Mark Woan reported an issue with virustotal-search.py: sometimes VirusTotal returns a JSON object that the json parser can’t parse.
That’s something I didn’t expect. I’ve added error handling for this case.
virustotal-search_V0_0_9.zip (https)
MD5: FECD02796889CDFE9FA67287F2DE567C
SHA256: 0CE06CBAFC6341835EB8A62377F5C4EB067747EE28E7ED8BB25FD69A4B99FA97
This update adds x64 shellcode support to my shellcode2vbs.py script.
shellcode2vba_v0_3.zip (https)
MD5: 44AF2685975346F9DE09E48E7FB855CE
SHA256: 04C42FA26717CCC7BC17A7BEDA02C746CA1A8BC8C6CE184670CD686796B5FF10
I’m giving a 2-day training on PDF at Brucon 2013. Early-bird price applies til June 15th.
Sometimes PDFiD will give you false positives for /JS and /AA. This happens with files of a couple of MBs or bigger, because it’s statistically very likely that /AA or /JS (only three bytes long) appear inside a stream. And since PDFiD, contrary to pdf-parser, has no notion of pdf objects and streams, it can produce false positives, like this:
PDFiD 0.1.2 CCNPSecurityFIREWALL642617OfficialCertGuide.pdf PDF Header: %PDF-1.6 obj 6018 endobj 6017 stream 1897 endstream 1897 xref 1 trailer 1 startxref 1 /Page 773 /Encrypt 1 /ObjStm 0 /JS 3 /JavaScript 0 /AA 1 /OpenAction 0 /AcroForm 0 /JBIG2Decode 0 /RichMedia 0 /Launch 0 /EmbeddedFile 0 /XFA 0 /Colors > 2^24 0
And when you search for /AA or /JS with pdf-parser, you will not find objects that have /AA or /JS in their dictionary:
pdf-parser.py -s /AA CCNPSecurityFIREWALL642617OfficialCertGuide.pdf
Up til now, I advised users suspecting false positives, to search the PDF document with a hex editor and see if they found /AA or /JS inside a stream. But now, with the latest version of pdf-parser supporting searching inside a stream, you can do it like this:
pdf-parser.py --searchstream /AA --unfiltered CCNPSecurityFIREWALL642617OfficialCertGuide.pdf
obj 1848 0
Type: /XObject
Referencing: 38 0 R
Contains stream
<<
/Length 121194
/Filter /DCTDecode
/Width 800
/Height 600
/BitsPerComponent 8
/ColorSpace 38 0 R
/Intent /RelativeColorimetric
/Type /XObject
/Subtype /Image
>>
I’m giving a 2-day training on PDF at Brucon 2013. Early-bird price applies til June 15th.
This new version of pdf-parser comes with options to search inside streams. For example, you can select all objects with the word Linux inside a stream with this command:
pdf-parser.py --searchstream Linux manual.pdf
The search is not case sensitive. To make it case sensitive, use option –casesensitive. Filters are applied to streams (e.g. decompressed) before the search is performed. To search in the raw stream data, use option –unfiltered.
Regular expression searching is done with option –regex. This allows you, for example, to select objects with embedded Flash files. Flash files begin with FWS, CWS or ZWS:
pdf-parser.py --searchstream "^[FCZ]WS" --regex sample.pdf
Regular expression searching has another advantage. You can search for bytes: \xCA\xFE.
pdf-parser_V0_4_2.zip (https)
MD5: B0C8F02358B386E7924DACB3059F8161
SHA256: E90620320AF6ED8E474B42BF6850E246446391878F87AE34DCDBD1D9945A6671
This is an update for virustotal-search.py and a release of a new tool: virustotal-submit.py. I created this new tool because I needed to submit a sample stored in a password protected ZIP-file (not the ZIP-file), without extracting the sample to disk.
To submit a file to VirusTotal, you just run virustotal-submit.py sample.exe.
If you submit a ZIP file, virustotal-submit.py will extract the first file to memory and submit that to VirusTotal. The ZIP file can be password protected with password “infected”. To submit the ZIP file itself, use option -z.
To submit a batch of samples, create a textfile with the name of the files to submit and use option -f.
virustotal-submit.py supports proxies too (Python variables HTTP_PROXY and HTTPS_PROXY or environment variables http_proxy and https_proxy).
Python module poster is required for this tool.
virustotal-submit_V0_0_1.zip (https)
MD5: 8793C3276822DDE36BA0804D3390AD4D
SHA256: F17B9EEC408833039AE63FCED9F6114F99AADFBE9D547AE88B2C3A6E54AE91B4
Updates to virustotal-search.py:
virustotal-search_V0_0_8.zip (https)
MD5: 011C88A9C9026A32DA473187A64E880C
SHA256: 30711202BB0CD01A17AFA7BB8BBFE1545B6A840BDB91D83C7753300EF7E71A8F
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the sixth one.
This script does the opposite of js-unicode-escape.1sc: a Unicode escape encode string is decode to bytes.
js-unicode-unescape_v0_0_1.zip (https)
MD5: E4FF29FB631142AC995636EED4CFB2AB
SHA256: C5659BCED1C6A7F92C2F7F9058DAA5807D2907283041E4F9DD1E4B6F318F2BBD
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fifth one.
010 Editor has a different functions to copy bytes from a file. As raw bytes, as hex, as base64, …
This script copies the selected bytes to the clipboard as a Unicode escape encoded string for JavaScript: %u3421%u9a0d…
js-unicode-escape_v0_0_3.zip (https)
MD5: B86B7E73D93C5A4C086384C2FF89303C
SHA256: 81F26C328FD67FB7512CD60485481D7FFD8B7FE5ACE95455D45F4F635EADF81C
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the fourth one.
pecheck.py is a wrapper for pefile, but this version has a new feature: check a PE file stored in a (password protected) ZIP file (password infected).
pecheck_v0_3_0.zip (https)
MD5: C2AC9FED3C7F1787854C8D0E651B2591
SHA256: 3CDEBADA4C594DD3622E234747C6AABD41573C94087C0554CBA65D0472F6B413
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the third one.
010 Editor has a search feature with wildcards (like FC 01 * 10 CF), but no search and replace with wildcards (like FC 01 * 10 CF -> FD 02 * 20 DF). This scripts implements such a feature.
search-and-replace-with-wildcards_v0_0_1.zip (https)
MD5: 7D620E8BEFFD4ED5563D9944C9B0B859
SHA256: B7F074304660A8DBF7AB2261D8619FFFFD461EFB5EE4C6E42880C87A3C1A4AB7
As a thank you to those who nominated me for the European Security Bloggers Awards, I’m going to release some new scripts this week. Here’s the second one.
fuzzer.1sc is a 010 Editor script that implements a simple fuzzer. It overwrites bytes in a file or selection. A selection is particularly useful combined with a template. For example, with a couple of clicks you can fuzz the control structures of a JPEG image.
4 parameters (number of fuzz sequences to overwrite, minimum length and maximum length of a sequence, and the fuzz character) allow you to control the random overwriting process.
fuzzer_v0_0_1.zip (https)
MD5: E9B7114952E81A504C7CF3B06B99B5CF
SHA256: CF399EE2D86B6039236608F4FE882E579D7DCFED1DA980B4124ED06FD0C5807A
Didier Stevens 