Didier Stevens

This update improves digital signature handling.

pecheck-v0_7_4.zip (https)
MD5: E0F90B85576F7BC42BB8601E650134FB
SHA256: E011CD82F5E3244553FBA52DDF3F0D3076E88A6F35E50AA18AC0DAAC6ED91389

This new version of numbers-to-string.py has a new option: -S (–statistics).

Statistics can help identifying malicious scripts (text files in general)  with numbers:

numbers-to-string_v0_0_5.zip (https)
MD5: 02119AFAC1942A3C97B8E554C03B2DB6
SHA256: 36A5C346063C93B45C50ACF82C317379496A815F166E25F969168DDAB561F92D

This new version has many new features and options.

First there is the remainder (*) when using option -f to specify a parsing format.

For example, -f “<i25s” directs format-bytes to interpret the provided data as a little-endian integer followed by a 25-byte long string:

With the remainder (-f “<i25s*”), format-bytes will provide info for the remaining bytes (if any) after parsing (e.g. after the 25-byte long string):

Options -c and -s changed ito -C and -S, so that option -s can be used to select items (to be consistent across my tools).

Option -s can be used to select an item, like a string, to be dumped (options -a, -x and -d). If no dump option is provided, an hex-ascii dump (-a) is the default.

And option –jsoninput can be used to process JSON output produced by oledump.py or zipdump.py, for example.

format-bytes_V0_0_5.zip (https)
MD5: 3D92BCAF8E31BFBF6F4917B3AAB64AEF
SHA256: AD43756F69C8C2ABF0F5778BC466AD480630727FA7B03A6D4DEC80743549845A

This new version of oledump.py adds option –vbadecompressskipattributes to decompress VBA code while skipping the initial attribute definitions (those that are hidden in the MS Office VBA Editor).

Here is an example of output with option -v you are familiar with:

When replacing option -v with option –vbadecompressskipattributes, the initial attributes are no longer displayed:

These attributes are actually hidden in the MS Office VBA Editor:

I added this option because lately, I’ve analyzed several samples where I had to extract all strings for further decoding, and the strings in the attribute definitions were interfering with the decoding. With this new options, I can prevent these strings from appearing in the output.

plugin_msg.py was updated to version 0.0.3 to include plugin option -k, to display only known MSG streams.

oledump_V0_0_37.zip (https)
MD5: BBC2F3B57266B557307E12E8BC950F98
SHA256: 573C73110CA35EE6451FD14EE7B7DCA3B53FF624ECCFF824799DA59F7767DA68

This new version of python-per-line.py adds new options: –grep, –grepoptions, –begingrep, –begingrepoptions, –endgrep and –endgrepoptions

With –grep and –grepoptions, you can select the lines to be processed by python-per-line.py.

If you want to skip lines at the beginning of the file, use option –begingrep to grep for the first line where processing should start.

And if you want to skip lines at the end of the file, use option –endgrep to grep for the last line to be processes.

python-per-line_V0_0_5.zip (https)
MD5: 1CED1F84FD44E64BF448558BA02E0978
SHA256: 8E6845006BD3463135CE7AA0AA05FA596AC10E6E2ACC4B45C5909B624A20D6A5

This new version of numbers-to-string.py adds new options: –grep, –grepoptions, –begin and –end.

With –grep and –grepoptions, you can select the lines to be processed by numbers-to-string.py.

And if you don’t want the tool to take a whole line into account when processing numbers, but only part of the line, you can use option –begin to specify where in the line processing should start.

Likewise, with –end you can specify where processing should end.

numbers-to-string_v0_0_4.zip (https)
MD5: DFBA2CE60D59A5DF25D7BE415D55B0FF
SHA256: DA75A6BEB7DCD0F71C008EFE43EE3D3831B545BC916AA5176F4E2004FE97A250

This new version of re-search adds 3 regular expressions to the library: str-e matches quoted strings like str but including the empty string too. str-u matches strings like str, but strips the double quotes. str-eu matches like str-e and also strips double quotes.

re-search_V0_0_12.zip (https)
MD5: 8CA8D767BDB126B097E41F0D4B1F197B
SHA256: 69752CF9862FC4EC29DD96289A21D1C8C82FB4C3C3083BE622C169BA658F0A40

This new version of base64dump adds option -I (ignorehex). Like -i, -I can be used to specify characters to be ignore by base64dump. Option -I takes the characters to be ignored as hexadecimal values, like this:

base64dump.py -I 2209

This will ignore the double-quote character (0x22) and the TAB character (0x09).

base64dump_V0_0_11.zip (https)
MD5: BF9D9EB3E6D574633D7F85345213E3E8
SHA256: 2741F9C3FD7B0897A04F60C741D7125568C8355A82FCF0FD4BB80877EE7FB935

sets.py is a small & simple tool for operations on sets, like the intersection of 2 sets.

2 new operations were added to this version: sample and join.

sets_V0_0_2.zip (https)
MD5: F744A900D3EBF7A0D0927F5244FA65F9
SHA256: B205B766D0FB4D12DD334BD6CD20748E14EF1136D545F7EFBB5CEAC6B3F0D942