Didier Stevens

This is the Python 3 version of my email file analysis tool (eml).

emldump_V0_0_11.zip (https)
MD5: 09408ED0C2183178BEA71459CE001995
SHA256: 01B3543CCBAE806E1536BF55E62DF7D30885737909DB4322348AC521138660CC

This is a Python 3 update for my disitool.

disitool_v0_4.zip (https)
MD5: 3A41D8805340716913FAECE7C79B10A7
SHA256: 51EBFB0759FEEA69FFFB643659FD74DC5043338719A91CE36E427D175196661A

This new version of oledump.py brings extra JSON support and a new indicator.

Existing option -j (–jsonoutput) produces JSON output: a JSON object with the content of each individual stream (BASE64 encoded).

This option (-j) can now be used together with option -v (–vbadecompress) to produce a JSON object with the VBA code (BASE64 encoded) of each VBA module stream.

And there is a new indicator (!) :

This indicator is used for VBA module streams for which oledump is not able to recognize “normal” VBA source code (e.g. starting with something else than attributes). Here is an example of a sample that would cause this ! indicator to appear: AV Cleaned Maldoc.

oledump_V0_0_55.zip (https)
MD5: 499B66DC3BAF86BDA4BC0370E3C18A1A
SHA256: ABEABFF0F1F5AA2239AFCDE73A676D4E8D9BA2F82C03B8663FFAB6F8D3A360E7

This is a Python 3 bug fix version.

translate_v2_5_10.zip (https)
MD5: DB9574D664257263C51FE7C74C7B281E
SHA256: E8993B3F2C25A92A9F4583636E1CEF79D79649B29FFF56EAA9AF8A30FCF9B9A6

This new version of strings.py, my tool to extract strings from arbitrary files, adds option -P to add support for Pascal strings.

A Pascal string is a string that is internally stored with a length-prefix: an integer that counts the number of characters inside the string.

The Unix strings command, and my strings.py tool, can extract Pascal strings without any problem, because they just search for a sequence of characters, without looking for a terminating NULL character (C-string) or a length-prefix (P-string ot Pascal string).

But with option -P, you can direct my tool strings.py to only extract Pascal strings, by checking if character sequences are prefixed with an integer that is equal to the number of characters inside the string. Strings that do not match that requirement are ignored.

Since an integer can be represented internally with different byte formats, you have to provide a value to option -P that indicates how the integer is stored internally. I use the same format as Python’s struct module to represent that format. For example, “<I” is a little-endian, unsigned 32-bit integer. That is how a string is represented in Delphi, as can be seen in this example of a Delphi malware sample:

The strings you see here are all found inside the sample, and are prefixed by their length. If you wouldn’t use option -P, then these strings would also be extracted, but they would not stand out amid the other strings that are not prefixed by their length.

Delphi also supports the ShortString type: one byte to encode the length. These can be found with option -P “<B”: little-endian, unsigned 8-bit integer:

strings_V0_0_5.zip (https)
MD5: A4BF314BE0A72972ECA7B14B558610E6
SHA256: 30E9E9BB618006445483AA78F804766D8FFA518974B81F9B68FF534BEA30B072

This is a small bug fix release for Python 3.

translate_v2_5_9.zip (https)
MD5: 8EC7A9F0738C86CCF2F0B44D3994E798
SHA256: 3C469996F7014CC1BD5D4F02157B7D5803698D93018360904B79EA2A1601BD10

This new version of oledump.py adds a new variable for option -E: %MOFULEINFO%

This variable need to be used together with option -i: it contains the size of the compiled VBA code and the compressed VBA code. For example: 123+65.

There’s a new option (-s) for plugin plugin_http_heuristics: with this option, the plugin ignores space characters (useful for hexadecimal bytes separated by a space character, for example).

And there is a new plugin: plugin_msg_summary. This is a new type of plugin, a plugin that operates on the complete document. Before, plugins could only operate on individual streams, and were instantiated for each stream.

This plugin produces a summary of a .msg file (something we needed for our “Epic Manchego” research).

Here is an example:

This plugin has a couple of options, for example to produce JSON output or to add header or body information:

This new version of oledump.py has bug fixes, updates for -s and –raw -v options, plugins, and a bug fix for plugin_vbaproject.

Streams can now be select (-s –select) by name too. Make sure to include the single quotes:

oledump_V0_0_53.zip (https)
MD5: C26EB56580D65B2E856169A3EFC9BC03
SHA256: A10D90284F10C6D7811E2573049FE0F8315F04129846898C88E0184423988CD9

This new version of numbers-to-string.py, a tool to extract numbers from text files and convert them to strings, adds a verbose option (-v –verbose).

Example:

Running this with verbose option shows which lines were selected for number extraction:

numbers-to-string_v0_0_10.zip (https)
MD5: C7B8985C5A7D856F68A88BBD491375E6
SHA256: 8CED403C795E9287DD1500C8A0EFBF41F8837BE112113D425A7F8C97D9D1A27E

This is a bugfix version

pecheck-v0_7_11.zip (https)
MD5: D3B69575F0A08377D1A08886D34230FD
SHA256: 2B59F745377EABDF81118997CA70F5F4DBC1CE927370F02C6E0262869F988FA9