Didier Stevens

Wednesday 28 September 2022

Update: rtfdump.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 21:40

This new version of rtfdump, my tool to analyze RTF files, brings json output for options -O and -F.

rtfdump_V0_0_11.zip (http)
MD5: AFC884082B251BF288B05203DD5D4F69
SHA256: CB3984924137897F75E62C3A835BB9197CBF1DDBD6BCFB3E18423999B06A36C8

Sunday 25 September 2022

Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3

Filed under: Beta,My Software,Update — Didier Stevens @ 20:10

Here’s a new beta version of my tool pngdump.py, a tool to analyze PNG files.

I took a look at all files on MalwareBazaar with a PNG tag, and made updates to pngdump.py to handle them.

I found 3 types of “PNG” files.

First, files spoofing PNG files: files that are not PNG files, but have a .png extension.

Like .exe and .rar files:

Second, valid PNG files with an appended payload:

Third, invalid PNG files. For example, PNG files with the right record structure, but where the Zlib compressed image is replaced by an RC4 encrypted payload (IcedID):

I also have other samples, but that’s for another blog post.

Beta version 0.0.3 is available on GitHub.

Tuesday 20 September 2022

Update: My Python Templates Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds the option –trim to template process-text-files.py.

python-templates_V0_0_8.zip (http)
MD5: 6C845823BB8AC4DB42993B994E93AF66
SHA256: 20EC1E6540DF31939686CA4B54C5312DF3724EB756B16BA724722C3196BDF93F

Monday 19 September 2022

Update: strings.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This version of my strings.py program adds option -N to select strings that end with a NUL character (C-strings).

strings_V0_0_8.zip (http)
MD5: 29015239E6385FFA63C2E33755C34CD9
SHA256: 449AC9AA39A464D7C5883DED3FE9CB21A2E8E700F7763AD4199C25D37DCBD296

Thursday 15 September 2022

Update: virustotal-search.py Version 0.1.7

Filed under: My Software,Update — Didier Stevens @ 7:41

A new option was added to limit the amount of requests: -l (–limitrequests).

virustotal-search_V0_1_7.zip (http)
SHA256: AEFEB5761A5BBEE998FA20A68213316522C7554796F47EB8C7EB2A5DF1D4E73D

Wednesday 7 September 2022

Update: hex-to-bin.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update: when non-hexadecimal characters are found, they are listed before an exception is raised.

hex-to-bin_V0_0_6.zip (http)
MD5: 9939263DCF538BBF5FC98DB2EC83F247
SHA256: 94B2B23BCA5C000CA85EEE8AE1A16AEEDB77E72057111C8207A683BD4DDF4581

Tuesday 6 September 2022

Update: xor-kpa.py Version 0.0.6

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This is an update for my tool to perform XOR known plaintext attacks: xor-kpa.py.

The tool has been updated for Python 3, and 3 new plaintext have been added, all for Cobalt Strike configurations.

cs-key is the header of the configuration entry for the public key.

cs-key-dot is the header of the configuration entry for the public key XORed with value 0x2E (a dot).

cs-key-i is the header of the configuration entry for the public key XORed with value 0x69 (letter i).

xor-kpa_V0_0_6.zip (http)
MD5: 4BA5EDEAEF6C8D528227607E78A2A797
SHA256: F7BE170D09E8B8A5B4127F64EC66FFF69EFD3EFA3B4EAC0304B39905A75CDE2A

Monday 5 September 2022

Update: translate.py Version 2.5.12

Filed under: My Software,Update — Didier Stevens @ 15:50

A small update for my translate.py program.

Python function Xor takes now 2 extra, optional arguments:

hexadecimal: a boolean, by default False.

When True, the key is provided as an hexadecimal string.

rotation: an integer, by default 0

This is the number of bytes to rotate the key to the left. For example, when the key is ABCD, a rotation value of 1 yiels key BCDA.

translate_v2_5_12.zip (http)
MD5: 4B0C79AF8A1D41BA735C5030912E6C28
SHA256: 899109A9D787D6781AEB0569330A01709063BB3FD58F4AED068A57951B230F88

Sunday 4 September 2022

Update: oledump.py Version 0.0.70

Filed under: maldoc,My Software,Update,video — Didier Stevens @ 15:38

This is an update to plugin plugin_vba_dco.py, improving generalization and adding option -p.

You can watch this maldoc analysis video to learn how to use the generalization feature of this plugin:

oledump_V0_0_70.zip (http)
MD5: D6EC4FD6B7BE60E01A98922BC06A1E8F
SHA256: E9EE79501A08E896A601F1AFDDB6D3C05D9A2A1FD5899D44AC422DD79E4EF678

Friday 2 September 2022

Update: jpegdump.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 19:14

This update to jpegdump.py, my tool to analyze JPEG images, brings 2 small changes:

Data between segments can be selected with suffix d. Like this: -s 10d

This means: select the data between segments 9 and 10.

And when option -E is used to add hash values, repeating hashes are marked with parentheses.

jpegdump_V0_0_10.zip (http)
MD5: 5B33C0ECB94E3284CA64E98B5A0947C3
SHA256: D8C657DB7564160725C95677BE200EB3A902BDC74CF335EFA8499596495633F0
Next Page »

Blog at WordPress.com.