This new version of pdf-parser is a bugfix for /FLATEDECODE.
Monday 28 November 2016
Monday 21 November 2016
This new version supports different encodings besides base64 (but the name remains base64dump).
The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).
The shellcode, escaped with %u, can be extracted with base64dump:
There’s also a new option to do a string dump: -S
And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.
Monday 30 November 2015
I released new versions of my AnalyzePESig and ListModules Authenticode tools.
Extra fields with information were added to the output of the tools, and the tools were adapted to use the SE_BACKUP_NAME privilege, which lets them read files even when the file permissions would not allow it (when running as an elevated administrator).
A new field that might require some extra explanation is the DEROIDHash field. The DEROIDHash is a SHA-256 hash of the DER structure and OID numbers of a PKCS7 signature: it's the SHA-256 hash of the bytes that make up the PKCS7 signature, except for the data. In other words, it's the SHA-256 hash of the DER bytes that specify the tags and the OID numbers. Signatures with the same structure and OID numbers share the same DEROIDHash.
For example, if a new version of a signed executable is released and the DEROIDHash value is different from the previous version, then the author has changed his/her signing process or is using a certificate with a different structure; or the executable was signed by another party using another signing process.
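To illustrate the idea behind DEROIDHash, here is an added example (my own toy implementation, not the code of AnalyzePESig): it walks a DER structure, feeds only the tag bytes and the contents of OBJECT IDENTIFIER elements into SHA-256, and skips the contents of every other primitive element. How the real tool treats length bytes and multi-byte tags is not stated in the post, so the handling here is an assumption, and the three constructed DER blobs below are stand-ins for real PKCS7 signatures.

```python
import hashlib

def _read_length(buf, i):
    """Parse a DER length field starting at buf[i]; return (length, next_index)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1          # short form: one byte holds the length
    n = first & 0x7F                 # long form: next n bytes hold the length
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def structure_bytes(der):
    """Collect the bytes that describe the structure: every tag byte plus the
    content of every OBJECT IDENTIFIER. Content of other primitive elements
    (the 'data': integers, strings, hashes, signature values) is left out.
    Assumption: single-byte tags only (tag numbers below 31)."""
    out = bytearray()

    def walk(buf):
        i = 0
        while i < len(buf):
            tag = buf[i]
            out.append(tag)
            length, i = _read_length(buf, i + 1)
            content = buf[i:i + length]
            if tag & 0x20:           # constructed (SEQUENCE, SET, [n]): recurse
                walk(content)
            elif tag == 0x06:        # OBJECT IDENTIFIER: the OID value is structure
                out.extend(content)
            i += length              # any other primitive: skip its data

    walk(der)
    return bytes(out)

def deroid_hash(der):
    """SHA-256 over the structure bytes, hex encoded."""
    return hashlib.sha256(structure_bytes(der)).hexdigest()

# Constructed sample: SEQUENCE { OID 1.2.840.113549.1.7.2 (signedData),
# INTEGER 1, OCTET STRING "abc" } -- same structure, different data in B.
SIGNED_A = bytes.fromhex("3013" "06092a864886f70d010702" "020101" "0403616263")
SIGNED_B = bytes.fromhex("3013" "06092a864886f70d010702" "020107" "040378797a")
# Same layout but OID 1.2.840.113549.1.7.1 (data): a different DEROIDHash.
SIGNED_C = bytes.fromhex("3013" "06092a864886f70d010701" "020101" "0403616263")

if __name__ == "__main__":
    for name, blob in (("A", SIGNED_A), ("B", SIGNED_B), ("C", SIGNED_C)):
        print(name, structure_bytes(blob).hex(), deroid_hash(blob))
```

A and B print the same hash although their data differ; C differs because one OID number changed.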
Thursday 31 July 2014
I plan to produce short videos more frequently. I will not post them all here on my blog, I’ve created another blog for all my videos:
The RSS is http://videos.didierstevens.com/feed/.
And from time to time, I’ll repost an old video on that feed.
Wednesday 14 March 2012
The major change is that these 2 tools support Python 3 too now. And then there are a couple of bugfixes and new features given to me by readers.
You can find these tools on the PDF Tools page.
Tuesday 18 January 2011
Start Process Explorer, and set the lower pane to display DLLs. Select the explorer.exe process, and add the ASLR column to the lower pane view. Then sort on the ASLR column.
You will see this:
Notice that on a default Windows 7 32-bit install all DLLs (with code) support ASLR. The n/a is for resource DLLs: they don't contain code, and ASLR doesn't apply to them.
Now open an explorer window and right-click a file, like this:
This action will load the context menu shell extensions.
Take a look at Process Explorer:
Now you see the shell extensions without ASLR support.
Tuesday 1 September 2009
I know, I love a bit of mischief 😉
Wim renamed his “old” Twitter account @domgingelom to the “new” @wimremes. And then I promptly registered @domdingelom… 😉
Did some Tweeting under an assumed name…
And then gave the “new” @domdingelom to Wim.
Tuesday 8 July 2008
Post your guess as a comment.
Sunday 9 December 2007
I added the SafeBoot registry keys for Windows 2000 SP4 Professional to the zip file and updated the post.