This new version of pecvheck.py adds an overview of sections. More details here.
pecheck-v0_7_0.zip (https)
MD5: 7BE550EC71BF99FC31704C2DD4ED3C8A
SHA256: 12C03369362045DF5A9AAB83002E59A4A31050EC008DF45F777C87186D611F6E
Tuesday 4 July 2017
Update: pecheck.py Version 0.7.0
Monday 3 July 2017
Update: zipdump.py Version 0.0.9
In this new version of zipdump.py, you can provide a YARA rule directly on the command line, without having to store it inside a file.
Just start the value of option -y with # and type your rule (use quotes because of spaces):
zipdump_v0_0_9.zip (https)
MD5: 2700AF663980204075107164AA12750A
SHA256: 5686F24373AF64E1F5D866C71B29A22CE97964EC563A2219681A6268CC9A1153
Sunday 2 July 2017
Update; base64dump.py Version 0.0.7
This new version of base64dump.py has a new option: -z. With this option, you can ignore leading null bytes (to be used for example to handle UNICODE).
You can see this option used in this video (starting 1:28):
base64dump_V0_0_7.zip (https)
MD5: D37DE7CEFDA55ADD1822EADDD84D5FFB
SHA256: 5F676DF8B36172A1D7B29F03E2B0CCB026BB9A96DF8830FDB137E65CBB59DD63
Tuesday 6 June 2017
Update: xor-kpa.py Version 0.0.5
Some small changes to my XOR known plaintext attack tool (xor-kpa), which will be detailed in an ISC Diary entry.
xor-kpa_V0_0_5.zip (https)
MD5: 023D8E3725E0EF7CEC449085AA96BB3A
SHA256: 7517DD44AFBFA11122FD940D76878482F50B7A2A2BCD1D7A2AF030F6CAC4F4E3
Tuesday 23 May 2017
WannaCry Simple File Analysis
In this video, I show how to get started with my tools and a WannaCry sample.
Tools: pecheck.py, zipdump.py, strings.py
Sample: 84c82835a5d21bbcf75a61706d8ab549
Sunday 21 May 2017
Update: zipdump.py Version 0.0.8
Added handling of zlib errors when performing a dictionary attack.
zipdump_v0_0_8.zip (https)
MD5: 51B971B57800D126B2067DC53303355A
SHA256: 095EE6000E99B9193C830B8BA11139907CB9445FD7D94D81E3F97A8B458D5D16
Saturday 20 May 2017
Update: zipdump.py Version 0.0.7
After adding support for password lists in zipdump, I decided to add an internal password list to zipdump, based on John’s public domain password list.
This internal password list (a few thousand passwords) can be used by providing filename . (a single dot) to options -P and –passwordfilestop.
zipdump_v0_0_7.zip (https)
MD5: 7B3D165B68B4E66D7EFCF54B25E08115
SHA256: DC794679CFDEA57AC532E11BC338F6823EECC26A36CB844B29EF15F93B6BA1C1
Thursday 18 May 2017
Update: re_search.py Version 0.0.7
This new version of re-search.py has a build-in regular expression for bitcoin addresses, together with a Python function to validate the address.
re-search_V0_0_7.zip (https)
MD5: 38EBBC6B45476AA2FB03DC9604D2F7EE
SHA256: 7BE3B986126C3E40A886A66A08EA360EEE01A29F064F2D3235A1311C4FB4E45E
Saturday 13 May 2017
Update: re_search.py Version 0.0.5
When I used my re-search.py tool to extract Bitcoin addresses from the latest WCry samples, I found a small bug. This version is a bugfix (bug introduced in version 0.0.4).
re-search_V0_0_5.zip (https)
MD5: A03CBBA9F2C5900A368BC064D3CC3D00
SHA256: 940B12CA8E3ADCC0266BC788B5A7AE2C830115BDB9FC04C3A7A178FDD7D44F02
Thursday 11 May 2017
Crack A ZIP Password, And Fly To Dubai …
We had to crack a password protected ZIP file, to discover that just few hours later, we would fly to Dubai for our NVISO team building event.
This inspired me to update my zipdump.py tool. This tool can handle password protected ZIP files. Using default password “infected”, or a password that can be provided with option -p.
In this new version, you can provide a list of password in a text file using option -P. Turns out that this simple dictionary attack just using Python is surprisingly quick (at least to me): 8000 passwords per second on an average machine.
zipdump_v0_0_6.zip (https)
MD5: B605DEABFC5458488B6487B1E9104085
SHA256: DDC2CE94D250CBDE62AD1EBE650654E4A50C51F97CADF412B16A553242819772
Didier Stevens 