In this version, I’ve changed the output for “level 0”. Level 0 is actually the remainder, e.g. what comes after the last balanced curly brace. In a normal RTF document, there should be no remainder.
rtfdump_V0_0_7.zip (https)
MD5: 59F86BA57D67CB78B9D863AFEA710709
SHA256: 1A8EDD4F73F020F44B0AAB39FC3A1C313C81BF8A1E031A76D8B8C85E34116DD6
Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog post.
But it’s still not that practical, copying that onliner from my blog post, so I’m releasing a new version of translate.py where I defined function GzipD as that onliner (and I also defined ZlibD).
Here is how I use build-in function GzipD to decompress the malicious payload:
translate_v2_5_2.zip (https)
MD5: 1499C7D9C03928F2CE90BAA813A982DA
SHA256: 34451966781CA9821CD66AEF54379A3B47576CD4FCE8CBEFD9EFA3DA06E49CE9
jpegdump.py is a tool I developed to analyze JPEG images. I have used it for a couple of ISC diary entries: Analyzing JPEG files, It is a resume – Part 3 and A strange JPEG file.
This tool reads binary files and parses the JPEG markers inside them:
It can help with corrupted images, here is an example of a JPEG file that was partially overwritten by ransomware:
The partial image starts from marker 3.
With options -f and -c, one can search through binary files with embedded JPEG images, like this Google Chrome process dump:
For more information, take a look at the man page: jpegdump.py -m
jpegdump_V0_0_3.zip (https)
MD5: 929F3EC096AEBEC642C44C6A6EE2895E
SHA256: C5C1CA151C7E24FB6E305E5116BE7B6BC4C417810217249D3831BE5805BBAA9F
This new version of format-bytes.py display extra information when unpacking strings: string length, first 10 bytes of the string (ASCII and HEX), entropy and MD5 hash.
In this example, a small binary file starts with an integer with the string length (25 bytes), followed by the string (like a Pascal string):
format-bytes_V0_0_4.zip (https)
MD5: EBCF854E9525D470171D7D8E99F836FD
SHA256: CEE2E5B71E1BE8E5D5C934ACCD10BC0FEE2B60DFB6FDB6472F1014CEC4E509EC
This new version of xmldump introduces 2 new commands to extract information from XML files: elementtext and attributes.
The following video shows how to use these commands:
xmldump_V0_0_2.zip (https)
MD5: 8ABFA4FFE259F61B7C42B2D19EADD8CB
SHA256: 0A8B94EE8C77B404A507F4BEA4C5464146F3745A1FA9017ED3DCE8D7C2D18C15
Isn’t the beginning of a new year a good moment to release a new tool called what-is-new.py? 🙂
It’s actually an old tool, I started this in 2012, because it’s something I have to do often: I have a recurring list, and I need to know what items on that list are new (in a nutshell, that’s the problem I tried to solve).
For example, every week I produce a list of User Agent Strings for the requests to my web servers. With a single what-is-new.py command, I can see what User Agent Strings have never hit my servers before.
what-is-new.py takes one argument and a bunch of files. The argument is the name of the database (a Python pickle file). The input can be a single file, several files or stdin. Every line in these files that was not seen before (i.e. not in the database) will be listed by what-is-new.py
In the following example, I run 2 files through what-is-new (files 1.txt and 2.txt) with database demo. The database doesn’t exist yet, hence all lines of the first file are considered new. But with the second invocation, you can see that only line 4 is new.
The tool has several options, I invite you to take a look at the help (-h) and manual (-m).
what-is-new_V0_0_1.zip (https)
MD5: 02067A60EA2EBEE29E98CAF31CEDDF37
SHA256: A4499A230D1925C164531A68C0E8F4FE016882A44D6EDBFF9F4D7BFFA29D14A4
I regularly copy bytes from my command-line tool over to 010 Editor to have this data represented by the Inspector using different formats, like this:
format-bytes.py is a new tool with which I try to achieve a similar result:
Using option -f, it is essentially a wrapper for the struct module. In the following example, we parse the beginning of the PE header of 2 Windows executables:
This shows us that both files have 6 sections and that notepad is from 2016 and regedit from 2017.
-f IHHI uses the struct module’s formatting to specify how to parse the bytes, and “#c#[‘PE’]:” is a cut-expression to carve the PE header out of the executables.
format-bytes_V0_0_3.zip (https)
MD5: CFE426B605DEDA6E388C1F62D2655A31
SHA256: 227C3911A0D2B9D8E524B44D5B4F80EBAABD34810A11A9189B09ADFA5D2FB67A
Sometimes I want to see the content of (malicious) .docx files without using MS Office. I will use my zipdump.py tool to extract the XML file with the content, and then use sed or translate.py to strip out XML tags.
But that doesn’t always yield the best results. Here is a small tool, xmldump, that will parse an XML file and output the text.
It supports 2 commands for the moment: text and wordtext.
Command text extracts the text between any XML tags.
Command wordtext extracts the text between Word paragraph XML tags (<w:p>) and prints each paragraph’s text on a separate line.
xmldump_V0_0_1.zip (https)
MD5: 23D5643E45B97D6AE641DF6CAFA79370
SHA256: A999F2297EE44FAABCA5A025DAEC7E84CB30D34C68F181357BA439EBFE38A660
Outlook MSG files are also ole files.
Here is a new plugin (plugin_msg.py) for oledump that identifies streams in MSG files based on the 8-digit hexadecimal codes in the stream name.
The first 4 hexadecimal digits identify the content of stream, and the next 4 hexadecimal digits identify the type of the stream.
oledump_V0_0_32.zip (https)
MD5: 10D8995B6AF5C783B1F8AAF70B8FDB03
SHA256: 0E38BAF12B066A100F97F3362402E1999F2DE223A09491E3D44C20EA4BDBD8AB
This is an update to plugin_biff, the oledump plugin to parse the BIFF format (used in .xls files).
New options allow to search for opcodes (-o) and strings/bytes (-f) inside BIFF records:
oledump_V0_0_31.zip (https)
MD5: 63B2B5ECE2BC46B937D33A6494F7F6A0
SHA256: D2CF42662897642DF27C863F6C246CE70019EDF03F275354A7A505DCE27632D1
Didier Stevens 