Didier Stevens

Saturday 14 June 2025

Update: virustotal-search.py Version 0.1.9

Filed under: My Software,Update — Didier Stevens @ 0:00

I added a quota feature to virustotal-search.py’s -l (--limitrequests) option.

-l is an option to limit the number of requests: you specify the maximum number of requests to make, and virustotal-search.py will stop once that maximum is reached. Remark that virustotal-search.py does 4 hash lookups per request, thus if your remaining quota for the day is 1000, you can use -l 250 to perform the maximum number of requests without exceeding your total quota (250 = 1000 / 4).

With this new version, you can also instruct virustotal-search.py to calculate (via the API) how much remaining quota you have, and use that to decide how many queries to perform. This is done with keyword quota:. The syntax is: -l quota:groupid,maximum,reserve.

groupid is the group ID your account belongs to. For example sans_isc.

maximum is your daily API quota: how many lookups can you do in one day.

And reserve is the number of lookups you want to save: how many lookups should remain when virustotal-search.py has finished.

Let’s try an example: assume you want virustotal-search.py to do as many queries as possible, but leave a reserve of 100 lookups. Option -l will look like this: -l quota:sans_isc,10000,100.

sans_isc is your group ID, 10000 is the daily API quota, 100 is the reserve.

If you want virustotal-search.py to query your remaining quota, without doing any lookups, use the string query as reserve. Like this: -l quota:sans_isc,10000,query.

In this example, 3896 lookups have been consumed, and that gives 10000 - 3896 = 6104 remaining lookups. To look up file hashes, that means there are 6104 / 4 = 1526 remaining queries.

Thus in this case, starting virustotal-search.py with option -l quota:sans_isc,10000,0 would be the same as -l 1526. The difference is that in the first case, you don’t have to calculate the value 1526, virustotal-search does this for you.
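The quota arithmetic above, as an added illustration that is not virustotal-search.py’s own code: it parses the -l value (plain count or quota:groupid,maximum,reserve) and turns remaining lookups into a request limit at 4 lookups per request. The number of consumed lookups is taken as a parameter here; the real tool obtains it from the API.

```python
LOOKUPS_PER_REQUEST = 4  # virustotal-search.py does 4 hash lookups per request


def parse_limit(value):
    """Parse the -l option value.

    Returns {'requests': n} for a plain integer, or
    {'groupid', 'maximum', 'reserve'} for quota:groupid,maximum,reserve,
    where reserve is None when the keyword 'query' was given.
    """
    if not value.startswith('quota:'):
        return {'requests': int(value)}
    parts = value[len('quota:'):].split(',')
    if len(parts) != 3:
        raise ValueError('expected quota:groupid,maximum,reserve')
    groupid, maximum, reserve = parts
    return {
        'groupid': groupid,
        'maximum': int(maximum),
        'reserve': None if reserve == 'query' else int(reserve),
    }


def plan(option_value, consumed):
    """Return (remaining_lookups, max_requests) for the given -l value.

    consumed is the number of lookups already used today (hypothetical
    parameter standing in for the API answer). For a plain -l count,
    remaining_lookups is None. For reserve 'query', no requests are made.
    """
    limit = parse_limit(option_value)
    if 'requests' in limit:
        return None, limit['requests']
    remaining = max(limit['maximum'] - consumed, 0)
    if limit['reserve'] is None:        # query mode: report only
        return remaining, 0
    usable = max(remaining - limit['reserve'], 0)
    return remaining, usable // LOOKUPS_PER_REQUEST   # integer division: never exceed the quota


if __name__ == '__main__':
    # constructed sample: 3896 of 10000 lookups already consumed today
    for option in ('quota:sans_isc,10000,0', 'quota:sans_isc,10000,100',
                   'quota:sans_isc,10000,query', '250'):
        print(option, '->', plan(option, 3896))
```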

You can combine this feature with option --sleep to have virustotal-search.py use the remaining lookups at the end of the day.

For example, virustotal-search.py --sleep 01:45:00 -l quota:sans_isc,10000,10 will have virustotal-search.py wait until it’s 01:45:00 (15 minutes before UTC midnight in CEST), then query the amount of remaining lookups, and do the lookups so as not to exceed the quota and to leave 10 lookups available.

virustotal-search_V0_1_9.zip (http)
MD5: 8A8D8C47A02D07AAA36FAB5A8667BC54
SHA256: A6062F7C3D910E8B090DF77C81BBF3A0ADE504A4F0F504325C009D9FC792B266

Friday 13 June 2025

Update: myjson-filter.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

I added value stdout for option -W.

-W stdout: will write all items to stdout (binary) without any end-of-line.
To include an end-of-line, specify a Python string, like this:
-W stdout:'\n' this will add a newline to the end of the item
-W stdout:'\r' this will add a carriage return to the end of the item
-W stdout:'\r\n' this will add a carriage return and newline to the end of the item

myjson-filter_V0_0_9.zip (http)
MD5: FB913E4530B7F13684A0C30EA04D44D8
SHA256: 087FF53B631A294DC6B0EA125DC711806CA28C1B8FA066C4E9A38C7069F354A6

Thursday 12 June 2025

Update: search-for-compression.py 0.0.5

Filed under: My Software,Update — Didier Stevens @ 8:40

I added option -u (--unique) to search-for-compression.py to remove duplicates.

Wednesday 11 June 2025

Update: pecheck.py Version 0.7.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version.

pecheck-v0_7_18.zip (http)
MD5: 813F309837091B2035A18272AE5F053F
SHA256: 2976562A8B12F0CDD3E9DBF56929B391CA73AF91906EABC18E9CD663A17155AD

Monday 9 June 2025

Update: pngdump.py Version 0.0.7

Filed under: Beta,My Software,Update — Didier Stevens @ 0:00

This update to pngdump.py adds an index for chunks, and allows for the selection of a chunk via its index.

Saturday 7 June 2025

Python Requirements for Didier Stevens Suite

Filed under: My Software — Didier Stevens @ 0:00

Although many of my tools have zero or just a few dependencies (it’s a design decision), I’ve had requests to create a requirements file.

It is available now in the Didier Stevens Suite ZIP file and on GitHub.

Some dependencies are only necessary when you actually use the corresponding feature. For example, many of my tools support YARA rules, but it’s not a mandatory requirement. If you don’t use YARA rules with my tools, you don’t need to install module yara-python.

Friday 6 June 2025

DSS_DEFAULT_HASH_ALGORITHMS

Filed under: My Software — Didier Stevens @ 0:00

Some of my tools have a feature that lets you choose the hash algorithm.

Many of my tools calculate hashes, and for historical reasons, that is the MD5 hash.

But if you want another hash, you can change this (for some of my tools) by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.

For example, for pdf-parser.py on Windows, you can set DSS_DEFAULT_HASH_ALGORITHMS=sha256 and then the hashes of the streams will be SHA256 instead of MD5.
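An added illustration of the mechanism (not the suite’s own code): read DSS_DEFAULT_HASH_ALGORITHMS, fall back to MD5 when it is unset, reject names hashlib does not know, and hash stream data with the selected algorithm. It assumes the variable holds a single hashlib algorithm name; the env parameter is a hypothetical hook so the function can be exercised without touching the process environment.

```python
import hashlib
import os

DEFAULT_ALGORITHM = 'md5'   # historical default of the tools


def selected_hash_algorithm(env=None):
    """Return the algorithm named by DSS_DEFAULT_HASH_ALGORITHMS, or md5 if unset.

    env defaults to os.environ; a plain dict can be passed instead (assumption
    made here for testability, not a feature of the tools).
    """
    if env is None:
        env = os.environ
    name = env.get('DSS_DEFAULT_HASH_ALGORITHMS', DEFAULT_ALGORITHM).strip().lower()
    if name not in hashlib.algorithms_available:
        # fail loudly: a typo in the variable should not silently fall back to MD5
        raise ValueError(f'unknown hash algorithm {name!r} in DSS_DEFAULT_HASH_ALGORITHMS')
    return name


def hash_stream(data, env=None):
    """Hash decoded stream bytes; returns (algorithm name, hex digest)."""
    name = selected_hash_algorithm(env)
    return name, hashlib.new(name, data).hexdigest()


if __name__ == '__main__':
    # constructed sample stream content
    sample = b'%PDF stream content'
    print(hash_stream(sample, {}))                                          # MD5
    print(hash_stream(sample, {'DSS_DEFAULT_HASH_ALGORITHMS': 'sha256'}))  # SHA256
```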

Tuesday 3 June 2025

Update: search-for-compression.py Version 0.0.4

Filed under: Beta,My Software,Update — Didier Stevens @ 0:00

This tool is still beta.

VBA compression is now supported, besides zlib compression. Option -t (--type) was added so that one can choose the compression type to search for. Possible values are zlib (default) or vba.

And shortcut #p# was added to the yara option, to predefine these rules:

rule attribute_vb_name {
    strings:
        $a = "Attribute VB_Name = "
    condition:
        $a
}

rule dir {
    strings:
        $a = { 01 00 04 }
    condition:
        $a at 0
}

I’ll explain in another blog post how these features can be used to analyze MS Access databases with a VBA project.

Monday 2 June 2025

Update: myjson-transform.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings options -f and -c.

Option -f is used to define a Python function (function name or lambda) that will be applied to the content of each item in the MyJSON data.

Option -c is a shortcut for calling the CutData function via option -f. The lambda that is generated is: lambda data: CutData(data, 'CUTEXPRESSION')[0]
CUTEXPRESSION is the cut-expression provided as value for option -c.

myjson-transform_V0_0_2.zip (http)
MD5: BAA4F4E7E8159EB05063C588DAF2A111
SHA256: 0F79D0D1B35D3F6C7DF0C17746E18F257AF9493D8C474448D16774A405B620E4

Saturday 31 May 2025

Update: myjson-filter.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

A new possible value for option -W (--write) has been added: nameext. This allows for writing files with the sanitized item name and the given extension. For example, nameext:config will create files with extension .config.

myjson-filter_V0_0_8.zip (http)
MD5: 6A899FB406C60F078F2B9E8310F9F2E0
SHA256: 7F5E5DA0C51DB2FF8A1A622925008770D5810D4967D313DEBA9C5ECBB7D99D14