Didier Stevens

Sunday 10 December 2017

Update: rtfdump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 10:31

This new version of rtfdump.py adds extra information when analyzing the content of an RTF file:

  • Extra info for objects
  • Size of the longest contiguous hexadecimal string
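As an added illustration of that second item (example code written for this page, not rtfdump.py's own), the functions below measure the longest contiguous hexadecimal run in an RTF file, once strictly and once after dropping CR/LF, and check whether that run decodes to data containing the OLE2 compound-file header. The RTF fragment and its hex values are constructed for the example and do not come from any real document.

```python
import binascii
import re

# Constructed RTF fragment for this example (not data from the original post): an
# embedded object whose \objdata payload is hex encoded and wrapped over three lines.
OBJDATA_LINES = [
    b"0105000002000000",                   # OLE1 header: version 1.5, format 2 (embedded)
    b"d0cf11e0a1b11ae1" + b"00" * 12,      # CFB/OLE2 magic followed by padding
    b"00003e000300feff090006" + b"00" * 11,
]
SAMPLE_RTF = (
    rb"{\rtf1{\object\objemb{\*\objclass Package}{\*\objdata "
    + b"\r\n".join(OBJDATA_LINES)
    + b"}}}"
)

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
HEX_RUN = re.compile(rb"[0-9A-Fa-f]+")


def longest_hex_run(data: bytes) -> bytes:
    """Longest run of contiguous hex digits in data.

    Anything that is not a hex digit, including CR/LF, ends a run. A short
    result on a file that clearly carries \\objdata is a hint that the hex
    was deliberately broken up with junk characters to defeat simple carving.
    """
    return max(HEX_RUN.findall(data), key=len, default=b"")


def longest_hex_run_joined(data: bytes) -> bytes:
    """Same measurement after dropping CR/LF, which RTF readers ignore inside \\objdata."""
    return longest_hex_run(data.replace(b"\r", b"").replace(b"\n", b""))


def decodes_to_ole2(hexrun: bytes) -> bool:
    """Decode a hex run (dropping an odd trailing nibble) and look for the OLE2 magic.

    An OLE1 \\objdata wrapper precedes the OLE2 container, so search, do not anchor.
    """
    if len(hexrun) % 2:
        hexrun = hexrun[:-1]
    return OLE2_MAGIC in binascii.unhexlify(hexrun)
```

A large gap between the strict and the joined measurement means the hex is merely line-wrapped; a tiny joined run on a file that still carries \objdata means non-hex characters were inserted on purpose, and decodes_to_ole2 tells you whether the longest run carries an OLE container worth extracting.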

rtfdump_V0_0_6.zip (https)
MD5: B4F9264F2431322F52BAAB834A5A144D
SHA256: C15918E89313D03F01BC8A3BCB68376B6E21558567BDFD81889F48196DC80986

Monday 27 November 2017

Update: pdfid.py Version 0.2.3

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

In this new version of pdfid.py, a new option was added: -n.

With this option, you can suppress output for names with a count of zero.

pdfid_v0_2_3.zip (https)
MD5: 65966E8BBF932D3C0830B755FDE094FE
SHA256: 9482176D173EFA6F2F33EE409B091BFA45685FC285B87F7219A4E9418B47F739

Monday 20 November 2017

Update: pcap-rename.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

pcap-rename.py is a program to rename pcap files with the timestamp of the first packet in the pcap file.

This new version supports big-endian pcap files.
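Why byte order matters here, as an added example that is not pcap-rename.py's own code: the pcap magic number is written in the producing machine's byte order, so a reader that assumes little-endian would misread every header field, the first packet's timestamp included, in a capture written on a big-endian host. The snippet below selects the byte order from the magic, reads the first record's timestamp and derives a file name from it. The file name format and the minimal pcap builder are this example's choices; the nanosecond-resolution magics are included as a generalisation the post itself does not mention.

```python
import struct
from datetime import datetime, timedelta, timezone

# pcap global-header magic values. The writer stores the magic in its native byte
# order, so the first four bytes tell the reader how to decode every other field.
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 1_000_000),       # little-endian, microseconds
    b"\xa1\xb2\xc3\xd4": (">", 1_000_000),       # big-endian, microseconds
    b"\x4d\x3c\xb2\xa1": ("<", 1_000_000_000),   # little-endian, nanoseconds
    b"\xa1\xb2\x3c\x4d": (">", 1_000_000_000),   # big-endian, nanoseconds
}
GLOBAL_HEADER_LEN = 24   # magic + major + minor + thiszone + sigfigs + snaplen + linktype
RECORD_HEADER_LEN = 16   # ts_sec + ts_frac + incl_len + orig_len


def first_packet_timestamp(data: bytes) -> datetime:
    """UTC timestamp of the first packet record in an in-memory pcap file."""
    if len(data) < GLOBAL_HEADER_LEN + RECORD_HEADER_LEN:
        raise ValueError("too short to be a pcap file with one packet")
    try:
        order, ticks_per_second = PCAP_MAGICS[data[:4]]
    except KeyError:
        raise ValueError("unknown pcap magic %s" % data[:4].hex()) from None
    ts_sec, ts_frac = struct.unpack(order + "II", data[GLOBAL_HEADER_LEN:GLOBAL_HEADER_LEN + 8])
    if ts_frac >= ticks_per_second:
        raise ValueError("fractional timestamp out of range")
    micro = ts_frac * 1_000_000 // ticks_per_second
    return datetime.fromtimestamp(ts_sec, tz=timezone.utc) + timedelta(microseconds=micro)


def timestamp_filename(data: bytes, extension: str = ".pcap") -> str:
    """Name derived from the first packet. The format is this example's choice,
    not necessarily what pcap-rename.py produces."""
    return first_packet_timestamp(data).strftime("%Y%m%d-%H%M%S") + extension


def make_pcap(magic: bytes, ts_sec: int, ts_frac: int, payload: bytes = b"\x00" * 14) -> bytes:
    """Build a minimal one-packet pcap in the byte order implied by magic (constructed test data)."""
    order = PCAP_MAGICS[magic][0]
    global_header = magic + struct.pack(order + "HHiIII", 2, 4, 0, 0, 65535, 1)
    record_header = struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), len(payload))
    return global_header + record_header + payload


# Two constructed files holding the same first packet, written in opposite byte orders.
LITTLE_ENDIAN_PCAP = make_pcap(b"\xd4\xc3\xb2\xa1", 1511136000, 123456)
BIG_ENDIAN_NS_PCAP = make_pcap(b"\xa1\xb2\x3c\x4d", 1511136000, 123456789)
```

Both constructed captures yield the same name, which is the property a renaming tool needs: the timestamp, not the writer's architecture, decides the file name.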

pcap-rename_V0_0_2.zip (https)
MD5: 6EFFA5313946DEAF3363835B1D3C684E
SHA256: 3BA23CC936B49AF83306E486B0BFC9ABAF5BD0B5E3DEF81D8564BCC3810C06B9

Friday 10 November 2017

Update: numbers-to-string.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 22:56

This version has a man page now.

I use this tool to decode obfuscated strings in malicious scripts:

Usage: numbers-to-string.py [options] [expression [[@]file ...]]
Program to convert numbers into a string

@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -e, --error           Generate error when error occurs in Python expression
  -i, --ignore          Ignore numbers greater than 255
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers (3 by default)
  -j, --join            Join output


numbers-to-string.py is a Python program that reads text files (as
arguments on the command line, @here files or stdin), extracts numbers
from these files and converts these to strings.
The first argument of numbers-to-string.py is a Python expression.
This Python expression can use variable n that represents each
extracted number.

Here is an example, with a script file (test.js) containing a list of

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)

Running this script file through numbers-to-string.py with an empty
expression ("") converts the numbers to a string:

C:\Demo>numbers-to-string.py "" test.js

68 is the ASCII number of letter D, 105 is the ASCII number of letter
i, ...
numbers-to-string.py converts each number it extracts to a character,
and concatenates them into one string per line.

The same result can be obtained by using Python expression n, where n
represents the extracted numbers:

C:\Demo>numbers-to-string.py n test.js

The advantage of using a Python expression becomes obvious when the
numbers have been altered to obfuscate their meaning.

In the next example, 1 has been added to each number, making
straightforward conversion generate an unintelligible string:

a = (105, 117, 117, 113, 116, 59, 48, 48, 69, 106, 101, 106, 102, 115,
84, 117, 102, 119, 102, 111, 116, 47, 100, 112, 110)

C:\Demo>numbers-to-string.py n test.js

If we use the Python expression to subtract 1 from each number (n -
1), then we can decode the string:

C:\Demo>numbers-to-string.py "n - 1" test.js

For more complex operations, a lambda expression can be used. The
argument of the lambda expression is the list of numbers.
Here is an example from a real malicious document:

C:\Demo>numbers-to-string.py "lambda l: [b - 40 + i*2 for i, b in
enumerate(l)]" test.js

numbers-to-string.py will work line per line, as illustrated with this

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)
b = (83, 116, 101, 118, 101, 110, 115)

C:\Demo>numbers-to-string.py n test.js

With option -j, the output strings can be concatenated:

C:\Demo>numbers-to-string.py -j n test.js

Output can be written to a file using option -o.

numbers-to-string.py needs at least 3 numbers per line to start
extracting. Lines with less than 3 numbers are ignored. 3 numbers is
the default minimum value, and can be changed using option -n.

Errors that occur when evaluating the Python expression will be
silently ignored. To have the tool raise these errors, use option -e.

If the resulting value of the expression is more than 255, an error
will be generated, unless option -i is used to ignore these errors.
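The behaviour the man page describes, reimplemented as an added example (code written for this page, not numbers-to-string.py itself): extract the numbers on each line, apply either a per-number expression or a lambda over the whole list, enforce the minimum count, and mirror the -i, -e and -j behaviours. The sample inputs reproduce the man page's lists; the numbers for the lambda case are constructed to fit the quoted expression, since the real document's values are not shown on the page.

```python
import re
from typing import List, Optional

NUMBER = re.compile(r"\d+")


def decode_line(line: str, expression: str = "", minimum: int = 3,
                ignore_big: bool = False, strict: bool = False) -> Optional[str]:
    """Turn the decimal numbers found on one line into a string.

    expression  ""  or "n"       : each number is used as-is
                "n - 1"          : Python expression evaluated once per number, n bound
                "lambda l: ..."  : callable applied once to the whole list of numbers
    minimum     lines with fewer numbers are skipped (returns None), like option -n
    ignore_big  drop values above 255 instead of raising, like option -i
    strict      re-raise errors from the expression instead of skipping the line, like -e

    The expression is typed by the analyst, never taken from the sample under
    analysis, which is the only reason eval() is acceptable here.
    """
    numbers = [int(m) for m in NUMBER.findall(line)]
    if len(numbers) < minimum:
        return None
    try:
        if expression.strip() in ("", "n"):
            values = numbers
        elif expression.lstrip().startswith("lambda"):
            values = list(eval(expression)(numbers))
        else:
            values = [eval(expression, {}, {"n": n}) for n in numbers]
    except Exception:
        if strict:
            raise
        return None
    chars = []
    for value in values:
        value = int(value)
        if value > 255:
            if ignore_big:
                continue
            raise ValueError("value %d does not fit in a byte" % value)
        if value < 0:
            raise ValueError("negative value %d" % value)
        chars.append(chr(value))
    return "".join(chars)


def decode_text(text: str, expression: str = "", join: bool = False, **options) -> List[str]:
    """Apply decode_line to every line; join=True concatenates the results (option -j)."""
    decoded = [decode_line(line, expression, **options) for line in text.splitlines()]
    decoded = [d for d in decoded if d is not None]
    return ["".join(decoded)] if join else decoded


# Constructed inputs mirroring the man page's examples. The man page's "plus one"
# list is kept on a single line here; the lambda sample is made up to fit the expression.
SAMPLE_PLAIN = "a = (68, 105, 100, 105, 101, 114)\nb = (83, 116, 101, 118, 101, 110, 115)\n"
SAMPLE_PLUS_ONE = ("a = (105, 117, 117, 113, 116, 59, 48, 48, 69, 106, 101, 106, 102, 115, "
                   "84, 117, 102, 119, 102, 111, 116, 47, 100, 112, 110)\n")
SAMPLE_LAMBDA = "x = (108, 143, 136, 139, 133, 144)\n"
LAMBDA_EXPRESSION = "lambda l: [b - 40 + i*2 for i, b in enumerate(l)]"
```

decode_text(SAMPLE_PLUS_ONE, "n - 1") recovers a URL from the shifted list, and decode_text(SAMPLE_LAMBDA, LAMBDA_EXPRESSION) shows why the lambda form exists: the correction depends on each number's position, which a per-number expression with only n cannot express.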

numbers-to-string_v0_0_3.zip (https)
MD5: 6FD49062058E6A03A4A7BF3A3D26408A
SHA256: 9457AFA699B61DA52F07921D3F7AB486585036654D64AD126B933345E71BC07F

Monday 6 November 2017

Update: oledump.py Version 0.0.30

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blog post.

oledump_V0_0_30.zip (https)
MD5: BBD53C65FC40891E2125B9808F507E4A
SHA256: 78CDC8C8BCD651A3578F567D24FD88300600E02520B2D75F45448E4FB480FEB0

Sunday 5 November 2017

Update: pecheck.py Version 0.7.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds support for option -g to select a section.

pecheck-v0_7_1.zip (https)
MD5: D5907442424C527A9937CFA65377C9BD
SHA256: BF2F162D108F17F350111645B8DFFE5D3641065CB6EE3CE318FCBEC83507917B

Saturday 4 November 2017

Update: cut-bytes.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of cut-bytes.py brings a small cosmetic change to the way a hex/ASCII dump is displayed:

An extra space is added between the 8th and 9th byte of the hexdump. This was suggested to me by an attendee of the last private training I gave.

cut-bytes_V0_0_6.zip (https)
MD5: 7F726219F6F601018B4BD39E9A407728
SHA256: BFD80EF00455CD938A05A18EAA33551ABEC6B0298A0AEE81052E6F5A12BB86F7
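A hexdump routine with that layout, as an added example written for this page (not cut-bytes.py's own code): 16 bytes per line, hex on the left, printable ASCII on the right, and the extra separator space after the 8th byte that makes offsets within a line easier to read by eye.

```python
def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump with one extra space between the 8th and
    9th byte (the change this post describes). Bytes outside 0x20..0x7E print as '.'."""
    half = width // 2
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        cells = []
        for index, byte in enumerate(chunk):
            if index == half:
                cells.append("")          # an empty cell yields the double space
            cells.append("%02X" % byte)
        hexfield = " ".join(cells).ljust(width * 3)   # keeps the ASCII column aligned on a short last line
        asciifield = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in chunk)
        lines.append("%08X: %s %s" % (offset, hexfield, asciifield))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input; a real tool would read the bytes from a file.
    print(hexdump(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8"))
```

The padding width is width * 3 because a full line holds width hex pairs, width - 1 single separators and the one extra space; a shorter final line is padded to the same width so the ASCII column stays aligned.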

Friday 3 November 2017

Update: byte-stats.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 20:59

My tool byte-stats.py calculates statistics for the files it analyzes. With option -l (and -p), it produces a list of values for different parts of the file (buckets), for example a list of entropy values. With this, one can get an idea of how the entropy changes inside a file.

But as the saying goes, a picture is worth a thousand words, so I added option -g to produce a very simple graph of these values (just a line, no axes or scale). This does not require any extra Python module: I use Python’s Tkinter module, the standard GUI toolkit for Python.
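How such a per-bucket entropy list is computed, as an added example written for this page (not byte-stats.py's code): Shannon entropy per equal-sized slice of a file, plus a text bar graph standing in for the Tkinter line graph. The equal-size split and the bar graph are this example's choices, and the sample file is constructed in the code rather than taken from the post.

```python
import math
import random
from collections import Counter
from typing import List


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((count / total) * math.log2(count / total) for count in Counter(data).values())


def bucket_entropies(data: bytes, buckets: int = 10) -> List[float]:
    """Entropy of each of `buckets` equal-sized consecutive slices of data.

    This is the kind of per-bucket list byte-stats.py -l produces; the equal-size
    split is this example's choice. A mostly flat profile with one slice near 8.0
    usually marks an embedded compressed or encrypted payload.
    """
    size = max(1, -(-len(data) // buckets))   # ceiling division
    return [shannon_entropy(data[i:i + size]) for i in range(0, len(data), size)]


def text_graph(values: List[float], columns: int = 40) -> str:
    """Text substitute for the graph of option -g: one bar per bucket, 8.0 bits = full width."""
    rows = []
    for index, value in enumerate(values):
        bar = "#" * int(round(value / 8.0 * columns))
        rows.append("%2d %5.3f %s" % (index, value, bar))
    return "\n".join(rows)


# Constructed sample: constant bytes, then pseudo-random bytes from a fixed seed,
# then repetitive text. Not a real file from the post.
_rng = random.Random(1)
SAMPLE_FILE = (b"A" * 2048
               + bytes(_rng.getrandbits(8) for _ in range(2048))
               + b"README: nothing to see here. " * 80)

if __name__ == "__main__":
    print(text_graph(bucket_entropies(SAMPLE_FILE)))
```

On the constructed sample the profile starts at 0.0, jumps close to 8.0 for the random region and drops to a few bits per byte for the text, which is exactly the shape you look for when hunting for an embedded encrypted blob in an otherwise ordinary file.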

byte-stats_V0_0_7.zip (https)
MD5: 9991B5C5BEB3CB7989FE6DC30789EB49
SHA256: 82198195EA9C92832027CC8E2E3ABE161787551A06750E042096CF2DF0AC9384

Monday 30 October 2017

Update: pdfid.py Version 0.2.2

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

I regularly get ideas to improve my tools when I give (private) training, and last week was no different.

This new version of pdfid.py adds a /URI counter, to help identify PDF documents with embedded URLs, used for phishing or social-engineering users into clicking on links.

I did not hardcode this new counter into the source code of pdfid.py, but it is listed in a new config file: pdfid.ini. You too can add your own identifiers to this configuration file.
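What such a name counter does, as an added example written for this page (not pdfid.py's own code, and not the pdfid.ini format, which the post does not show): count a list of PDF names in a document, normalising #xx hex escapes so that an obfuscated /Java#53cript still counts as /JavaScript, report how many hits were obfuscated, and optionally suppress names with a count of zero, as the -n option of version 0.2.3 above does. The name list is a subset of pdfid's keywords plus /URI; your own identifiers go in the same list. The sample PDF is constructed inline.

```python
import re
from collections import OrderedDict
from typing import List, Tuple

# A subset of the names pdfid.py reports, plus /URI. Where pdfid.py 0.2.2 reads
# extra names from pdfid.ini, this example simply takes a list.
DEFAULT_NAMES = ["/Page", "/JS", "/JavaScript", "/OpenAction", "/AA",
                 "/Launch", "/EmbeddedFile", "/URI"]

# A PDF name runs from '/' up to the next whitespace or delimiter character.
NAME_TOKEN = re.compile(rb"/([^\s()<>\[\]{}/%]*)")
# #xx hex escapes inside names are legal PDF syntax and a classic obfuscation,
# so names must be normalised before they are compared.
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw: bytes) -> str:
    unescaped = HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return "/" + unescaped.decode("latin-1")


def count_names(pdf: bytes, names: List[str] = DEFAULT_NAMES,
                suppress_zero: bool = False) -> "OrderedDict[str, Tuple[int, int]]":
    """Count each name in `names`; the value is (total, of which hex-obfuscated).
    suppress_zero=True drops names that never occur, like pdfid.py -n."""
    counts = OrderedDict((name, [0, 0]) for name in names)
    for match in NAME_TOKEN.finditer(pdf):
        name = normalize_name(match.group(1))
        if name in counts:
            counts[name][0] += 1
            if b"#" in match.group(1):
                counts[name][1] += 1
    return OrderedDict((name, tuple(pair)) for name, pair in counts.items()
                       if pair[0] or not suppress_zero)


def report(pdf: bytes, **options) -> str:
    """One line per counted name, flagging hex-obfuscated occurrences."""
    return "\n".join("%-16s %d%s" % (name, total, " (%d obfuscated)" % obf if obf else "")
                     for name, (total, obf) in count_names(pdf, **options).items())


# Constructed sample document: a link annotation with a /URI action and an
# OpenAction whose /JavaScript name is hex-obfuscated.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(report(SAMPLE_PDF, suppress_zero=True))
```

Matching the whole name token rather than a substring is what keeps /Pages from inflating the /Page count, and the obfuscation counter is the more interesting number: a benign PDF writer has no reason to spell /JavaScript with hex escapes.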

pdfid_v0_2_2.zip (https)
MD5: 20614B44D97D48813D867AA8F1C87D4E
SHA256: FBF668779A946C70E6C303417AFA91B1F8A672C0293F855EF85B0E347D3F3259

Sunday 29 October 2017

Update: pdf-parser.py Version 0.6.8

Filed under: My Software,PDF,Update — Didier Stevens @ 15:32

This is a bugfix version.

pdf-parser_V0_6_8.zip (https)
MD5: 7702EEA1C6173CB2E91AB88C5013FAF1
SHA256: 3424E6939E79CB597D32F405E2D75B2E42EF7629750D5DFB39927D5C132446EF
