Didier Stevens

Friday 10 November 2017

Update: numbers-to-string.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 22:56

This version has a man page now.

I use this tool to decode obfuscated strings in malicious scripts:

Usage: numbers-to-string.py [options] [expression [[@]file ...]]
Program to convert numbers into a string

@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -e, --error           Generate error when error occurs in Python expression
  -i, --ignore          Ignore numbers greater than 255
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers (3 by default)
  -j, --join            Join output


numbers-to-string.py is a Python program that reads texts files (as
arguments on the commandline, @here files or stdin), extract numbers
from these files and converts these to strings.
The first argument of numbers-to-string.py is a Python expression.
This Python expression can use variable n that represents each
extracted number.

Here is an example, with a script file (test.js) containing a list of

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)

Running this script file through numbers-to-string.py with an empty
expression ("") converts the numbers to a string:

C:\Demo>numbers-to-string.py "" test.js

68 is the ASCII number of letter D, 105 is the ASCII number of letter
i, ...
numbers-to-string.py converts each number it extracts to a character,
and concatenates them into one string per line.

The same result can be obtained by using Python expression n, where n
represents the extracted numbers:

C:\Demo>numbers-to-string.py n test.js

The advantage of using a Python expression becomes obvious when the
numbers have been altered to obfuscate their meaning.

In the next example, 1 has been added to each number, making
straightforward conversion generate an unintelligible string:

a = (105, 117, 117, 113, 116, 59, 48, 48, 69, 106, 101, 106, 102, 115,
84, 117, 102, 119, 102, 111, 116, 47, 100, 112, 110)

C:\Demo>numbers-to-string.py n test.js

If we use the Python expression to substract 1 from each number (n -
1), then we can decode the string:

C:\Demo>numbers-to-string.py "n - 1" test.js

For more complex operations, a lambda expression can be used. The
argument of the lambda expression is the list of numbers.
Here is an example from a real malicious document:

C:\Demo>numbers-to-string.py "lambda l: [b - 40 + i*2 for i, b in
enumerate(l)]" test.js

numbers-to-string.py will work line per line, as illustrated with this

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)
b = (83, 116, 101, 118, 101, 110, 115)

C:\Demo>numbers-to-string.py n test.js

With option -j, the output strings can be concatenated:

C:\Demo>numbers-to-string.py -j n test.js

Output can be written to a file using option -o.

numbers-to-string.py needs at least 3 numbers per line to start
extracting. Lines with less than 3 numbers are ignored. 3 numbers is
the default minimum value, and can be changed using option -n.

Errors that occur when evaluating the Python expression will be
silently ignored. To have the tool raise these errors, use option -e.

If the resulting value of the expression is more than 255, an error
will be generated, unless option -i is used to ignore these errors.

numbers-to-string_v0_0_3.zip (https)
MD5: 6FD49062058E6A03A4A7BF3A3D26408A
SHA256: 9457AFA699B61DA52F07921D3F7AB486585036654D64AD126B933345E71BC07F

Monday 6 November 2017

Update: oledump.py Version 0.0.30

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blogpost.

oledump_V0_0_30.zip (https)
MD5: BBD53C65FC40891E2125B9808F507E4A
SHA256: 78CDC8C8BCD651A3578F567D24FD88300600E02520B2D75F45448E4FB480FEB0

Sunday 5 November 2017

Update: pecheck.py Version 0.7.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds support for option -g to select a section:


pecheck-v0_7_1.zip (https)
MD5: D5907442424C527A9937CFA65377C9BD
SHA256: BF2F162D108F17F350111645B8DFFE5D3641065CB6EE3CE318FCBEC83507917B

Saturday 4 November 2017

Update: cut-bytes.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of cut-bytes.py brings a small cosmetic change to the way a hex/ASCII dump is displayed:

An extra space is added between the 8th and 9th byte of the hexdump. This was suggested to me by an attendee of the last private training I gave.
cut-bytes_V0_0_6.zip (https)
MD5: 7F726219F6F601018B4BD39E9A407728
SHA256: BFD80EF00455CD938A05A18EAA33551ABEC6B0298A0AEE81052E6F5A12BB86F7

Friday 3 November 2017

Update: byte-stats.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 20:59

My tool byte-stats.py calculates statistics for the files it analyzes. With option -l (and -p) , it produces a list of values for different parts of the file (buckets), for example a list of entropy values. With this, one can have an idea how the entropy changes inside a file.

