Didier Stevens

Sunday 21 May 2017

Update: zipdump.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 14:48

Added handling of zlib errors when performing a dictionary attack.

zipdump_v0_0_8.zip (https)
MD5: 51B971B57800D126B2067DC53303355A
SHA256: 095EE6000E99B9193C830B8BA11139907CB9445FD7D94D81E3F97A8B458D5D16

Saturday 20 May 2017

Update: zipdump.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 8:05

After adding support for password lists in zipdump, I decided to add an internal password list to zipdump, based on John’s public domain password list.

This internal password list (a few thousand passwords) can be used by providing filename . (a single dot) to options -P and –passwordfilestop.

zipdump_v0_0_7.zip (https)
MD5: 7B3D165B68B4E66D7EFCF54B25E08115
SHA256: DC794679CFDEA57AC532E11BC338F6823EECC26A36CB844B29EF15F93B6BA1C1

Thursday 18 May 2017

Update: re_search.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of re-search.py has a build-in regular expression for bitcoin addresses, together with a Python function to validate the address.

re-search_V0_0_7.zip (https)
MD5: 38EBBC6B45476AA2FB03DC9604D2F7EE
SHA256: 7BE3B986126C3E40A886A66A08EA360EEE01A29F064F2D3235A1311C4FB4E45E

Saturday 13 May 2017

Update: re_search.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:41

When I used my re-search.py tool to extract Bitcoin addresses from the latest WCry samples, I found a small bug. This version is a bugfix (bug introduced in version 0.0.4).

re-search_V0_0_5.zip (https)
MD5: A03CBBA9F2C5900A368BC064D3CC3D00
SHA256: 940B12CA8E3ADCC0266BC788B5A7AE2C830115BDB9FC04C3A7A178FDD7D44F02

Thursday 11 May 2017

Crack A ZIP Password, And Fly To Dubai …

Filed under: My Software,Update — Didier Stevens @ 0:00

We had to crack a password protected ZIP file, to discover that just few hours later, we would fly to Dubai for our NVISO team building event.

This inspired me to update my zipdump.py tool. This tool can handle password protected ZIP files. Using default password “infected”, or a password that can be provided with option -p.

In this new version, you can provide a list of password in a text file using option -P. Turns out that this simple dictionary attack just using Python is surprisingly quick (at least to me): 8000 passwords per second on an average machine.

 

 

zipdump_v0_0_6.zip (https)
MD5: B605DEABFC5458488B6487B1E9104085
SHA256: DDC2CE94D250CBDE62AD1EBE650654E4A50C51F97CADF412B16A553242819772

Monday 10 April 2017

Update: re-search.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This version has one new option: -G or –grepall.

re-search_V0_0_4.zip (https)
MD5: 965C484CC5BF447B390BA4E176698972
SHA256: D2F3A52F7590CD38E796B6F6209FC87A1BD6451F1787010557FA39E25AFDBC2F

Tuesday 7 March 2017

Update: oledump.py Version 0.0.27

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds some extra features for YARA rule scanning.

oledump.py declares 2 external variables that can be used in your YARA rules.

External variable streamname is a string with the stream name, as printed in oledump’s report.

External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump would scan the raw stream content with YARA, but this new version also decompresses all streams with VBA macros, and concatenates them together to scan them after all streams have been scanned.

Example of a rule using external variable VBA:

rule VBA_Autorun
{
    strings:
        $a = "AutoExec" nocase fullword
        $b = "AutoOpen" nocase fullword
        $c = "DocumentOpen" nocase fullword
        $d = "AutoExit" nocase fullword
        $e = "AutoClose" nocase fullword
        $f = "Document_Close" nocase fullword
        $g = "DocumentBeforeClose" nocase fullword
        $h = "Document_Open" nocase fullword
        $i = "Document_BeforeClose" nocase fullword
        $j = "Auto_Open" nocase fullword
        $k = "Workbook_Open" nocase fullword
        $l = "Workbook_Activate" nocase fullword
        $m = "Auto_Close" nocase fullword
        $n = "Workbook_Close" nocase fullword
    condition:
        VBA and any of ($*)
}

The condition of this rule is true when external variable VBA is true and when at least one of the strings are found:

20170306-184258

This rule is included in a new set of YARA rules I included with oledump.py: vba.yara.

I made a video to illustrate this:

And there is also a new plugin: plugin_str_sub. It tries to de-obfuscate strings with padded characters:

oledump_V0_0_27.zip (https)
MD5: A6C6728E20AE46A4FECC5F3976AF33BF
SHA256: 54FE550D5102A0E9428F6BD9B5170B50797EDA2076601634519CDBB574004A3C

Monday 6 March 2017

Update: cut-bytes.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

I just updated the manual of this version, to explain here documents.

cut-bytes_V0_0_5.zip (https)
MD5: B20B9758D50C846CD0E0AEB9E0B15101
SHA256: B12D1E1C510ED4CC820C5D2F62897DF71E567B0D3B23AC36653236D30104157F

Sunday 5 March 2017

Update: re-search.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

A very small update to re-search.py: I added a regular expression for strings to the library:

20170303-224430

re-search_V0_0_3.zip (https)
MD5: 6C4F59C4BA5DAC1D16D3E09D1E333FD0
SHA256: BFB019F1350F7D63FB3704322F62894A4B17D8EE03CC186156F2A97045E47F58

Sunday 26 February 2017

Update: translate.py Version 2.4.0

Filed under: My Software,Update — Didier Stevens @ 9:19

I added a feature similar to “here files” to translate.py. It’s something I already did in xor-kpa.py.

In stead of using an input filename, the content can also be passed in the argument. To achieve this, precede the text with character #.
If the text to pass via the argument contains control characters or non-printable characters, hexadecimal (#h#) or base64 (#b#) can be used.

Example:
translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC “byte ^0xDD”
Output:
This is a secret!

translate_v2_4_0.zip (https)
MD5: B33830C68D8A8A7534AF178243658E70
SHA256: A01AB10FCE42664869C4E31DB1AB2E1E0237172D0AE9685549A09BF866D7F885

Next Page »

Blog at WordPress.com.