This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…
Saturday 25 February 2017
Wednesday 22 February 2017
After searching with base64dump for encoded strings in this maldoc sample, I decided to add an option to base64dump to check all encodings automatically.
Use option -e with value all to try out all encodings, and report all found strings ordered by increasing length. And with option -u, you can limit the output to unique decoded strings.
zipdump.py -s 5 -d output.docx.vir.zip | base64dump.py -e all -u
Tuesday 31 January 2017
A small feature in this new version: start the -E option value with # to count and group.
C:\Demo>zipdump.py -E "#%HEADASCII%;%HEADHEX%" Book1.xlsm
1: <xml xmlns:v="ur;3c786d6c20786d6c6e733a763d227572
12: <?xml version="1;3c3f786d6c2076657273696f6e3d2231
Sunday 29 January 2017
I released this new version of FileScanner at the end of 2015, but forgot to announce it here on my blog.
This new version also scans Alternate Data Streams.
Saturday 28 January 2017
This new version of byte-stats.py adds statistics for hexadecimal and base64 characters:
$byte-stats.py all.bin
Byte ASCII Count Pct
0x00 1 0.39%
0x01 1 0.39%
0x02 1 0.39%
0x03 1 0.39%
0x04 1 0.39%
...
0xfb 1 0.39%
0xfc 1 0.39%
0xfd 1 0.39%
0xfe 1 0.39%
0xff 1 0.39%
Size: 256 File(s)
Entropy: 8.000000
Unique bytes: 256 100.00%
NULL bytes: 1 0.39%
Control bytes: 27 10.55%
Whitespace bytes: 6 2.34%
Printable bytes: 94 36.72%
High bytes: 128 50.00%
Hexadecimal bytes: 22 8.59%
BASE64 bytes: 65 25.39%
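As an added illustration (not byte-stats.py itself), the following Python reproduces the categories in the output above over a constructed all.bin holding every byte value once; the character classes for hexadecimal (0-9, a-f, A-F) and base64 (A-Z, a-z, 0-9, +, /, =) are assumptions of this example, and hex/base64 are counted as overlays on top of the exclusive NULL/control/whitespace/printable/high split.

```python
import math
import string
from collections import Counter

# Character classes assumed for this example (byte-stats.py may define them differently).
HEX_BYTES = frozenset(b"0123456789abcdefABCDEF")                            # 22 values
BASE64_BYTES = frozenset(string.ascii_letters.encode() + b"0123456789+/=")  # 65 values
WHITESPACE_BYTES = frozenset(b" \t\n\x0b\x0c\r")                             # 6 values
CATEGORIES = ("null", "control", "whitespace", "printable", "high", "hex", "base64")

def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 means all 256 byte values are equally frequent."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def byte_stats(data):
    """Put each byte in exactly one of NULL/control/whitespace/printable/high,
    and additionally count hexadecimal and base64 characters (overlays)."""
    stats = dict.fromkeys(CATEGORIES, 0)
    for b in data:
        if b == 0x00:
            stats["null"] += 1
        elif b in WHITESPACE_BYTES:          # space, \t, \n, \v, \f, \r
            stats["whitespace"] += 1
        elif b < 0x20 or b == 0x7F:          # remaining C0 controls plus DEL
            stats["control"] += 1
        elif b < 0x80:                       # 0x21..0x7e
            stats["printable"] += 1
        else:                                # 0x80..0xff
            stats["high"] += 1
        if b in HEX_BYTES:                   # a printable byte can also be hex ...
            stats["hex"] += 1
        if b in BASE64_BYTES:                # ... and/or base64
            stats["base64"] += 1
    stats["size"] = len(data)
    stats["unique"] = len(set(data))
    return stats

def report(data):
    """Render the summary block in the same layout as the byte-stats output above."""
    s = byte_stats(data)
    pct = lambda c: f"{c} {100.0 * c / s['size']:.2f}%"
    rows = [("Size", str(s["size"])), ("Entropy", f"{shannon_entropy(data):.6f}"),
            ("Unique bytes", pct(s["unique"])), ("NULL bytes", pct(s["null"])),
            ("Control bytes", pct(s["control"])), ("Whitespace bytes", pct(s["whitespace"])),
            ("Printable bytes", pct(s["printable"])), ("High bytes", pct(s["high"])),
            ("Hexadecimal bytes", pct(s["hex"])), ("BASE64 bytes", pct(s["base64"]))]
    return "\n".join(f"{name}: {value}" for name, value in rows)

if __name__ == "__main__":
    print(report(bytes(range(256))))  # constructed all.bin: every byte value exactly once
```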
Wednesday 28 December 2016
I added option -k to search for keys in dictionaries. A usage example can be found in blog post “PDF Analysis: Back To Basics”.
Wednesday 14 December 2016
It contains a cab file with 2 executables, which are executed after extraction (no surprise):
Monday 12 December 2016
Just a small change in this version: an indicator (O) for streams containing OLE 1.0 embedded data:
And plugin_http_heuristics also detects XOR-encoding starting with the second character of the key.
Friday 9 December 2016
This new version displays information about the signature (provided pyasn1 is installed), and adds option -g to extract data (pefile.get_data) from the PE file, such as resources.
Options -x, -a, -D and -S can be used to dump data (hex, ascii, binary and strings).
Sunday 27 November 2016
This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.