Didier Stevens

Friday 19 December 2025

Update: pecheck.py Version 0.7.19

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small fix for an escape sequence warning.

pecheck-v0_7_19.zip (http)
MD5: A53F4648119CC9A44FB684EAC2C84C08
SHA256: 67637A257967807800AF04D45E0B8DA8F32D38AA772C3596DAE7E0CD4ECFCE52

Saturday 15 November 2025

Update: numbers-to-hex.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 10:13

This update adds option -e to handle binary numeric expressions like 79+1.

numbers-to-hex_V0_0_4.zip (http)
MD5: 8CD22E998E84F80D1FD92504B3D3A559
SHA256: 6963ED3F013D9C6E70ACA95DA00399B0F95DD279597EABE5BA1EC51E0B28DD4D

Monday 3 November 2025

Update: cs-parse-traffic.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 11:28

This is a bugfix version.

cs-parse-traffic_V0_0_6.zip (http)
MD5: AED53E99D7BFF14EC45F573663A91780
SHA256: C73614FD69660C4D0E851414D86091E9E90DE9A92D58F9E6AC71D76B4A6EC638

Monday 27 October 2025

Update: dnsresolver.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings function= to the definition of a resolve command.

The key-value pair function is optional. If provided, the value will be interpreted as a Python function and called when there is a match. The function must inspect the request and update the reply. Arguments to the function are request, reply and dCommand. The function must return a list with 2 values: the first one is True when NXDOMAIN must be returned (and False if there is an answer); the second one is an integer with the rcode value, and it must be None if no rcode is set by the function.

An extra Python script (for example with function definitions) can be loaded using option -s.

dnsresolver_V0_0_4.zip (http)
MD5: 7520FB4510E6ED5E5975A8606852F548
SHA256: 1C4BC4D6030A2534600283962890545D428F2BBAFD85D0B3E934B03B07EA1F6A

Sunday 31 August 2025

Update: pdf-parser.py Version 0.7.13

Filed under: My Software,Update — Didier Stevens @ 18:10

This is a bugfix version.

pdf-parser_V0_7_13.zip (http)
MD5: B9C0EF6EC526CDA51FB147D04FC3C5B8
SHA256: F9BA57419998748559D60EE13EEDA3BBC6BA48135C5781CB8801063AE7C29E6E

Friday 20 June 2025

Update: teeplus.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds option -t: it directs teeplus.py to use the timestamp as filename for saving the incoming bytes.

teeplus_V0_0_2.zip (http)
MD5: 50C60D13D3FC6BD4306D376694D26858
SHA256: 50D7CA7D03BA6E3893DD032228A73618B560C9D81B485DE76FF415332648EC03

Saturday 14 June 2025

Update: virustotal-search.py Version 0.1.9

Filed under: My Software,Update — Didier Stevens @ 0:00

I added a quota feature to virustotal-search.py’s -l (--limitrequests) option.

-l is an option to limit the number of requests: you specify the maximum number of requests to make, and virustotal-search.py will stop once that maximum is reached. Note that virustotal-search.py does 4 hash lookups per request, thus if your remaining quota for the day is 1000, you can use -l 250 to perform a maximum of requests without exceeding your total quota (250 = 1000 / 4).

With this new version, you can also instruct virustotal-search.py to calculate (via the API) how much remaining quota you have, and use that to decide how many queries to perform. This is done with keyword quota:. The syntax is: -l quota:groupid,maximum,reserve.

groupid is the group ID your account belongs to. For example sans_isc.

maximum is your daily API quota: how many lookups you can do in one day.

And reserve is the number of lookups you want to save: how many lookups should remain when virustotal-search.py has finished.

Let’s try an example: assume you want virustotal-search.py to do as many queries as possible, but leave a reserve of 100 lookups. Option -l will look like this: -l quota:sans_isc,10000,100.

sans_isc is your group ID, 10000 is the daily API quota, 100 is the reserve.

If you want virustotal-search.py to query your remaining quota, without doing any lookups, use string query as reserve. Like this: -l quota:sans_isc,10000,query.

In this example, 3896 lookups have been consumed, and that gives 10000 - 3896 = 6104 remaining lookups. To look up file hashes, that means there are 6104 / 4 = 1526 remaining queries.

Thus in this case, starting virustotal-search.py with option -l quota:sans_isc,10000,0 would be the same as -l 1526. The difference is that in the first case, you don’t have to calculate the value 1526, virustotal-search does this for you.

You can combine this feature with option --sleep to have virustotal-search.py use the remaining lookups at the end of the day.

For example, virustotal-search.py --sleep 01:45:00 -l quota:sans_isc,10000,10 will have virustotal-search.py wait until it’s 01:45:00 (15 minutes before UTC midnight in CEST), then query the amount of remaining lookups, and do the lookups so as not to exceed the quota and to leave 10 lookups available.
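The quota arithmetic described above, written out as an added example (this is not code from virustotal-search.py). The function names are hypothetical, `consumed` stands in for the figure the tool retrieves via the API, and rounding down to whole requests is an assumption.

```python
LOOKUPS_PER_REQUEST = 4  # the post: 4 hash lookups per request


def parse_limit(value):
    """Parse a -l value: a plain integer or quota:groupid,maximum,reserve."""
    if not value.startswith('quota:'):
        return {'mode': 'fixed', 'requests': int(value)}
    parts = value[len('quota:'):].split(',')
    if len(parts) != 3 or not parts[0]:
        raise ValueError('expected quota:groupid,maximum,reserve')
    groupid, maximum, reserve = parts
    limit = {'mode': 'quota', 'groupid': groupid, 'maximum': int(maximum)}
    if reserve == 'query':
        limit['mode'] = 'query'  # only report the remaining quota
        limit['reserve'] = 0
    else:
        limit['reserve'] = int(reserve)
    if limit['maximum'] < 0 or limit['reserve'] < 0:
        raise ValueError('maximum and reserve must not be negative')
    return limit


def remaining_lookups(limit, consumed):
    """Lookups left today; consumed is the figure the API would report."""
    return max(limit['maximum'] - consumed, 0)


def requests_allowed(value, consumed):
    """Number of requests that fit without touching the reserve."""
    limit = parse_limit(value)
    if limit['mode'] == 'fixed':
        return limit['requests']
    if limit['mode'] == 'query':
        return 0  # query mode performs no lookups
    usable = max(remaining_lookups(limit, consumed) - limit['reserve'], 0)
    return usable // LOOKUPS_PER_REQUEST  # assumption: round down


if __name__ == '__main__':
    consumed = 3896  # constructed input: the consumed count from the post
    for value in ('250', 'quota:sans_isc,10000,0', 'quota:sans_isc,10000,100',
                  'quota:sans_isc,10000,query'):
        print(value, '->', requests_allowed(value, consumed))
```

When the reserve is larger than what is left for the day, the result is 0 requests rather than a negative number.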

virustotal-search_V0_1_9.zip (http)
MD5: 8A8D8C47A02D07AAA36FAB5A8667BC54
SHA256: A6062F7C3D910E8B090DF77C81BBF3A0ADE504A4F0F504325C009D9FC792B266

Friday 13 June 2025

Update: myjson-filter.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

I added value stdout for option -W.

-W stdout: will write all items to stdout (binary) without any end-of-line.
To include an end-of-line, specify a Python string, like this:
-W stdout:'\n' this will add a newline to the end of the item
-W stdout:'\r' this will add a carriage return to the end of the item
-W stdout:'\r\n' this will add a carriage return and newline to the end of the item

myjson-filter_V0_0_9.zip (http)
MD5: FB913E4530B7F13684A0C30EA04D44D8
SHA256: 087FF53B631A294DC6B0EA125DC711806CA28C1B8FA066C4E9A38C7069F354A6

Thursday 12 June 2025

Update: search-for-compression.py 0.0.5

Filed under: My Software,Update — Didier Stevens @ 8:40

I added option -u (--unique) to search-for-compression.py to remove duplicates.

Wednesday 11 June 2025

Update: pecheck.py Version 0.7.18

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bugfix version.

pecheck-v0_7_18.zip (http)
MD5: 813F309837091B2035A18272AE5F053F
SHA256: 2976562A8B12F0CDD3E9DBF56929B391CA73AF91906EABC18E9CD663A17155AD
