Didier Stevens

Wednesday 21 December 2022

Update: InteractiveSieve Version

Filed under: My Software,Update — Didier Stevens @ 0:00

New features:

  • Loading files from command line arguments
  • Column index to right click-menu
  • “Hide (if equal to prev and next)” to right click-menu
  • “Values separator…” to right click-menu
  • “Hide duplicates” to right click-menu
  • Added column filtering when loading files

InteractiveSieve_V_0_9_2_0.zip (http)
MD5: 74A4019A36199C5057207184341FB639
SHA256: D9481C99F44FCEA0729F526B70E307881E2128FB1EB23DF135790EDB4392CB4A

Tuesday 20 December 2022

Update: filescanner Version

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings extra statistics with option -f (fullread): counter for unique bytes, control bytes, printable bytes, high bytes. And lengths of the longest ASCII string, ASCII hexadecimal string and ASCII base64 string.

Remark that no check is made for hex string length being a multiple of 2 and base64 string length being a multiple of 4.

Rule DMP for minidumps was added.

And option -e now accepts multiple extensions (comma separated).

FileScanner_V0_0_0_8.zip (http)
MD5: 20201A4336F3E5298896EE0962C6C287
SHA256: F0EAE8F989A65509EE2AC793EB23C3FED3F333D10C62C30FF047EE45CD308190

Monday 19 December 2022

New tool: teeplus.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

This new tool, teeplus.py, is an extension of the tee command.

The tools takes (binary) data from stdin, and sends it to stdout, while also writing the data to a file on disk.

While the tee command requires a filename as argument, teeplus.py takes no arguments (only options).

By default, teeplus.py will write the data to a file on disk, with filename equal to the sha256 of the data and extension .vir.

And it will also log this activity in a log file (teeplus.log by default).

Here is an example.

I run curl with a request to ipify to get my current public IPv4 address:

Then I pipe this output to teeplus.py:

This results in the creation of two files inside the current directory:

The first file it the output of the curl command:

The filename is the SHA256 hash of the data with extension .vir:

The second file, teeplus.log, is a log file:

Each line in teeplus.log has 4 fields (comma separated):

  1. The ISO timestamp when the activity was logged
  2. The length in bytes of the data
  3. The SHA256 hash of the data
  4. An error message (empty string when no error occured)

A line is created for each invocation of the teeplus.py command:

When the IPv4 address changes:

And the command is executed again, a new .vir file is created (since the received data changed):

And this is reflected in the log file:

This allows you to create a log of your public IPv4 address, for example (by scheduling this command as a recurrent task).

I use it for monitoring websites, and saving a copy of the HTML page I downloaded. I will explain how in an upcoming blog post.

teeplus.py has a couple of options: you can change the extension of the saved file, and the filename of the log file. And you can also us option -n to prevent the data to be piped to stdout (or you could redirect to /dev/null).

This is something I would do when the teeplus.py command is not followed by another command.

teeplus_V0_0_1.zip (http)
MD5: 0A3704CD56BD6B3A1FF2B92FD87476FB
SHA256: 9E3CBE7323D83FFC588FD67F7B762F53189391A43EDF465C64BD0E4D8E7E8990

Sunday 18 December 2022

Update: zipdump.py Version 0.0.23

Filed under: My Software,Update — Didier Stevens @ 0:00

Option -W can be used to write all files to disk. The only accepted value for -W is vir (for the moment). When this option is provided, all files are written to the local disk (ignoring contained paths) with their original name, and appended extension .vir.

To print out properties line per line, use separator *.

And more parsing for PK records has been added (with option -f). This is a work in progress, more info will provided in an upcoming blog post.

zipdump_v0_0_23.zip (http)
MD5: B37E6A25B736CB4396DEB2DC8A0853C6
SHA256: 68B7E11B4456A8A9A5A9733EE9B1945A03EBA64A13903B98FAC838BDB828BD02

Saturday 17 December 2022

Update: virustotal-search.py Version 0.1.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to virustotal-search brings new options:

  1. -D don’t send queries to VT, just use the local database
  2. –sleep before starting: provide an integer with suffix s (seconds), m (minutes), h (hours) or d (days). Or provide a local time: 01:00:00
virustotal-search_V0_1_8.zip (http)
MD5: 69A4504E06E97585EDBA4BBD60EAC36C
SHA256: 16FA2F9748959A88BE38B4A2FF006FC658FB4FF8932F3EC2E2568F48EB9FAE85

Friday 16 December 2022

Update: hash.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

Options validate and skip support here files now.

And when validating hashes, a summary is displayed at the end of the report.

hash_V0_0_9.zip (http)
MD5: E1BEFF0A256002949B084F7ED410C5A5
SHA256: 84F846D6CFE93ADA77C5DE0C318CEA36C3F92F22A3D0A7FE829DB88D7CE31FA0

Thursday 15 December 2022

Update: count.py Version 0.3.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to count.py, my tool to count items, adds totals and options for:

  1. singles: a single is an item that appears only once
  2. multiples: a multiple is an item that appears more than once
count_v0_3_1.zip (http)
MD5: 1B36247FE910FE5FB4E3253B65E440A1
SHA256: 9C99627F07E1B366DCEB000A56C4C3D358C3408D36531A921514B4F3809F45D1

Sunday 4 December 2022

Update: python-per-line.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update to add the lineNumber variable.

python-per-line_V0_0_9.zip (http)
MD5: CD9FC344E4C5F649E4043BD703CDCA52
SHA256: BD6713A7DF86AC75ADC2A6742A453919F56583D8CC5EB3B82B736608D2A52619

Wednesday 23 November 2022

Update: what-is-new.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update of what-is-new-.py, my tool that reports what lines inside files are new (e.g., never seen before) has a new option: -a –action. It allows me to launch a command when something new is detected.

I use this for example to be alerted via TelegraM; More details in an upcoming blog post.

what-is-new_V0_0_2.zip (http)
MD5: 458B06FAF21F6BB150087196CCFEFAC2
SHA256: D020205346A778A4EE31B9C645F31BD4E14B465DC0B37BABD1DEEDFB6F347232

Thursday 10 November 2022

Update: pdf-parser.py Version 0.7.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update: you can now select which hash algorithm to use for option -H by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.

And the statistics options (-a) also display a list of objects with streams.

pdf-parser_V0_7_7.zip (http)
MD5: BCAE193F171184F979603DFB1380FF43
SHA256: 576C429FA88CF0A7A110DAB25851D90670C88EC4CD7728329E754E06D8D26A70
« Previous PageNext Page »

Blog at WordPress.com.