Didier Stevens

Sunday 29 December 2019

Update: pdf-parser.py Version 0.7.4 and pdfid.py Version 0.2.7

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdf-parser_V0_7_4.zip (https)
MD5: 51C6925243B91931E7FCC1E39A7209CF
SHA256: FC318841952190D51EB70DAFB0666D7D19652C8839829CC0C3871BBF7E155B6A

pdfid_v0_2_7.zip (https)
MD5: F1852F238386681C2DC40752669B455B
SHA256: FE2B59FE458ECBC1F91A40095FB1536E036BDD4B7B480907AC4E387D9ADB6E60

Saturday 28 December 2019

Update: zipdump.py Version 0.0.16

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of zipdump.py, a tool to analyze ZIP files, adds option -f to scan for PK records and adds support for Python 3.

More details in an upcoming blog post.

zipdump_v0_0_16.zip (https)
MD5: 616654BDAFFDA1DDE074E6D1A41E8A42
SHA256: F3B6D52BA32D6BA3836D0919F2BBC262F043EF6E26D173DD0965735D4F3B5598

Thursday 19 December 2019

Update: oledump.py Version 0.0.44

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This new version of oledump adds option -f to find embedded ole files, making the analysis of .DWG files with embedded VBA macros (for example) easier.

And there is a new plugin: plugin_version_vba.py. This helps with determining the VBA version.

Here is a video showing the analysis of .DWG files with option -f:

oledump_V0_0_44.zip (https)
MD5: 2BB2CD027327FFD8857CDADC1C988133
SHA256: 1A9C951E95E2FE0FDF3A3DC8E331205BC65C617953F0E30ED3E6AC045F4DD0C0

Monday 9 December 2019

Update: oledump.py Version 0.0.43

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds support for Python 3. Several plugins and decoders were also updated for Python 3.

There’s a new option to include storages in the overview: –storages.

And option –decompress now does also VBA decompression (it was zlib only). This helps to decompress the dir stream of documents with VBA macros:

And I added type 1009 to plugin_msg.py: Compressed RTF.

oledump_V0_0_43.zip (https)
MD5: F98A06CED73C4FC2CA153B7E751746B5
SHA256: 4FE1DBAB822CEC2489328CE3D4D272400F23F1FAD266C9D89B49D9F83F3AA27F

Sunday 8 December 2019

Update: numbers-to-string.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 19:34

This is just a bugfix version (Python 3).

numbers-to-string_v0_0_9.zip (https)
MD5: C5629F102FCF58E5CFF24472D35AFF22
SHA256: 5B1CA43EDFD7BA66CF44FB552BD7882AEB13A8765017F9F865071E187410EE63

Monday 18 November 2019

Update: tcp-honeypot.py Version 0.0.7

Filed under: My Software,Networking,Update — Didier Stevens @ 0:00

This new version of tcp-honeypot.py, a simple TCP honeypot and listener, brings TCP_ECHO and option -f as new features.

TCP_ECHO can be used to send back any incoming data (echo). Like this:

dListeners = {4444: {THP_LOOP: 10,THP_ECHO: None,},}

TCP_ECHO also takes a function, which’s goal is to transform the incoming data and return it. Here is an example with a lambda function that converts all lowercase letters to uppercase:

dListeners = {4444: {THP_LOOP: 10,THP_ECHO: lambda x: x.upper(),},}

If persistence is required across function calls, a custom class can also be provide. This class has to implement a method with name Process (input: incoming data, output: transformed data). Consult the man page (option -m) for more details.

And option -f (format) can be used to change the output format of data.
Possible values are: repr, x, X, a, A, b, B
The default value (repr) output’s data on a single line using Python’s repr function.
a is an ASCII/HEX dump over several lines, A is an ASCII/HEX dump too, but with duplicate lines removed.
x is an HEX dump over several lines, X is an HEX dump without whitespace.
b is a BASE64 dump over several lines, B is a BASE64 without whitespace.



Saturday 9 November 2019

Update: format-bytes.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py, a tool to parse binary data, comes with support for bit streams.

This can help, for example, with decoding steganographic data, like a PE file hidden in a .WAV file.

More about this in an upcoming blog post.

format-bytes_V0_0_10.zip (https)
MD5: 3349E2F8C84AE644C0AEFDA4410297C5
SHA256: F75C3A353E42D847264702B1F316A65657E6375EF979B8EF21B282D4676BE4C3

Sunday 3 November 2019

Update: numbers-to-string.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

numbers-to-string.py is a tool to help with deobfuscation: it transforms numbers found in its input into strings.

This new version adds option -b to produce binary output.

numbers-to-string_v0_0_8.zip (https)
MD5: 69179F5EE01F8E0102F40B768E80A82E
SHA256: 535518780E9F4102320C81EF799CF1AD483C51450690A2E1FA9F2CA61B7A8A88

Saturday 2 November 2019

Update: cut-bytes.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of cut-bytes.py, a tool to select a byte sequence from its input, has bug fixes (including Python 3 fixes) and 2 new options: -p –prefix and -s –suffix.

With these options, arbitrary data can be prefixed or appended to the input.

cut-bytes_V0_0_10.zip (https)
MD5: C14F60F9843F4C2A40A05A52CBE16AB8
SHA256: AD3ADBF30B09DB77B17FEF62C40CDC138516FD24B077201D126D259D1953792B

Sunday 27 October 2019

Update: pecheck.py Version 0.7.8

Filed under: My Software,Update — Didier Stevens @ 10:37

This new version of pecheck.py, a tool to analyze PE files, comes with a small update to option -l.

The overview of embedded PE files produced with option -l P now reports the hash of the embedded PE file without overlay:

By default, this is an MD5 hash, but can be changed to your liking using environment variable DSS_DEFAULT_HASH_ALGORITHMS, like this:

I will introduce this environment variable to my other tools with new releases.


pecheck-v0_7_8.zip (https)
MD5: 616CD9159316FC2100BE3E87C5C26B2C
SHA256: F734EFFFA17E4EE6CA64A67D18340B3347B72C4B1C7522BAF1B7D720FABA2389

Next Page »

Blog at WordPress.com.