Didier Stevens

Saturday 21 August 2021

Update: AnalyzePESig Version

Filed under: My Software,Update — Didier Stevens @ 11:52

This new version of AnalyzePESig, my tool to analyze the digital signature of PE files, brings some major updates:

  • Support for UNICODE filenames
  • Reintroduction of the capability to verify the signature of non-PE files, like .MSI files

And several bug fixes.

AnalyzePESig_V0_0_0_8.zip (https)
MD5: C14A2C8AA91D34F534B4F76E7014E3A9
SHA256: BCCF90BF6E4C26C33BF16DA20CF220DAE8D748B942224659DC720B35BB8EFE86

Friday 20 August 2021

Update: pdf-parser.py Version 0.7.5

Filed under: My Software,PDF,Uncategorized,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdf-parser_V0_7_5.zip (https)
MD5: D39E98981E6FEA48BF61CA2F78ED0B09
SHA256: 5D970AFAC501A71D4FDDEECBD63060062226BF1D587A6A74702DDA79B5C2D3FB

Update: pdfid.py Version 0.2.8

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version

pdfid_v0_2_8.zip (https)
MD5: 9DDE1D9010D860303B03F3317DAF07B4
SHA256: 0D0AA12592FA29BC5E7A9C3CFA0AAEBB711CEF373A0AE0AD523723C64C9D02B4

Tuesday 17 August 2021

Update: oledump.py Version 0.0.62

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version brings a bug fix and an update to plugin_biff’s XOR deobfuscation.

oledump_V0_0_62.zip (https)
MD5: F16DB945970B49A60155443ED82CDE29
SHA256: 4AE5DF2CC8E8F5A395027A8056B1A33B8F05C0AB6FC18D56D46DC151BB4302FB

Saturday 17 July 2021

Update: base64dump.py Version 0.0.16

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of base64dump.py brings bug fixes and support for BASE85 RFC 1924 encoding.

If you want to know how I go about adding a new decoding to base64dump.py, watch this video:

Here is version, with bug fixes but without base85:

base64dump_V0_0_15.zip (https)
MD5: 95C78B0DC830C6240F2A56A3BA0C483F
SHA256: F011136B2CF4F54647AB4B699CE7F3575925B2BD09EED409E4BBE34FEB8C570A

And here is version with base85:

base64dump_V0_0_16.zip (https)
MD5: 91E283BDF292C463E349DC535EF50535
SHA256: E85345971D209559ED6602F16C6DBBF526816848B2F15B44C06A7DE7B28F2F8C

Tuesday 13 July 2021

Update: FileScanner Version

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of FileScanner brings bug fixes and new features, like UNICODE filename support and an embedded man page.

FileScanner_V0_0_0_7.zip (https)
MD5: D3294BE258F5E2CD9ADF60035D5FB444
SHA256: 8D9349A2056CF400DF55D0407287144A038B6268E40919F248866B4C8BC3FD0A

Sunday 4 July 2021

Update: xmldump.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to xmldump.py, a tool to help with viewing XML files, adds option -j (–jsoninput) to handle JSON output produced by zipdump.py.

With this option, shared strings from OOXML spreadsheets will be used with command celltext.

I will explain more in an upcoming blog post.

xmldump_V0_0_7.zip (https)
MD5: 20FBBC1A053B2528AC4200B917637876
SHA256: 0D7850CEEDEB7EFD9E8645CF8DD59F1912E9EB3C135346F98AF3E3A7BAAE2B68

Monday 21 June 2021

Update: oledump.py Version 0.0.61

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py comes with Excel 4 formula parsing improvements in the plugin_biff plugin.

oledump_V0_0_61.zip (https)
MD5: 6DC34FFAF4ED0066696ED230878AEED9
SHA256: 41A68ABA19BBA74DAE653BE62D4A63A5AE409FB6DC1DAEEB2D419AA1B493728A

Tuesday 15 June 2021

Update: 1768.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

There are no code changes to this version of 1768.py, my tool to analyze Cobalt Strike beacons.

What is new, is file 1768.json: this file contains statistical data for license IDs.

Over a period of one month, I collected license ID information from these sources: threatviewio and @cobaltstrikebot.

For each license ID that is found on more than one IP address / hostname, I include simple statistics: the number of unique IP addresses / hostnames and the number of unique public keys.

When analyzing malicious Cobalt Strike beacons, I often see recurring license IDs. That’s why I decided to add logic and a JSON file to my tool, with license IDs I’ve seen before. And now this has evolved to a small repository of often seen license IDs.

Here is an example with a sample we discussed on the Internet Storm Center diary:

The license ID is 1873433027 and this ID is associated with 18 unique IP addresses / hostnames, and 15 unique public keys. This is a clear indication that this license ID is used by malicious actors. License IDs that have been seen only once, could belong to red teams, that is why they are not included in file 1768.json. The more often a license ID is seen, the higher the chance it is used by malicious actors. Of course, it is not excluded that there are legitimate license IDs from red teams in this list, but I expect they will have low frequencies.

Takeaway: if your sample has a license ID that appears in 1768.json, then it has been seen before (at least twice), and you’re likely not dealing with a pentest.

1768_v0_0_7.zip (https)
MD5: D93AC5707FD0B5315A1225121071C7F2
SHA256: B417790451681643B2269AC516A99F3CEE9F7F374AB529FD53D5702A70F79409

Friday 11 June 2021

Update: Python Templates Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:14

Here is an update to my Python templates.

I use these templates as a starting point for new tools or for quick development of ad-hoc tools.

I also recorded a video showing how to use my template to create your own tool: ssdeep Python Example Based On My Templates.

python-templates_V0_0_5.zip (https)
MD5: 137878F4D7F799436F76C0119E6BB621
SHA256: 5A68B115B5616BC35CFB4DDEA64C029BF10DDCD6BFF5E4B9D3D4DBBC0FBD6651
Next Page »

Blog at WordPress.com.