Didier Stevens

This new version of re-search.py adds a regex for UNCs to the library and has a Python 3 fix.

re-search_V0_0_21.zip (http)
MD5: 294DD5D4027F0AFD0A2DE6432FE4552D
SHA256: B818CE4F7E217B381128550A3A36B40B6D07CC687CE4CF5AFF3C70EC0D3EEAD2

This update brings an update to plugin plugin_vba_dco.py.

This is a plugin that scans VBA source code for keywords (Declare, CreateObject, GetObject, CallByName and Shell), extracts all lines with these keywords, followed by all lines with identifiers associated with these keywords.

For example, if the result of a CreateObject call is stored in variable oXML, then all lines with this oXML identifier are selected.

I updated this plugin with two options -g (–generalize) and -a (–all).

Option -g generalize will replace all identifiers (like variable & functions names) with a general name: Identifier#### where #### is a numeric counter.

I added this option to analyze a sample where almost all identifiers where completely unreadable, as they consisted solely out of characters that are between byte values 128 and 255 (e.g., non-ASCII).

Here is the output for that sample, without using any plugin option:

You can see the CreateObject functions, but appart from the WshShell identifier, the other identifiers don’t have letters and are hard to trace in the code.

This changes when you use option -g:

All identifiers have been generalized to names like Identifier0001, Identifier0002, …

To view all generalized code (and not only the lines with keywords), use option -a:

Remark that this plugin is not a VBA parser: it uses some simple scans and regexes to find identifiers. For example, it handles line comments like any other lines.

oledump_V0_0_69.zip (http)
MD5: 9FDE05EB0B475C5BB76A92A926DBE8CD
SHA256: 16761C633DEC83CB691AE7223BB5AE82E5EC668F5D161499800638BC45420285

This new version adds JSON input support, allowing,for example, to detect encoded payloads inside the registry:

More info in an upcoming blog post.

base64dump_V0_0_23.zip (http)
MD5: 00D1E2344A6D09D3A2F18FC257F77090
SHA256: E4CA046198E801DFF309D6A8B346D5084FB4B4DFBFD339C5BCB3EF570CD08A79

This new version of format-bytes.py adds a feature to search for a range of integers:

#iv5#6080 means: look for an integer (i) equal to 6080 with a variation of 5 (v5), e.g., look for integers between 6075 and 6085.

format-bytes_V0_0_14.zip (http)
MD5: 600969FAC1F397036673574EA0BE0EE1
SHA256: D0EB0709985A4A5FEC1DA4B420CA440FF5268229CFFA1B3CC1EE5FAE92101957

This new version contains a Python 3 fix.

cut-bytes_V0_0_15.zip (http)
MD5: 1906873950C1DC55665072C7F3529D7F
SHA256: 2B9847E49C08021C61B8FA09C9DD400FC41E817F65E1C2BAC64ABBD87D49E238

This new version of base64dump.py adds some extra info for the encoded strings.

In -e all mode, a new column Chars tells you how many unique characters are used for that encoded string:

For example, the last line is recognized as a syntactically valid variant of BASE85 (b85), but it uses only 63 unique characters (85 unique characters is the maximum). So this is probably not b85, or else the encoded data has low entropy.

And there is also new info when you select a string for info:

base64dump_V0_0_22.zip (http)
MD5: B38E4F454FAE219D771742B44D60A428
SHA256: 32695EEDDADAE9B1AFA1CAA70A69E2A0434E2264CEF836DE172BC5254C8E6281

This new version adds option -l to provide a short list via an option, in stead of using a file. And there’s a Python 3 bug fix.

python-per-line_V0_0_8.zip (http)
MD5: C7A61FE8FF701BC3A49CF7C093FB290D
SHA256: 63AEBD847D26A9B25F401D8734FBED646E7BB3F9DF2238EF49ACEAB2E1EF5AFA

This new version of oledump.py brings extra info variables %CTIME% %MTIME% %CTIMEHEX% and %MTIMEHEX% to view the creation time & modification time of storages (UTC).

And there’s a new plugin (plugin_olestreams) to parse the OLE data found in streams like \001Ole, \003LinkInfo and \003ObjInfo:

oledump_V0_0_68.zip (http)
MD5: 82222BC363C660CE427125261B111FE9
SHA256: 83665E0CF40D43FE96DD6115D7FC0619A284CB141D7C1654B2CB4F64997174AC

Some small updates to my Python templates.

python-templates_V0_0_7.zip (http)
MD5: 46EE756206A0A941F7B29C3551FF48FF
SHA256: 5158046371E8E925AB7A158827496BA971F24F5FE0A232AC0FDF0B10427DB98B

Here is a small update of my tool to analyze Cobalt Strike beacons.

1768_v0_0_14.zip (http)
MD5: 6E8494125F4DDB044556182C8A196DD1
SHA256: D8CFCC735666D90BB160E30C7AD7100B0520FAC2929277E7B1DAD1CFFD0B3EC8