Didier Stevens

Sunday 22 April 2018

Update: python-per-line.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 10:46

This new version brings new output features. For example, you can use the output option (-o) to output simultaneously to the console and a file:

Explanation:

-o result.txt will write the output to file result.txt, and nothing to the console

-o #c#result.txt will write the output to file result.txt and to the console

For all the details, consult the man page: python-per-line.py -m

python-per-line_V0_0_4.zip (https)
MD5: FE8E875E2A7B8CD89FCAAB3B5830206C
SHA256: 7A6DACBAFC13DDE164F2AAB49DA766613F23BE78FF9BCAF5392EEA01F71620D0

Thursday 19 April 2018

Update: Patched SpiderMonkey

Filed under: My Software,Update — Didier Stevens @ 0:00

I was showing a colleague how to use my patched SpiderMonkey to analyze obfuscated JavaScript, when I realized I had not yet released my latest version.

SpiderMonkey is an opensource JavaScript interpreter. I modified it to help with malware analysis. For example, my version will dump the argument of the eval function, and I’ve implemented document.write and window.navigate (dumping arguments too).

This latest version was developed a couple of years ago (that’s why it’s still based on SpiderMonkey 1.7) to dump arguments to stdout. Previous versions of my patched SpiderMonkey dump arguments to files, in this latest version, you can choose were to dump the arguments. A method was added to object document: document.output(arg). This output method takes one argument: a string. The following values may be used as argument:

  • ‘a’ ASCII/HEX dump
  • ‘x’ HEX dump
  • ‘d’ raw dump
  • ‘A’ pure ASCII/HEX dump
  • ‘x’ pure HEX dump
  • ‘d’ pure raw dump
  • ‘f’ file dump

The ZIP file you can download contains source code and executables for Windows, Linux and OSX. There are 2 versions: js-ascii.exe and js-file.exe. Both are identical, except for their default output behavior. js-file.exe will output arguments by default to files (and thus behave like previous versions of SpiderMonkey) and js-ascii.exe will output arguments by default as ASCII/HEX dump to the console.

I prefer to use js-ascii.exe now, and I’ve renamed it to js.exe (like previous versions).

The ASCII/HEX dump allows me to see exactly, at the byte-level, what is passed as argument to eval.

js-1.7.0-mod-c.zip (https)
MD5: B14B522E81366D6AAF3B7EB235B62707
SHA256: 2CCB2F57DF706A8EE689C54B18A0EA7BB052EF08BA233F1319119825DB32927B

Tuesday 17 April 2018

Update: hash.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of hash.py brings a small change to the output for option -c and adds option -s to skip specified hashes.

hash_V0_0_3.zip (https)
MD5: CB4BCB40CA50ED23AC7E47510B308811
SHA256: 6C3C44C5B98C7C7415E332D15B6EA887CD54170DADDDC726B3544F1696F4E324

Monday 16 April 2018

Update: XORSelection.1sc Version 4.0

Filed under: 010 Editor,My Software,Update — Didier Stevens @ 0:00

XORSelection is a 010 Editor script I wrote some time ago, and it is included in the 010 Editor script repository. You provided it with an XOR key (ASCII or HEX), and then it will XOR-encode the file (or selection) open in 010 Editor.

I discovered it will not work properly if the hexadecimal key contains a NULL byte (0x00). This is fixed in this new version.

This new version also allows whitespace characters when an hexadecimal key is provided (hexadecimal keys start with 0x).

XORSelection_V4_0.zip (https)
MD5: 1B3DB8C8DA51224DDE7CA0E4BDAAC945
SHA256: 22E60E10BC99BD24A408C12CC674858DB6F318088CD34B7C70782833401AACF2

Monday 2 April 2018

Update: xmldump.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small bugfix version.

xmldump_V0_0_3.zip (https)
MD5: 70D67100DDD30F6178C3E06B7CE97329
SHA256: C0A3199EA69494962CAC6EC3BA3AD47130BE5BB3D9D7D330579856AC9C314BF0

Tuesday 20 February 2018

Update: pecheck.py Version 0.7.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version.

pecheck-v0_7_2.zip (https)
MD5: 2A501CD2D15E1108B909B7FCEDFBDA13
SHA256: 9CACA5A41A84049FE6B0D5807A31B7FC5B1A5AC71B3FD3BE4EAC71A96BBDFB3E

Monday 19 February 2018

Update: oledump.py Version 0.0.33

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump can output the content of all streams in JSON format, and has a new plugin for MSI files: plugin_msi.py.

oledump_V0_0_33.zip (https)
MD5: E5F879766B5C1C899E75E2F2A8ED9533
SHA256: 2B7C9565880F14E8A431F7819926EE801DE129458E682FAAF99FEF41AFA49934

Sunday 18 February 2018

Update: translate.py Version 2.5.3

Filed under: My Software,Update — Didier Stevens @ 0:00

I had to be sure that every 4th byte in a file was identical:

After some thinking, I thought I could use my translate program to select every 4th byte (position % 4 == 3) and then calculate byte statistics. But actually, translate.py can use a (complex) Python expression/program to translate each byte of a file, but it can not be used to select particular bytes. So I made a small change: if the Python expression used with translate.py returns value None (in stead of a numeric value), then the result is not send to output. This way, input bytes can be dropped/deleted.

translate_v2_5_3.zip (https)
MD5: F3C01FCA74A84F1712BAF187E9FE479F
SHA256: 4CA311456EDE5A43097D4E567F225CFF2A68D47B96A261FC935F2A0F1CD4EB0F

Monday 12 February 2018

Update: pdfid.py Version 0.2.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version for  bugs reported by different users, more details in history.

pdfid_v0_2_4.zip (https)
MD5: 36D5554BC881E7E21382ADA1305ED6F4
SHA256: C1DA287C9C06E3158F79CECF9C2E9A7773FC57FC92021F17B79DDD4B1E5DBB2A

Sunday 11 February 2018

Update: jpegdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of jpegdump adds option -e: extract jpeg images to disk.

jpegdump_V0_0_4.zip (https)
MD5: 496B6F2B0C0EEF919F7C6E20B9C1ADF6
SHA256: 5D150AE050610B6DB11FBE8B44E385A80800971AF1810F67531BB17A1373C770

Next Page »

Blog at WordPress.com.