Didier Stevens

Thursday 25 April 2019

Update: python-per-line.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

In this new version of python-per-line, I introduce libraries.

Custom Python code can be stored in a “library file”, i.e. a text file with name python-per-line.library. This file is loaded automatically upon execution when it is found in the current directory or in the same directory as the script (or both).

Currently, the distributed library file contains a small Python function to defang URLs: Defang.

It can be used like this:

If you just want to apply a function to each line, you don’t have to type a full expression like in the example above (Defang(line)).

You can also use option -n and just type the function name, like this:

python-per-line_V0_0_6.zip (https)
SHA256: E7496229BF64B2772AF5C49E4BC065281F06043192453E96A783808F6F3E61D1

Sunday 21 April 2019

Update: translate.py Version 2.5.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This is just a small update to the man page.

translate_v2_5_6.zip (https)
MD5: 9615167810202129C0CFC3D5125CC354
SHA256: F926E474B966790A1077B76C029F912100128C4F1CE848781C14DF4B628395D7

Monday 25 March 2019

Update: pecheck.py Version 0.7.6

Filed under: My Software,Update — Didier Stevens @ 0:00

During recent malware analysis, I had a need to quickly extract overlays from a bunch of PE files. This can be done with this new version: use option “-g o” to get the overlay:

Option -A (rle ASCII dump) is also new.

And option -y (yara) supports regex (#r#) and hexadecimal (#x#) ad-hoc rules.


pecheck-v0_7_6.zip (https)
MD5: C07704E37FB1C18B769BB5336CD2478A
SHA256: 312E730F6DE784808B6E5BE355752803F281F7DC838E4B9C6B3FE924622F47F8

Wednesday 13 March 2019

Update: oledump.py Version 0.0.42

Filed under: My Software,Update — Didier Stevens @ 0:00

This version comes with a major update of the BIFF plugin (for Excel files). New features for plugin_biff.py will be discussed in detail in next blog post.

And there are 2 minor changes to oledump itself.

A warning is displayed when an Office file format without macro-support is selected, like .docx files:

In prior versions, no output was produced at all when files like .docx files were processed.

And there’s a bug fix when selecting non-existing streams:

oledump_V0_0_42.zip (https)
MD5: C5CCF18F9F10CB6916CC74C002C78EDE
SHA256: 14A1FDA4AB57B09729AEB2697818782FAE498369A760FEC8AEE5CFB0A0E9D126

Monday 11 March 2019

Update: re-search.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

In this update, you can also save your library with custom regular expressions in the working directory (in prior versions, it would only take it from the application directory).

Here is an example with a regular expression for MAC addresses:

And there’s a small fix for URL regex: a – character was not considered to be part of the query of a URL.

re-search_V0_0_13.zip (https)
MD5: 241464482856756FF1C0C2386AF84CD5
SHA256: 9409EC639C4C6E988ADFC2401CA89200712BE171894D214B56E4ACC84C32E489

Wednesday 6 March 2019

Update: pdf-parser.py Version 0.7.1

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version for statistics (-a).

pdf-parser_V0_7_1.zip (https)
MD5: 1480D3BF602686C9E7C2FE82AC6C963B
SHA256: D2C8E0599A84127C36656AA2600F9668A3CB12EF306D28752D6D8AC436A89D1A

Thursday 28 February 2019

Update: pdf-parser.py Version 0.7.0

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This new version of pdf-parser brings support for analysis of stream objects (/ObjStm). Use new option -O to enable this mode.

Stream objects (/ObjStm) are objects that contain other objects: they have a stream, containing other objects. These contained objects can not have a stream.

pdfid.py detects the presence of stream objects:

But pdfid can not look inside a stream, to figure out what objects are inside. That’s why I always say to use pdf-parser to select and decompress stream objects, and then pipe this through pdfid:

When pdf-parser parses a stream object, it does not parse the content of its stream:

This changes with this new version of pdf-parser. When option -O is used, pdf-parser extracts objects from /ObjStm streams and handles them like normal objects. In the following example, object 2 is contained in object 1:

pdf-parser provides statistics for a PDF’s content with option -a:

Combining option -a with option -O includes objects present inside stream objects (this is an alternative for combining both tools: pdf-parser -s objstm -f a.pdf | pdfid -f):

This output shows that /JavaScript can be found in object 7. We need to use option -O to find object 7 “hiding” in object 1:

If we forget to use option -O, object 7 is not found:

Here is a video showing this new feature:

pdf-parser_V0_7_0.zip (https)
SHA256: 219FF0BB729C4478679A79163CA9942296ACF49E4EC06D128CBC53FBEE25FF05

Wednesday 27 February 2019

Update: translate.py Version 2.5.5

Filed under: My Software,Update — Didier Stevens @ 0:00

I added function ZlibRawD to translate.py to decompress Zlib compression without header (ZlibD already exists, and is for Zlib compression with header).

This compression is sometimes used in malicious PowerShell scripts:

translate_v2_5_5.zip (https)
MD5: 0BBB0E7E569BCB08D5A9278C974A3EE6
SHA256: 78E0BAC87DF47D06BB9C351FBF3CA623EE10B3993E071E7C9A0C9C4DB0FFF1D4

Monday 18 February 2019

Update: oledump.py Version 0.0.41

Filed under: My Software,Update — Didier Stevens @ 0:00

This is just an update to the cut option (-C), to support UNICODE searches, as shown in blog post “Update: cut-bytes.py Version 0.0.9“.

I show how to use this option in a malicious document analysis video below. If you want to jump straight to the point where I use option -C with a UNICODE string, go to 9:16.

oledump_V0_0_41.zip (https)
MD5: 4FD7E627F5078245705526EBE09D7989
SHA256: 0793CA920DA8B4BD09A040FEE12463BE7D8AF8AE6DFB0968CADCE478BC153CD8

Sunday 17 February 2019

Update: cut-bytes.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version supports searching for UNICODE strings: u’…’.

Example: [u’Programmé’]:0x100l

This will look for UNICODE string “Programmé” and select 256 bytes starting from the first instance of this string.

cut-bytes_V0_0_9.zip (https)
MD5: 3D11868F238AF4369372CA083303716D
SHA256: AB3EA61B0F519AB99E659F73C263A0F4C2C9DB851314C49C5DA5A5F434E0CA4E

Next Page »

Blog at WordPress.com.