Didier Stevens

Wednesday 28 December 2016

Update: pdf-parser Version 0.6.7

Filed under: My Software,PDF,Update — Didier Stevens @ 12:03

I added option -k to search for keys in dictionaries. A usage example can be found in blog post “PDF Analysis: Back To Basics“.

pdf-parser_V0_6_7.zip (https)
MD5: D04D7DA42F3263139BC2C7E7B2621C91
SHA256: ED863DE952A5096FF4BE0825110D2726BA1BE75A7A6717AF0E6A153B843E3B78

Wednesday 14 December 2016

Update: pecheck.py Version 0.6.0 – Overview Of Resources

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This new version can produce a compact overview of all the resources in a PE file using option o: -o r.  Here is the overview of resources in an exe (malware) created with iexpress:

20161213-215750

It contains a cab file with 2 executables, which are executed after extraction (no surprise):

20161213-220001

pecheck-v0_6_0.zip (https)
MD5: D3A9C71AAF63D83884B4FEF2C2C21D03
SHA256: 08DB82F190AEEB065A65FEE0DD03D20B0CC788878C4864B537BBD1807E4D6B71

Monday 12 December 2016

Update: oledump.py Version 0.0.26

Filed under: My Software,Update — Didier Stevens @ 0:00

Just a small change in this version: an indicator (O) for streams containing OLE 1.0 embedded data:

20161211-203401

And plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.

oledump_V0_0_26.zip (https)
MD5: 62030DEC6DBC2F69A37893FF1624F8EE
SHA256: A0DE8FD414A0B78FE8D72CAA58D8FA15159A7ABEA9842181C4C3C4EC1DE2EEC5

Friday 9 December 2016

Update: pecheck.py Version 0.5.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the pefile like resources.

Options -x, -a, -D and -S can be used to dump data (hex, ascii, binary and strings).

pecheck-v0_5_2.zip (https)
MD5: A4FF0507C206535FA9224F65CCD3497D
SHA256: DE4D06F00FD9EC74FD52689B711FBF10F953F14DAFACBDE214E0A4947E60D8A6

Sunday 27 November 2016

Update: xor-kpa.py Version 0.0.4

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.

xor-kpa_V0_0_4.zip (https)
MD5: FCE75B6125104D8AFC56A67B65FF75C0
SHA256: 3DCCA479D4C8CAC9B248B24F799184A69D0F10403593CB002248DD35CCE60FD4

Sunday 20 November 2016

Update: zipdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.

zipdump_v0_0_4.zip (https)
MD5: 64EE6575309654B6671554D0A4DA50E5
SHA256: C323C0580E95F87406A72A542A7FBF5DE39EBEF7CAFC970A7C428CA1E870F9CF

Saturday 19 November 2016

Update: byte_stats.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.

byte-stats_V0_0_4.zip (https)
MD5: B53CE5444618DCA78C46C7F72E356D8D
SHA256: 81EFED375FF666BFFDDB82D094ECE17074182F5016FE3BFA4D1CA33DE838754C

Friday 18 November 2016

Update: shellcode2vba.py Version 0.5

Filed under: My Software,Shellcode,Update — Didier Stevens @ 0:00

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:

Option –suffix allows you to instruct the program to add a suffix to the VBA function names.

shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A

Sunday 23 October 2016

Update: virustotal-search.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of virustotal-search.py accepts input from stdin.

virustotal-search_V0_1_4.zip (https)
MD5: 867D6272792965D11317BFB6308E20A9
SHA256: 8C033B3C46767590C54C191AEEDC0162B3B8CCDE0D7B75841A6552CA9DE76044

Saturday 22 October 2016

Update: cut-bytes.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 9:49

I added dumps to this new version of cut-bytes.py:

20161022-114024

cut-bytes_V0_0_4.zip (https)
MD5: A44D8BBE9BAB9309E732F8995CB5C7BB
SHA256: F95453DE1CC5855C320AB947D9AE354BE8E3ABFA52418C0CF623351A9DBF6344

Next Page »

Blog at WordPress.com.