This new version of re-search adds 3 regular expressions to the library: str-e matches quoted strings like str but including the empty string too. str-u matches strings like str, but strips the double quotes. str-eu matches like str-e and also strips double quotes.
re-search_V0_0_12.zip (https)
MD5: 8CA8D767BDB126B097E41F0D4B1F197B
SHA256: 69752CF9862FC4EC29DD96289A21D1C8C82FB4C3C3083BE622C169BA658F0A40
This new version of base64dump adds option -I (ignorehex). Like -i, -I can be used to specify characters to be ignore by base64dump. Option -I takes the characters to be ignored as hexadecimal values, like this:
base64dump.py -I 2209
This will ignore the double-quote character (0x22) and the TAB character (0x09).
base64dump_V0_0_11.zip (https)
MD5: BF9D9EB3E6D574633D7F85345213E3E8
SHA256: 2741F9C3FD7B0897A04F60C741D7125568C8355A82FCF0FD4BB80877EE7FB935
sets.py is a small & simple tool for operations on sets, like the intersection of 2 sets.
2 new operations were added to this version: sample and join.
sets_V0_0_2.zip (https)
MD5: F744A900D3EBF7A0D0927F5244FA65F9
SHA256: B205B766D0FB4D12DD334BD6CD20748E14EF1136D545F7EFBB5CEAC6B3F0D942
I find the *nix tool file very useful. There’s no equivalent on Windows, that’s why I use a Windows port of this tool.
But it has some limitations, the most annoying to me being the lack of support for stdin. This prevents me from using it in a chain of commands.
That’s the main reason I developed file-magic.py, a Python tool that is essentially a wrapper for the Python magic module.
On Windows and OSX, install module python-magic-bin with pip (this will install binaries too), while on Linux install module python-magic.
Here is an example showing how output from base64dump is piped into file-magic:
And here is an example with jsonoutput I mentioned before:
You can also add your own definitions to file file-magic.def.
For example, I added a definition for VBE/JSE files (encoded .vbs/.js scripts).
file-magic_V0_0_2.zip (https)
MD5: EAE684E74731FF493D5EC5D243EB16B6
SHA256: 9B0E7B47CAED8F5627DEFCE19B737554BBF998EF380187D6DE4FC1C9572EC9ED
My oledump.py and zipdump.py tools have a new option: –jsonoutput. With this option, my tools will output JSON data to stdout. For oledump, the JSON data will contain the content of all the streams found inside the analyzed OLE file, and for zipdump respectively, the JSON data will contain the content of all the files found inside the analyzed ZIP file.
This is meant to be piped into a new tool I will release soon.
Let’s take a small ZIP files with 2 small files as example (a binary file and a text file). Here is the content displayed with zipdump:
With zipdump’s option –jsonoutput, we output JSON data with the content of these 2 files encoded in BASE64:
Here is the same data pretty-printed:
This can now be piped into other tools that support this JSON data format.
I was a bit too quick with my release for –jsonoutput, I made yet some more changes in version 0.0.36 now.
oledump_V0_0_36.zip (https)
MD5: D8C9FBFD1AA2238D6EB3CA164EE91A65
SHA256: BE609FD0D976984A8856939B76D7DF54AB5ED4934F58F7AD47E4D6E42CDFCCBF
I was a bit too quick with my release for –jsonoutput, I made yet some more changes in version 0.0.14 now.
zipdump_v0_0_14.zip (https)
MD5: FB7D1A9F90E8453DF7F3154EC52AF4E7
SHA256: ADFF99677DB512A27EBDEBBAC77FA08FFF8B180EF620CB6F9725C06511FC38BF
This update introduces option -j (–jsonoutput) to zipdump.py. Soon I will explain how to use this option together with a new tool I will release soon.
zipdump_v0_0_13.zip (https)
MD5: 264D32D0DC863FC29FED161D4A73560F
SHA256: 14D11D5244973A484E5754F20747D4B544C228AC951C885FE8B9FC6D26C86088
This updated brings some changes to option -j (–jsonoutput), an option introduced with version 0.0.33. Soon I will explain how to use this option together with a new tool I will release soon.
oledump_V0_0_35.zip (https)
MD5: 2089AFC496FFE2E44F67CF9C44EB101B
SHA256: C232282BD8AE050EECA1455E6A58EAB8D5CBBDF0D61E9FE2077CDA3DEB15D325
This new version of re-search.py comes with a new option: -e. This option instructs re-search to read its input as a binary file and extract strings from it, to be matched with the chosen regular expression. This allows, for example, the processing of UNICODE strings.
re-search_V0_0_11.zip (https)
MD5: 72F160A83E214351162704EB4B94EB9E
SHA256: 624E2864738008F6A63CC4E3F7B5FCB3738389DBC7E6EF29BC8C2F749ABAD9DE
Didier Stevens 