Didier Stevens

Monday 3 April 2023

Update: re-search.py Version 0.0.22

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to re-search.py, my tool to search text files with regular expressions, brings several new regular expressions.

There are 4 new regular expressions for cryptographic hashes: md5, sha1, sha256, sha512. And one new name that groups these 4 regular expressions: hashes.

You can use it like this: re-search.py -n hashes sample.txt

These regular expressions not only match strings of hexadecimal characters of the appropriate length (with a boundary: \b), they also check each extracted hash with a Python function (HashValidate in re-extra.py) that is designed to eliminate strings that accidentally look like a hash (example: 32 times letter A).

HashValidate checks the following:

  • that the hash is not a mix of lowercase and uppercase letters
  • that there are more than 5 different hexadecimal digits
  • that there are more than 10 positions where a character differs from the character that follows it

These simple rules are designed to detect hexadecimal strings that are too uniform, and thus probably not a hash digest.
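As an added illustration (not the code of re-search.py or re-extra.py), here is a small Python implementation of the same idea: four word-boundary-anchored hex patterns for the md5, sha1, sha256 and sha512 digest lengths, a hash_validate function applying the three rules above, and an extractor that keeps only the candidates that pass. The function names, the pattern dictionary and the sample text are assumptions constructed for this example; the two digest values in the sample text are the ones published in this post.

```python
import re

# Hex runs of the four digest lengths, anchored with \b on both sides so that
# a 64-character run is not also reported as a 32- or 40-character hash.
# (Constructed for this example; the real re-search.py patterns may differ.)
HASH_PATTERNS = {
    "md5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "sha1": re.compile(r"\b[0-9a-fA-F]{40}\b"),
    "sha256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "sha512": re.compile(r"\b[0-9a-fA-F]{128}\b"),
}


def hash_validate(candidate):
    """Apply the three uniformity checks described in the post.

    Returns True when the hex string looks like a real digest, False when it
    is too uniform (e.g. 32 times the letter A) or mixes letter cases.
    """
    letters = [c for c in candidate if c.isalpha()]
    has_lower = any(c.islower() for c in letters)
    has_upper = any(c.isupper() for c in letters)
    # Rule 1: a digest is printed in one case, not a mix of lower and upper.
    if has_lower and has_upper:
        return False
    # Rule 2: more than 5 distinct hexadecimal digits must be present.
    if len(set(candidate.lower())) <= 5:
        return False
    # Rule 3: more than 10 positions where a character differs from the next.
    transitions = sum(1 for a, b in zip(candidate, candidate[1:]) if a != b)
    if transitions <= 10:
        return False
    return True


def extract_hashes(text, names=("md5", "sha1", "sha256", "sha512")):
    """Return (name, digest) pairs for every regex match that passes hash_validate."""
    results = []
    for name in names:
        for match in HASH_PATTERNS[name].finditer(text):
            digest = match.group(0)
            if hash_validate(digest):
                results.append((name, digest))
    return results


# Constructed sample input: two real digests from this post plus three strings
# that look like hashes but should be rejected or not matched at all.
SAMPLE_TEXT = """\
MD5: BF72647B93D30D0D9CD75EEFED85D21E
placeholder: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
mixed case: bf72647B93D30D0d9cd75eefed85d21e
SHA256: FCF7D6EF2A5C8AEC5FC84D2CF588FCD8DAD3923E10905D3350AAD7975D926553
not a hash (33 hex chars): 0123456789abcdef0123456789abcdef0
"""

if __name__ == "__main__":
    for name, digest in extract_hashes(SAMPLE_TEXT):
        print(f"{name}: {digest}")
```

Running the block reports only the MD5 and SHA256 lines: the run of 32 A's fails rule 2, the mixed-case string fails rule 1, and the 33-character run never matches because neither end of a 32-character window falls on a word boundary.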

And I also added regular expressions for strings delimited by single quotes: str-s, str-se, str-su, str-seu.

re-search_V0_0_22.zip (http)
MD5: BF72647B93D30D0D9CD75EEFED85D21E
SHA256: FCF7D6EF2A5C8AEC5FC84D2CF588FCD8DAD3923E10905D3350AAD7975D926553

Sunday 2 April 2023

Update: oledump.py Version 0.0.74

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to plugin_msi_info to change the output format a bit. And you can select your preferred hash algorithm with environment variable DSS_DEFAULT_HASH_ALGORITHMS.

oledump_V0_0_74.zip (http)
MD5: FD4D73F0C1A6BE43406381C13C128D5E
SHA256: 1683635FD3250DF43E2CA31C60C2C81B507B1E233C5D91C2671D147C7FD8BD14

Wednesday 29 March 2023

Update: myjson-filter.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 19:48

In this update, I add option -W to write items to disk.

Option -W takes a value. Possible values are: vir, hash, hashvir and idvir.

This value determines the filename for each item written to disk.

vir: filename is item name + extension vir
hash: filename is sha256 hash
hashvir: filename is sha256 hash + extension vir
idvir: filename is item id + extension vir

For an example, take a look at my SANS ISC diary entry "Extracting Multiple Streams From OLE Files".

myjson-filter_V0_0_4.zip (http)
MD5: 7CFB64BDE6A60DB44EBEA18DD4B966D3
SHA256: B8128DC14DC7235710AB4DF9B0B2A55C43FA2035140D5CBCDC09D9079AB6D6DA

Sunday 26 March 2023

Update: python-per-line.py version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 9:16

This is an update to python-per-line.py, my tool to execute a Python expression on each line of a text file.

New options are --regex, --join and --split. And there are new string reversal functions: Reverse and ReverseFind.

More details in the man page.

python-per-line_V0_0_10.zip (http)
MD5: 54BFA2E593A024E3FBAA76757D63847E
SHA256: D12E5FE10F71011C480EA332E0E183AE904024CEBC22128775197481152B9C1E

Friday 24 March 2023

Update: oledump.py Version 0.0.73

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to plugin_msi_info to provide extra info on streams.

Indicator ! marks PE and CAB files.

Indicator ? marks files that are not images (and are not marked with !).

The idea is to first inspect streams marked with ! and ?.

The plugin also provides an overview of the files contained inside the CAB file.

oledump_V0_0_73.zip (http)
MD5: 0CAFC87E62E5BC069568B78C1CEE720D
SHA256: CA67FCFA1F4C79668C9ED0C791AFA9D5EEF370AD58DDC542E2204A080A58F9A5

Sunday 26 February 2023

Update: oledump.py Version 0.0.72

Filed under: My Software,Update — Didier Stevens @ 17:49

This update brings a new plugin to analyze MSI files: plugin_msi_info

oledump_V0_0_72.zip (http)
MD5: 27CBB0D67EA90DD02875081785B50CB4
SHA256: 3E20C06B40222DAB69951D13159E063E9AF8766291D15362C0E39026B3923DC2

Thursday 16 February 2023

Update: process-binary-file Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix update.

python-templates_V0_0_10.zip (http)
MD5: 29806A562411E4584455746C8CE41BAB
SHA256: CC520C26BE6E59F48AEA639EC477983333D75F91FFE295915DB4711C275E26DB

Wednesday 15 February 2023

Update: cut-bytes.py Version 0.0.16

Filed under: My Software,Update — Didier Stevens @ 0:00

In this new version of cut-bytes.py, I add support for custom Python transforms (options -P and -S), pyzipper and fixed a bug.

cut-bytes_V0_0_16.zip (http)
MD5: 04E6E0E46C6698127BAE443AF5CEF0F6
SHA256: 0657F6A6837CEC9F3E9E50551F8861D19B70305A4B7C3C409D561C3462550D24

Tuesday 14 February 2023

Update: xor-kpa.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

I added extra plaintexts for the modulus of Cobalt Strike’s public RSA key.

xor-kpa_V0_0_7.zip (http)
MD5: FB8155E56234648CC3AFFD890BFE9043
SHA256: 069DCA2A1901D448DBF2CF202B5CE49846EFCBAACB73BF35B20AA085AAB31BA9

Monday 13 February 2023

Update: file-magic.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 18:37

This new version of file-magic.py adds a definition to identify OneNote .one files:

And adds support for pyzipper.

file-magic_V0_0_6.zip (http)
MD5: 2C564E9B215672BA9352934C8B91B0EC
SHA256: 6102CE6788EB17B17AB3C0AB054FE9ECA2C557E9349A7ACF9612759CC5C6CA97