEC8666C
SHA256: 1BEF40A9B567DAE84563FEA1B4DE8E0BD7F5926F7FCFF6D7086D2643133FBACE
« Previous PageNext Page »

Blog at WordPress.com.