Didier Stevens

This new version brings an update to the Pascal feature of strings.py, my tool to extract strings from arbitrary files.

I had to analyze compiled Lua code (compiled with Lua 5.2): Lua 5.2 byte code stores strings like C strings and Pascal strings.

The strings are terminated by a NULL byte, like C strings, and they are prefixed with a length counter, like Pascal strings. Since the length includes the NULL byte, my strings.py tool didn’t match compiled Lua 5.2 strings:

I need to subtract 1 from the counter, so that it matches the length of the string without NULL byte. This can now be done as follows:

strings_V0_0_7.zip (https)
MD5: 2533BF3E7CBD5526718CDE5E150039D2
SHA256: FFBE686A2E41B22858023898580419806A789349D408C24EF25E8BEBCD33A418

This is a new version of my tool to search with regular expression, adds a -F (–filter) option to filter search results.

re-search_V0_0_15.zip (https)
MD5: E68D42F9F943335961C12BED7AD459A7
SHA256: 47F837C198CC3033B9C07086EA4FD0484BC40CE850723B4F6A849FB237D9A7E0

This is a new version of my tool to search with regular expression, that adds a new regular expression to the embedded dictionary: detection of domain names that end with a valid TLD:

re-search_V0_0_14.zip (https)
MD5: 53CDB34174E6EFE211872D6BC64533CC
SHA256: 3F55E6EA7272BFC780E159BA886932F96DC055CF533B0B3C3A5CCBAF0229682E

Here is a bug fix version for my Python template (binary files).

I use these templates as a starting point for new tools or for quick development of ad-hoc tools.

python-templates_V0_0_4.zip (https)
MD5: 0ED3B69594A5BCD5069391177A6C1F79
SHA256: 15DBE4FD16F19FEBF4CB9381E4D59A1B7ECC11C43B48AE96FADD75FC53BB189F

This is a Python 3 update for my count.py tool, a tool to count items.

count_v0_3_0.zip (https)
MD5: 52B9E424640983892FAD7734D0388860
SHA256: 4ED5A3FD913E6953A4635AB93F015BEDE08DF3448125DD95E1EFCB47A320D0D5

This new version of oledump.py adds an overview of indicators to the end of the man page (-m) and adds simple password cracking to plugin_biff for Excel 95 files.

oledump_V0_0_58.zip (https)
MD5: 46CACE8791487EC18FAC250B6F5ECC7F
SHA256: 241E182CE5E1CC8B6EB612CF1EC09418BE263529501B6C54C5E683B88A3C5ABB

Here is an update to my Python templates (binary and text files).

I use these templates as a starting point for new tools or for quick development of ad-hoc tools.

python-templates_V0_0_3.zip (https)
MD5: 177ABEC23A09F489893823C5D3409C09
SHA256: A0F5F316E4EB858F9D8257039D68CF25AE0B2ADBCB3602A5FD1C12A9FC92706A

This is a Python 3 update for my tool to analyze RTF files. There are some new features, like option -O, to produce an overview:

More details in upcoming maldoc analysis posts.

rtfdump_V0_0_10.zip (https)
MD5: E7D235AC14A83DAABCD433DE1948E989
SHA256: 750430C0DA0B9D25B0BBBB972F107D1459FEAF45A2D61EAB6C10E84CB8AA01F8

This is an update of my tool to analyze Cobalt Strike beacons.

Option -l can be used to generate YARA rules to search for Cobalt Strike beacons with a given license ID.

1768_v0_0_4.zip (https)
MD5: 35779393F2DC6171731446F8E0AC361B
SHA256: 59148C2DA13BE4DB203F9444E837911476BDE74E41E5A82C865E9729101336D2

This is an update to my tool base64dump.py: a tool to detect and decode encodings like base64, hexadecimal, …

A new decoding option was added with version 0.0.13: dec (decimal).

base64dump_V0_0_13.zip (https)
MD5: B322C1E55108FB1559009FC4C1CF12DE
SHA256: EE6527B4F558439916D9854980D6980EECA9F130F37BBF4034453ABBD8BF3260