Didier Stevens

This is just a bugfix version.

zipdump_v0_0_22.zip (http)
MD5: 68F9F3809E4E1F9ADE4A4C3835CDF475
SHA256: 92ED372579001C826D5AF31615B8334CC798FF2DA4AF8B7C46267BF7D995C757

In this update for cs-parse-traffic.py, my tool to decrypt & parse Cobalt Strike traffic, I added some error handling.

cs-parse-traffic_V0_0_5.zip (http)
MD5: CFF6D97E816B23065F051D91B0F101A6
SHA256: 69763EB4D3A163824B417A0E23131B318F5E97198F255ECE449A65D4360C6302

This new version of oledump.py brings some fixes and an update to plugin plugin_vbaproject to decode and display the password for plaintext passwords:

oledump_V0_0_66.zip (http)
MD5: 20D89F0477ED7B533C2B0C6D27EC4255
SHA256: F67051EF2FA3FD42206C5ADFAC807C94ECD5F7F0F6427433B366217F675D3195

This new version of oledump.py brings a new plugin (plugin_metadata) and Python 3 fixes for 2 plugins (plugin_msi and plugin_ppt).

The new plugin is actually an old unpublished plugin, that I updated recently.

This plugin parses Office document metadata as defined in document [MS-OLEPS].

I started to write this in 2015 to parse the metadata of Word documents, but soon I figured out that this functionality was already present in olefile, and I introduced option -M to call this functionality.

But recently, I had to parse metadata that isn’t (yet) parsed by olefile, so I updated and released plugin_metadata.

oledump_V0_0_65.zip (http)
MD5: 319894D211E0C6F41DCEBD5DBBBE3D33
SHA256: 35786C01AC74BE8604E96B528B7EB8EEFBB0D63407D3C78CC31D058528EF20D7

This is a Python3 stdin fix for re-search.py, my tool to search with regular expressions.

re-search_V0_0_19.zip (http)
MD5: 4007A3E5540871221B55591B50E2239B
SHA256: 263236ABE75B93F1F999474D690A9EB2575EBE42CED8F369FF98B349A5116D11

This new version of 1768.py brings option -H to include file hashes, introduces shellcode type detection and has updated statistics.

1768_v0_0_13.zip (http)
MD5: F7E85586045AA76C573E010E6FF5F701
SHA256: 33B43A5AB059556C17083E824D407891CD14544B5CA416223020076C5878D310

This new version of cut-bytes.py adds access to the read data for Python expressions in prefix and suffix options.

cut-bytes_V0_0_14.zip (http)
MD5: EC3434DAAEE06C6F35BD57B77F86833F
SHA256: BCCCE7A73C921BD2CC195155A3A709FBAD7ADC0A267288A4F7F58695A2F103D1

This new version of oledump brings option -u. This option is used to look for data past the end of the streams.

oledump_V0_0_64.zip (http)
MD5: D2FE33398A2BA85A760518972C0207D3
SHA256: C44F11D31CDCFDE0E7207363A9F35ED07A98A69A4A4228A8CA49292BA8EE9683

I included a new Cobalt Strike 4.5 private key in this released, shared with me by a user.

Further, ZIP files with AES encryption are supported. And a few other bug fixes

1768_v0_0_12b.zip (https)
MD5: C1675CD1CD5E817BDBC4B10D8850D6DD
SHA256: 0694F52EFA2332E8FCFFA739AD123ABF4A75F20ACB5DE3174376FE5D816DE071

This is a bug fix update for oledump.py.

It fixes a bug that occurred when you calculated the hash of decompressed VBA code:

oledump_V0_0_63.zip (https)
MD5: 52440972347843FF56B8F754910BFE4A
SHA256: F92660FFA0F484B46A14944A8B7B475C3D34E80D9C197FA1E99C444CA9ED533B