But as the saying goes, a picture is worth a thousand words, so I added option -g to produce a very simple graph of these values (just a line, no axis or scale). This does not require any extra Python module, I use Python’s TkInter module, the standard GUI for Python.

byte-stats_V0_0_7.zip (https)
MD5: 9991B5C5BEB3CB7989FE6DC30789EB49
SHA256: 82198195EA9C92832027CC8E2E3ABE161787551A06750E042096CF2DF0AC9384

Monday 30 October 2017

Update: pdfid.py Version 0.2.2

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

I regularly get ideas to improve my tools when I give (private) training, and last week was not different.

This new version of pdfid.py adds a /URI counter, to help identify PDF documents with embedded URLs, used for phishing or social-engineering users into clicking on links.

I did not hardcode this new counter into the source code of pdfid.py, but it is listed in a new config file: pdfid.ini. You too can add your own identifiers to this configuration file.

pdfid_v0_2_2.zip (https)
MD5: 20614B44D97D48813D867AA8F1C87D4E
SHA256: FBF668779A946C70E6C303417AFA91B1F8A672C0293F855EF85B0E347D3F3259

Sunday 29 October 2017

Update: pdf-parser.py Version 0.6.8

Filed under: My Software,PDF,Update — Didier Stevens @ 15:32

This is a bugfix version.

pdf-parser_V0_6_8.zip (https)
MD5: 7702EEA1C6173CB2E91AB88C5013FAF1
SHA256: 3424E6939E79CB597D32F405E2D75B2E42EF7629750D5DFB39927D5C132446EF

Saturday 21 October 2017

Update: base64dump.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 20:24

This new version of base64dump adds support to decode strings like UNICODE strings (-t).

base64dump_V0_0_8.zip (https)
MD5: 1B379A08FBC6E7686A89AF099699B076
SHA256: A81AE1AACCB168787CAF6355D582BB5096760893F5CB60E93E408A0475B4FDAC

Monday 16 October 2017

Update: oledump.py Version 0.0.29

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump adds support to decode strings like UNICODE strings (-t), and can dump strings (-S).

oledump_V0_0_29.zip (https)
MD5: 7F98DB95E0E9FF645B8411F421387214
SHA256: E00567490A48A7749DF07F0E7ECD8FD24B3C90DC52E18AFE36253E0B37A543C5

Sunday 17 September 2017

Quickpost: Update: Infinite Control For Bash Bunny

Filed under: Bash Bunny,Hardware,My Software,Quickpost,Update — Didier Stevens @ 16:39

This is an update to my Bash Bunny payload Infinite Control: it sends a CONTROL keypress every 10 seconds. I changed the LED colors, and if you uncomment line 27 the BREAK key will be used (function key 15, as some people suggested).

You can find it on HAK5’s GitHub Bash Bunny repository too.

# Title:         Infinite Control
# Author:        Didier Stevens (https://DidierStevens.com)
# Version:       0.0.2 2017/09/02
# History:       0.0.1 2017/04/08 start
#                0.0.2 2017/09/02 changed LED colors, added BREAK
# Hit the CONTROL key every 10 seconds in an infinite loop,
# while blinking the CYAN LED with every keypress.
# Can be used to prevent a machine from sleeping or auto-locking.
# Some users have suggested to hit F15 (BREAK) in stead of CTRL.
# This can be done by uncommenting line #INFINITE_KEY=BREAK.
# WARNING: Do not type on the machine's keyboard while this script
#          is running, or your keystrokes might become commands,
#          for example CTRL-Q: Quit
# Cyan ..............Hitting CONTROL key
# Yellow Blinking ...Sleeping
# Red Blinking.......Wow! We broke out of the infinite while loop!



# infinite while loop
while true
	sleep 1
	sleep 9

# this code will never be reached


Quickpost info

Next Page »

Blog at WordPress.com.