Didier Stevens

Wednesday 12 June 2019

Update: virustotal-search.py Version 0.1.5

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

virustotal-search.py is a tool to query VirusTotal via its public API for file reports by providing hashes to search for.

This new version adds searching for URLs. Use option -t to select the type of search you want: file (default) or url.

Like this:

Option -e can be used to include extra information (present in the JSON reply) not included by default.

For example, a default file search does not include sha256 hashes:

But you can include it with option “-e sha256” like this:

The public API can also be used for queries for domain names and IP addresses. These queries are much simpler than file and url, and therefor, I developed a very generic program to query APIs. This will be released soon.

virustotal-search_V0_1_5.zip (https)
MD5: 2155347687726A321D1ADBB9C9B81CFD
SHA256: 4F614C9D01C694AEAA16F7D5E4DBFBCF37E8E8D01D382C1137F401612D02E110

Monday 10 June 2019

Update: sets.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 9:21

sets.py is a program to perform set operations. In this new version, I added operations unique, product, substitute and sort.

And I added options -s and -i.

Operation unique will remove all double entries (which shouldn’t occur anyway in a mathematical set):

“Line 5” appears twice in set4.txt, thus one occurrence is remove by operation unique. “Line 4” and “Line 6” not, because their case is different, or because they have leading whitespace.

To ignore case, use option -i, and to ignore leading and trailing whitespace, use option -s:

sets_V0_0_3.zip (https)
MD5: F8B1EB9140EBA621CBF6F393717BF2EA
SHA256: 94200F8313A66D7CAB6C200A24DD6A5B1D9644004C2ECCF01F22004A801EFE03

Friday 31 May 2019

Update: hex-to-bin.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 10:47

This new version comes with option -a to parse ASCII/hexdumps as produced by my tools.

Option -s can be used to select another hexadecimal/ASCII dump than the first one (for example, -s 2 to select the second dump).

Option -l (list) can be used to produce an overview of all hexadecimal/ASCII dumps found in the input, together with an index number to be used with option -s.

hex-to-bin_V0_0_2.zip (https)
MD5: 4F415E4117EC497C52E244A7087E36B9
SHA256: D283C312CC169419BC16D9199F5EC850D5D7565B9FDB272CA5236F97EDAD22C3

Tuesday 28 May 2019

Update: zipdump Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 0:00

This update is just a small change to the help description, to clarify password dictionary attacking with the build-in password list.

zipdump_v0_0_15.zip (https)
MD5: 148D49FC54477C12EBB620FDCEF61AA2
SHA256: DE6FE35FA281FAD9BBF8C56883212519E60FDF0BCAFB3AFBBF964E5C808CCA2D

Sunday 28 April 2019

Update: jpegdump.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of jpegdump.py (a tool to analyze JPEG pictures) adds 2 new options: -t and -A.

Option -t: consider everything after the first EOI as trailing.

Option -A: perform ascii dump with RLE

jpegdump_V0_0_7.zip (https)
SHA256: 123CDBACA0533BE975751F935EA9C6CEF75B7F8E67CC0FBAD36F8C66DD9354D8

Saturday 27 April 2019

Update: format-bytes.py Version 0.0.8

Filed under: My Software,Reverse Engineering,Update — Didier Stevens @ 9:42

This new version of format-bytes.py (a tool to decompose structured binary data with format strings) brings a couple of new features.

Format strings can now be stored in libraries: you can store often used format strings (option -f) in text files and refer to them for using with format-bytes.py. A library file has the name of the program (format-bytes) and extension .library. Library files can be placed in the same directory as the program, and/or the current directory.
A library file is a text file. Each format string has a name and takes one line: name=formatstring.


This defines format string eqn. It can be retrieved with option -f name=eqn.
This format string can be followed by annotations (use a space character to separate the format string and the annotations):

eqn=<HIHIIIIIBBBBBBBBBB40sIIBB*:XXXXXXXXXXXXXXXXXXsXXXX 1: size of EQNOLEFILEHDR 9: Start MTEF header 14: Full size record 15: Line record 16: Font record 19: Shellcode (fontname)

A line in a library file that starts with # is a comment and is ignored.

Format strings inside a library can be used with option -f. For example, to use format string eqn1, you use option -f name=eqn1. You prefix the format string name with “name=”, like in this example:

Option -s can also take value r now, to select the remainder: -s r. Like this:

The FILETIME format has been added. To use it explicitly, use representation format T.

And finally, with option -F (Find), you can search for values inside a binary file. For the moment, only integers can be searched. Start the option value with #i# followed by the decimal number to search for.


format-bytes_V0_0_8.zip (https)
MD5: 22F216C2304434A302B0904A9D4AF1FE
SHA256: A38D9B57DDB23543E2D462CD0AF51A4DCEDA1814CF9EAD315716D471EAACEF19

Thursday 25 April 2019

Update: python-per-line.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

In this new version of python-per-line, I introduce libraries.

Custom Python code can be stored in a “library file”, i.e. a text file with name python-per-line.library. This file is loaded automatically upon execution when it is found in the current directory or in the same directory as the script (or both).

Currently, the distributed library file contains a small Python function to defang URLs: Defang.

It can be used like this:

If you just want to apply a function to each line, you don’t have to type a full expression like in the example above (Defang(line)).

You can also use option -n and just type the function name, like this:

python-per-line_V0_0_6.zip (https)
SHA256: E7496229BF64B2772AF5C49E4BC065281F06043192453E96A783808F6F3E61D1

Sunday 21 April 2019

Update: translate.py Version 2.5.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This is just a small update to the man page.

translate_v2_5_6.zip (https)
MD5: 9615167810202129C0CFC3D5125CC354
SHA256: F926E474B966790A1077B76C029F912100128C4F1CE848781C14DF4B628395D7

Monday 25 March 2019

Update: pecheck.py Version 0.7.6

Filed under: My Software,Update — Didier Stevens @ 0:00

During recent malware analysis, I had a need to quickly extract overlays from a bunch of PE files. This can be done with this new version: use option “-g o” to get the overlay:

Option -A (rle ASCII dump) is also new.

And option -y (yara) supports regex (#r#) and hexadecimal (#x#) ad-hoc rules.


pecheck-v0_7_6.zip (https)
MD5: C07704E37FB1C18B769BB5336CD2478A
SHA256: 312E730F6DE784808B6E5BE355752803F281F7DC838E4B9C6B3FE924622F47F8

Wednesday 13 March 2019

Update: oledump.py Version 0.0.42

Filed under: My Software,Update — Didier Stevens @ 0:00

This version comes with a major update of the BIFF plugin (for Excel files). New features for plugin_biff.py will be discussed in detail in next blog post.

And there are 2 minor changes to oledump itself.

A warning is displayed when an Office file format without macro-support is selected, like .docx files:

In prior versions, no output was produced at all when files like .docx files were processed.

And there’s a bug fix when selecting non-existing streams:

oledump_V0_0_42.zip (https)
MD5: C5CCF18F9F10CB6916CC74C002C78EDE
SHA256: 14A1FDA4AB57B09729AEB2697818782FAE498369A760FEC8AEE5CFB0A0E9D126

Next Page »

Blog at WordPress.com.