Didier Stevens

Thursday 31 December 2020

Update: rtfdump.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 10:38

This is a Python 3 update for my tool to analyze RTF files. There are some new features, like option -O, to produce an overview:

More details in upcoming maldoc analysis posts.

rtfdump_V0_0_10.zip (https)
MD5: E7D235AC14A83DAABCD433DE1948E989
SHA256: 750430C0DA0B9D25B0BBBB972F107D1459FEAF45A2D61EAB6C10E84CB8AA01F8

Sunday 27 December 2020

Update: 1768.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is an update of my tool to analyze Cobalt Strike beacons.

Option -l can be used to generate YARA rules to search for Cobalt Strike beacons with a given license ID.

1768_v0_0_4.zip (https)
MD5: 35779393F2DC6171731446F8E0AC361B
SHA256: 59148C2DA13BE4DB203F9444E837911476BDE74E41E5A82C865E9729101336D2

Saturday 26 December 2020

Update: base64dump.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This is an update to my tool base64dump.py: a tool to detect and decode encodings like base64, hexadecimal, …

A new decoding option was added with version 0.0.13: dec (decimal).

base64dump_V0_0_13.zip (https)
MD5: B322C1E55108FB1559009FC4C1CF12DE
SHA256: EE6527B4F558439916D9854980D6980EECA9F130F37BBF4034453ABBD8BF3260

Friday 25 December 2020

Update: zipdump.py Version 0.0.21

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a Python 3 bug fix version of my tool to analyze ZIP files.

zipdump_v0_0_21.zip (https)
MD5: 9B2839C1028FA5D07F2E07FDB56306D9
SHA256: 48653BB2B3009241C4C536BF64D16A6DFDA4B66D6658EC6BCFA79647AE4D5FA8

Wednesday 23 December 2020

Update: byte-stats.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a Python 3 version of my byte-stats.py tool to produce statistics for arbitrary binary input.

byte-stats_V0_0_8.zip (https)
MD5: 2F6E672D821356EDBDA51A83662075E8
SHA256: 23A108A849FEB84002505463101D7DC47C52D12C80F812465B25996DBB34775C

Tuesday 22 December 2020

Update: cut-bytes.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a bug fix version for cut-bytes.py, my tool to select (cut) bytes from binary input.

cut-bytes_V0_0_13.zip (https)
MD5: E16C2B6358A2AA642BCC9CC9B033FAEC
SHA256: 2276257173FD1DF65338CFA53DDE5522ED8A7D7E94BCC302117F535F584F14CF

Monday 21 December 2020

Update: translate.py Version 2.5.11

Filed under: My Software,Update — Didier Stevens @ 0:00

This version adds bit shift functions shl and shr. There’s also a bug fix.

translate_v2_5_11.zip (https)
MD5: CB3B7F284B2F5C73FC583BB8E91B33AA
SHA256: 99717783D1225E1B95EE721AA2C7F3A09AE02647E28E7C6337776363B9BFFC33

Saturday 19 December 2020

Update: strings.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 9:22

This new update to strings.py, my tool to extract strings, brings statistics with a new option: -a.

This option can be used together with other filtering options:

strings_V0_0_6.zip (https)
MD5: C4633CDAF3AEADE23738AA9356F50298
SHA256: 93A87F515103A0C9DA01D6DA034CE7FB5CC7E562B095EFF614EF09C8DD92D455

Saturday 12 December 2020

Update: numbers-to-string.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 16:50

This new version of numbers-to-string.py, my tool to convert decimal numbers to strings, has a new option: -l (--line).

This option is used to select a particular input line (using its line number) for processing.

numbers-to-string_v0_0_11.zip (https)
MD5: 6824639FFEE290B83DBA328021355476
SHA256: 0E748886E97E351B64BD288D3EC6F322FFB7B1AA89410897E6B2BA03701EA852

Update: oledump.py version 0.0.57

Filed under: My Software,Update — Didier Stevens @ 13:30

This new version of oledump brings an update to plugin_stream_o, to handle /o form streams with multiple entries.

If more than one entry is found in a /o form stream, a counter will precede the output, like in this example with 2 entries:

oledump_V0_0_57.zip (https)
MD5: E0C9C8706EFC3AB86EEBED03A4CCF555
SHA256: 1C4588B48A494D0C7BD6AD9600EA9F46AD472DC62BF8D58D6EA635AE7CB02502
