I updated the analysis logic in this new version of my tool 1768.py to analyze Cobalt Strike beacons.
There’s a new option -c (–csv) to output the config values in CSV format.
And now with option -r (–raw), identical configs are de-duplicated.
1768_v0_0_5.zip (https)
MD5: 83D7A867B93FAC13BA24F17DDA994A9A
SHA256: CBCB84B9C4D8C1ED05983C2A211E3EA6029E69782FDDD6E15181EE4F47383EB5
This new version of pecheck.py, my tool to analyze PE files, outputs the hash of the embedded Authenticode signature.
pecheck-v0_7_13.zip (https)
MD5: 5B5179FFBE7530AA60C7182B830B54AB
SHA256: 4CFAF98CC8F3B06E3BBD7D6F37040B47641C38E49BD2975165FB328D50D3F08C
I use my tool nsrl.py to match a list of hashes with the Reference Data Set of the National Software Reference Library.
This is a Python 3 update and small change to support a change in RDS ZIP file structure.
nsrl_V0_0_3.zip (https)
MD5: A86E3EB076B467C64A520256556EDADA
SHA256: 8760B20A918CD135B7D79F7567C240AEF4840325BE9656D684BFD119A017E86F
This new version of oledump.py brings an update to plugin plugin_biff to help with the recovery of protection passwords.
oledump_V0_0_60.zip (https)
MD5: BC7631059077294223BB225D16FB7186
SHA256: D847E499CB84B034E08BCDDC61ADDADA39B90A5FA2E1ABA0756A05039C0D8BA2
This new version of re-search.py, my tool to search files with a builtin library of regular expressions, brings an update to the url and url-domain regexes to match hostnames with underscores (_) and a Python 3 fix.
re-search_V0_0_16.zip (https)
MD5: 21A7096116F50CCA051A152066B2DB50
SHA256: 4A3AC1B1BED68660316011F14EFC84B344BE3FF7E335CDFA8F1AAA2C0D2D06B0
This new version of oledump.py has a small change in the XML detection logic, and adds options –hexrecord and –xordeobfuscate to plugin plugin_biff.py.
oledump_V0_0_59.zip (https)
MD5: 89CC85EDADA0BB6978A75BA37065A65D
SHA256: BE62B45AE20D3BF5B3C335742F08067297079F6B8431A5CC82401BF67BFA50F6
This new version brings an update to the Pascal feature of strings.py, my tool to extract strings from arbitrary files.
I had to analyze compiled Lua code (compiled with Lua 5.2): Lua 5.2 byte code stores strings like C strings and Pascal strings.
The strings are terminated by a NULL byte, like C strings, and they are prefixed with a length counter, like Pascal strings. Since the length includes the NULL byte, my strings.py tool didn’t match compiled Lua 5.2 strings:
I need to subtract 1 from the counter, so that it matches the length of the string without NULL byte. This can now be done as follows:
strings_V0_0_7.zip (https)
MD5: 2533BF3E7CBD5526718CDE5E150039D2
SHA256: FFBE686A2E41B22858023898580419806A789349D408C24EF25E8BEBCD33A418
This is a new version of my tool to search with regular expression, adds a -F (–filter) option to filter search results.
re-search_V0_0_15.zip (https)
MD5: E68D42F9F943335961C12BED7AD459A7
SHA256: 47F837C198CC3033B9C07086EA4FD0484BC40CE850723B4F6A849FB237D9A7E0
This is a new version of my tool to search with regular expression, that adds a new regular expression to the embedded dictionary: detection of domain names that end with a valid TLD:
re-search_V0_0_14.zip (https)
MD5: 53CDB34174E6EFE211872D6BC64533CC
SHA256: 3F55E6EA7272BFC780E159BA886932F96DC055CF533B0B3C3A5CCBAF0229682E
Here is a bug fix version for my Python template (binary files).
I use these templates as a starting point for new tools or for quick development of ad-hoc tools.
python-templates_V0_0_4.zip (https)
MD5: 0ED3B69594A5BCD5069391177A6C1F79
SHA256: 15DBE4FD16F19FEBF4CB9381E4D59A1B7ECC11C43B48AE96FADD75FC53BB189F
