Didier Stevens

Wednesday 23 November 2022

Update: what-is-new.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update of what-is-new.py, my tool that reports which lines inside files are new (i.e., never seen before), has a new option: -a (--action). It allows me to launch a command when something new is detected.

I use this, for example, to be alerted via Telegram. More details in an upcoming blog post.

what-is-new_V0_0_2.zip (http)
MD5: 458B06FAF21F6BB150087196CCFEFAC2
SHA256: D020205346A778A4EE31B9C645F31BD4E14B465DC0B37BABD1DEEDFB6F347232

Thursday 10 November 2022

Update: pdf-parser.py Version 0.7.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update: you can now select which hash algorithm to use for option -H by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.

The statistics option (-a) now also displays a list of objects with streams.

pdf-parser_V0_7_7.zip (http)
MD5: BCAE193F171184F979603DFB1380FF43
SHA256: 576C429FA88CF0A7A110DAB25851D90670C88EC4CD7728329E754E06D8D26A70

Monday 24 October 2022

Update: byte-stats.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of byte-stats.py, my tool to generate statistics for (binary) data, adds reporting of the longest:

  • printable string (ASCII bytes from 0x20 to 0x7E inclusive)
  • hexadecimal string (ASCII hexadecimal digits; the length is not checked for being an even number)
  • BASE64 string (ASCII BASE64 digits without the padding character =; the length is not checked for being a multiple of 4)

byte-stats_V0_0_9.zip (http)
MD5: 9187073EB63DE78BDACA1A3AB096DD19
SHA256: 6BC1F8A6FDAA4E8484B6C86E38E214BCBF24AB20F80C92D8AEE3C5EA402D2F0C

Saturday 22 October 2022

Update: rtfdump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 11:35

This version adds support for ZIP files encrypted with AES, via the pyzipper module.

rtfdump_V0_0_12.zip (http)
MD5: C3D4F69908A49265E3877D4338462534
SHA256: A40CC2744DE2D4C5956F5FD306357E7E105EC693B8BEA6E7E006C48EC78055BB

Thursday 13 October 2022

Update: base64dump.py Version 0.0.24

Filed under: My Software,Update — Didier Stevens @ 19:02

This is a small update, to add extra statistical information for decoded items.

base64dump_V0_0_24.zip (http)
MD5: 47FDC47A9235CEF2DF95D1FC12BC166E
SHA256: FAF376E267CE6937BAB7544EA4AF9DD40499886992E7DA3855C16C73C02276B1

Wednesday 28 September 2022

Update: rtfdump.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 21:40

This new version of rtfdump, my tool to analyze RTF files, brings JSON output for options -O and -F.

rtfdump_V0_0_11.zip (http)
MD5: AFC884082B251BF288B05203DD5D4F69
SHA256: CB3984924137897F75E62C3A835BB9197CBF1DDBD6BCFB3E18423999B06A36C8

Sunday 25 September 2022

Taking A Look At PNG Files with pngdump.py Beta Version 0.0.3

Filed under: Beta,My Software,Update — Didier Stevens @ 20:10

Here’s a new beta version of my tool pngdump.py, a tool to analyze PNG files.

I took a look at all files on MalwareBazaar with a PNG tag, and made updates to pngdump.py to handle them.

I found 3 types of “PNG” files.

First, files spoofing PNG files: files that are not PNG files but have a .png extension, like .exe and .rar files.

Second, valid PNG files with an appended payload.

Third, invalid PNG files. For example, PNG files with the right record structure, but where the zlib-compressed image data is replaced by an RC4-encrypted payload (IcedID).

I also have other samples, but that’s for another blog post.

Beta version 0.0.3 is available on GitHub.
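As an added illustration of the three categories above (this is not pngdump.py's code), a small chunk walker is enough to triage a suspicious .png: it checks the signature, walks the chunks to IEND verifying each CRC, tries to inflate the concatenated IDAT data, and reports any bytes trailing IEND. The sample files are constructed inline with the build_png helper.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def classify_png(data: bytes) -> str:
    """Return 'spoofed' (no PNG signature), 'invalid' (broken chunks or IDAT that
    does not inflate), 'appended' (bytes trailing IEND) or 'valid'."""
    if not data.startswith(PNG_SIGNATURE):
        return "spoofed"
    pos, idat, seen_iend = len(PNG_SIGNATURE), b"", False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length          # 4 length + 4 type + body + 4 CRC
        if chunk_end > len(data):
            return "invalid"                   # truncated chunk
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[chunk_end - 4:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return "invalid"                   # CRC is computed over type + body
        if ctype == b"IDAT":
            idat += body                       # image data may span several IDAT chunks
        pos = chunk_end
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        return "invalid"
    try:
        zlib.decompress(idat)                  # a real image inflates; an RC4 blob does not
    except zlib.error:
        return "invalid"
    return "appended" if pos < len(data) else "valid"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC32 over type + body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_png(idat_body: bytes, trailer: bytes = b"") -> bytes:
    """Constructed 1x1 8-bit grayscale PNG carrying idat_body, plus an optional trailer."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, colour type, ...
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat_body)
            + chunk(b"IEND", b"") + trailer)

# Constructed IDAT payloads: a genuine zlib stream (filter byte + one grey pixel) and non-zlib bytes.
GOOD_IDAT = zlib.compress(b"\x00\x00")
NOT_ZLIB = b"\x8b\x12\xf0\x55 constructed non-zlib data"
```

On a real sample, read the file bytes and pass them to classify_png; an "appended" or "invalid" verdict is the cue to carve the trailing bytes or the IDAT data for further analysis.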

Tuesday 20 September 2022

Update: My Python Templates Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds the option --trim to template process-text-files.py.

python-templates_V0_0_8.zip (http)
MD5: 6C845823BB8AC4DB42993B994E93AF66
SHA256: 20EC1E6540DF31939686CA4B54C5312DF3724EB756B16BA724722C3196BDF93F

Monday 19 September 2022

Update: strings.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This version of my strings.py program adds option -N to select strings that end with a NUL character (C-strings).

strings_V0_0_8.zip (http)
MD5: 29015239E6385FFA63C2E33755C34CD9
SHA256: 449AC9AA39A464D7C5883DED3FE9CB21A2E8E700F7763AD4199C25D37DCBD296

Thursday 15 September 2022

Update: virustotal-search.py Version 0.1.7

Filed under: My Software,Update — Didier Stevens @ 7:41

A new option was added to limit the number of requests: -l (--limitrequests).

virustotal-search_V0_1_7.zip (http)
SHA256: AEFEB5761A5BBEE998FA20A68213316522C7554796F47EB8C7EB2A5DF1D4E73D