This new version of pecheck.py adds option -l to carve embedded PE files. This will be explained in detail in an upcoming blog post.
pecheck-v0_7_7.zip (https)
MD5: CEFCCC094EF9E29A539092A6ECB77EEE
SHA256: 91041D17A39C7FA4151830AF8FBD151680A04FC617CB0EADDA32D240E9AB9C03
This new version supports CRC32 hashing.
hash_V0_0_7.zip (https)
MD5: 9BE8A26F2940FA2FF5C3671B7BB6DC6F
SHA256: CFA2767F0FAA792F9B75344B2F15FF40267F3EDE77D221B0134F07FDB04E515B
This new version of msoffcrypto-crack.py, a simple tool to crack passwords of MS Office documents, adds rules via option -r.
In this release, there is only one rule to modify candidate passwords: case toggle.
If you use option -r, all passwords in the provide list will be tested, together with their case toggle variant: Secret -> sECRET.
msoffcrypto-crack_V0_0_4.zip (https)
MD5: D3D7A0475FF1C9AAB7BE773514784465
SHA256: 4A27E0FF50863A925FEE55B8F7D16AD29C2DF5E4611F9493DAEEBA89B5F3DBA9
This is a bugfix version.
pdf-parser_V0_7_2.zip (https)
MD5: 7D417F2313FF505AC96B80D80495BB78
SHA256: 3CDB98A57DAABC98382BFA361390AE3637F96852F6F078D03A7922766AE14B57
tcp-honeypot.py is a Python program that allows you to define listeners using dictionaries: they listen on a given TCP port and process connections according to their configuration.
It started as a simple TCP honeypot, but now I use it too if I need a small network server.
For my quickpost “Quickpost: Browsers & Content-Disposition“, I needed a simple web server that would serve a page that I could fully control (headers & body).
I did this with tcp-honeypot. Dictionary dListeners (used by tcp-honeypot) defines the listeners: the keys are the TCP port numbers to listen on, and the values are dictionaries with configuration entries.
As I wanted to serve 3 different pages, I resorted to listen on 3 different ports (8080, 8081, 8082), each would serve a different page. Each dictionary for these listeners contains one entry with key THP_REPLY. Because each listener is very simple it listens for a connection and reads incoming data, discards it, and then sends its reply (regardless of input).
Here is the code to do this (file content-disposition-test.py):
#!/usr/bin/env python
__description__ = 'TCP honeypot configuration for Content-Disposition tests'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2019/04/03'
"""
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2019/04/03: start
Todo:
"""
dListeners = {
8080: {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: inline', '', 'Line 1', 'Line 2', 'Line 3'])},
8081: {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: attachment', '', 'Line 1', 'Line 2', 'Line 3'])},
8082: {THP_REPLY: TW_CRLF(['HTTP/1.1 200 OK', 'Content-Disposition: attachment; filename="test.js"', '', 'Line 1', 'Line 2', 'Line 3'])},
}
THP_REPLY configures a listener to read incoming data when a TCP connection is established, then send a reply (the value of dictionary entry THP_ENTRY) and then close the connection. This value is a string: the HTTP message (start-line, headers and body) to be send to the browser. In stead of defining one long string with start-line, headers and body, separated with carriage return & newline (CR NL), I use convenience function TW_CRNL. When you call convenience function TW_CRNL (Terminate With CR NL) with a list of strings, it terminates each string with CR NL (\r\n) and concatenates all strings into one string, that is returned by the function.
To start the server with this configuration, I just have to run tcp-honeypot.py with content-disposition-test.py as argument.
There are other methods to do this, for example using a single port. I’ll describe these methods in an upcoming blog post.
This new version of format-bytes brings support for TLV records.
Here is an example with certificates in the Windows registry:
More details will be provided in an upcoming blog post.
format-bytes_V0_0_9.zip (https)
MD5: 2F97370D12A7DBB53EB8B30AA0A40463
SHA256: 87C9F3120673C0E92C9562EC2687B60AA93DAF612CE854939E48F6E902BFBBB4
amsiscan.py is a Python script that uses Windows 10’s AmsiScanBuffer function to scan input for malware.
It reads one or more files or stdin.
The AmsiScanBuffer function returns 5 possible values when it is called for a scan:
AMSI_RESULT_CLEAN
AMSI_RESULT_NOT_DETECTED
AMSI_RESULT_BLOCKED_BY_ADMIN_START
AMSI_RESULT_BLOCKED_BY_ADMIN_END
AMSI_RESULT_DETECTED
Example:
amsiscan_V0_0_1.zip (https)
MD5: 47E50599E0CFAF1D27416E68394289A0
SHA256: 044E41D7F31D8333CB5295FD6E430933CA67F9AC37CD400D38189C96AE48544D
virustotal-search.py is a tool to query VirusTotal via its public API for file reports by providing hashes to search for.
This new version adds searching for URLs. Use option -t to select the type of search you want: file (default) or url.
Like this:
Option -e can be used to include extra information (present in the JSON reply) not included by default.
For example, a default file search does not include sha256 hashes:
But you can include it with option “-e sha256” like this:
The public API can also be used for queries for domain names and IP addresses. These queries are much simpler than file and url, and therefor, I developed a very generic program to query APIs. This will be released soon.
virustotal-search_V0_1_5.zip (https)
MD5: 2155347687726A321D1ADBB9C9B81CFD
SHA256: 4F614C9D01C694AEAA16F7D5E4DBFBCF37E8E8D01D382C1137F401612D02E110
sets.py is a program to perform set operations. In this new version, I added operations unique, product, substitute and sort.
And I added options -s and -i.
Operation unique will remove all double entries (which shouldn’t occur anyway in a mathematical set):
“Line 5” appears twice in set4.txt, thus one occurrence is remove by operation unique. “Line 4” and “Line 6” not, because their case is different, or because they have leading whitespace.
To ignore case, use option -i, and to ignore leading and trailing whitespace, use option -s:
sets_V0_0_3.zip (https)
MD5: F8B1EB9140EBA621CBF6F393717BF2EA
SHA256: 94200F8313A66D7CAB6C200A24DD6A5B1D9644004C2ECCF01F22004A801EFE03
This new version comes with option -a to parse ASCII/hexdumps as produced by my tools.
Option -s can be used to select another hexadecimal/ASCII dump than the first one (for example, -s 2 to select the second dump).
Option -l (list) can be used to produce an overview of all hexadecimal/ASCII dumps found in the input, together with an index number to be used with option -s.
hex-to-bin_V0_0_2.zip (https)
MD5: 4F415E4117EC497C52E244A7087E36B9
SHA256: D283C312CC169419BC16D9199F5EC850D5D7565B9FDB272CA5236F97EDAD22C3
