Didier Stevens

Sunday 8 December 2019

Update: numbers-to-string.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 19:34

This is just a bugfix version (Python 3).

numbers-to-string_v0_0_9.zip (https)
MD5: C5629F102FCF58E5CFF24472D35AFF22
SHA256: 5B1CA43EDFD7BA66CF44FB552BD7882AEB13A8765017F9F865071E187410EE63

Monday 18 November 2019

Update: tcp-honeypot.py Version 0.0.7

Filed under: My Software,Networking,Update — Didier Stevens @ 0:00

This new version of tcp-honeypot.py, a simple TCP honeypot and listener, brings TCP_ECHO and option -f as new features.

TCP_ECHO can be used to send back any incoming data (echo). Like this:

dListeners = {4444: {THP_LOOP: 10,THP_ECHO: None,},}

TCP_ECHO also takes a function, which’s goal is to transform the incoming data and return it. Here is an example with a lambda function that converts all lowercase letters to uppercase:

dListeners = {4444: {THP_LOOP: 10,THP_ECHO: lambda x: x.upper(),},}

If persistence is required across function calls, a custom class can also be provide. This class has to implement a method with name Process (input: incoming data, output: transformed data). Consult the man page (option -m) for more details.

And option -f (format) can be used to change the output format of data.
Possible values are: repr, x, X, a, A, b, B
The default value (repr) output’s data on a single line using Python’s repr function.
a is an ASCII/HEX dump over several lines, A is an ASCII/HEX dump too, but with duplicate lines removed.
x is an HEX dump over several lines, X is an HEX dump without whitespace.
b is a BASE64 dump over several lines, B is a BASE64 without whitespace.



Saturday 9 November 2019

Update: format-bytes.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py, a tool to parse binary data, comes with support for bit streams.

This can help, for example, with decoding steganographic data, like a PE file hidden in a .WAV file.

More about this in an upcoming blog post.

format-bytes_V0_0_10.zip (https)
MD5: 3349E2F8C84AE644C0AEFDA4410297C5
SHA256: F75C3A353E42D847264702B1F316A65657E6375EF979B8EF21B282D4676BE4C3

Sunday 3 November 2019

Update: numbers-to-string.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

numbers-to-string.py is a tool to help with deobfuscation: it transforms numbers found in its input into strings.

This new version adds option -b to produce binary output.

numbers-to-string_v0_0_8.zip (https)
MD5: 69179F5EE01F8E0102F40B768E80A82E
SHA256: 535518780E9F4102320C81EF799CF1AD483C51450690A2E1FA9F2CA61B7A8A88

Saturday 2 November 2019

Update: cut-bytes.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of cut-bytes.py, a tool to select a byte sequence from its input, has bug fixes (including Python 3 fixes) and 2 new options: -p –prefix and -s –suffix.

With these options, arbitrary data can be prefixed or appended to the input.

cut-bytes_V0_0_10.zip (https)
MD5: C14F60F9843F4C2A40A05A52CBE16AB8
SHA256: AD3ADBF30B09DB77B17FEF62C40CDC138516FD24B077201D126D259D1953792B

Sunday 27 October 2019

Update: pecheck.py Version 0.7.8

Filed under: My Software,Update — Didier Stevens @ 10:37

This new version of pecheck.py, a tool to analyze PE files, comes with a small update to option -l.

The overview of embedded PE files produced with option -l P now reports the hash of the embedded PE file without overlay:

By default, this is an MD5 hash, but can be changed to your liking using environment variable DSS_DEFAULT_HASH_ALGORITHMS, like this:

I will introduce this environment variable to my other tools with new releases.


pecheck-v0_7_8.zip (https)
MD5: 616CD9159316FC2100BE3E87C5C26B2C
SHA256: F734EFFFA17E4EE6CA64A67D18340B3347B72C4B1C7522BAF1B7D720FABA2389

Monday 30 September 2019

Update Of My PDF Tools

Filed under: maldoc,Malware,My Software,PDF,Update — Didier Stevens @ 19:16

This is an update of my PDF tools.

There are a couple of bug fixes for pdf-parser and pdfid.

And 2 new features in pdf-parser, inspired by a private training on maldoc analysis I gave last week. I often get good ideas from my students, and sometimes, even I get a good idea in class 🙂 .

Option -o can now be used to select multiple objects: separate the indices by a comma.

There’s a new environment variable, PDFPARSER_OPTIONS, that can be used to provide extra options you want to include with each execution of pdf-parser.py. This is useful for option -O, an option to parse stream objects.

It’s actually best to always parse stream objects, i.e. always use option -O. But I decided not to make this an option that is on by default, so that the behavior of pdf-parser would remain unchanged. I consider this important for the many people that rely on a predictable behavior of pdf-parser, like teachers and students of infosec trainings where my tools are used/mentioned.

However, always including option -O is tedious and error prone. So now you can have best of both worlds, by defining an environment variable with name PDFPARSER_OPTIONS and value -O.

And finally, I started to add a man page (option -m), like I do with many of my other tools. This is a work in progress: for the moment, it points to my free PDF analysis e-book that explains the use of pdfid and pdf-parser.

pdf-parser_V0_7_3.zip (https)
MD5: 7EB1713631D255B36BC698CD2422C7EB
SHA256: D4D5AC9C26A9D8FEF65CE58A769D3F64A737860DC26606068CCDD3F04FDEA0D7

pdfid_v0_2_6.zip (https)
MD5: 9CCE332914A6C76410F04B7C35DA3155
SHA256: 95F7C91EEFB561F3F3BE9809ED339D85E7109BAA7E128EF056651EE018DBDBA0

Sunday 22 September 2019

Update: strings.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 8:56

This new version of strings.py comes with a new option -T to trim the strings to a given length. And also 2 bug fixes.

strings_V0_0_4.zip (https)
MD5: 8B1F5A6BEBA2BC8BDFF16B99C27050E4
SHA256: 7BBAAB0E83692288BDC35BC0FBDD6B2F8A141280E506131E2818F49BEF31D01A

Saturday 21 September 2019

Update: hex-to-bin.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:04

hex-to-bin.py is a program to convert hexadecimal dumps (text) to binary data.

This new version of hex-to-bin.py can handle different hexdump formats, like registry dumps (text files). Use option -x to handle these hexdumps.

And option -t was added if the input is a text file that is non-ASCII, like UTF16. Option -t can be used to convert the text file.

And it supports Python3, but that code is a kludge. Something I’ll have to do better later.


hex-to-bin_V0_0_3.zip (https)
MD5: 0F87942CC9EF566D4C3B5A34073D5399
SHA256: 02447247C59F530CD6559B0FB287E314AC3AB807D843729CA9CE3F16D0930CAB

Wednesday 18 September 2019

Update: pecheck.py Version 0.7.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds option -l to carve embedded PE files. This will be explained in detail in an upcoming blog post.

pecheck-v0_7_7.zip (https)
SHA256: 91041D17A39C7FA4151830AF8FBD151680A04FC617CB0EADDA32D240E9AB9C03

Next Page »

Blog at WordPress.com.