Didier Stevens

Saturday 19 December 2020

Update: strings.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 9:22

This new update to strings.py, my tool to extract strings, brings statistics with a new option: -a.

This option can be used together with other filtering options:

strings_V0_0_6.zip (https)
MD5: C4633CDAF3AEADE23738AA9356F50298
SHA256: 93A87F515103A0C9DA01D6DA034CE7FB5CC7E562B095EFF614EF09C8DD92D455

Saturday 12 December 2020

Update: numbers-to-string.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 16:50

This new version of numbers-to-string.py, my tool to convert decimal numbers to strings, has a new option: -l (--line).

This option is used to select a particular input line (using its line number) for processing.

numbers-to-string_v0_0_11.zip (https)
MD5: 6824639FFEE290B83DBA328021355476
SHA256: 0E748886E97E351B64BD288D3EC6F322FFB7B1AA89410897E6B2BA03701EA852

Update: oledump.py version 0.0.57

Filed under: My Software,Update — Didier Stevens @ 13:30

This new version of oledump brings an update to plugin_stream_o, to handle /o form streams with multiple entries.

If more than one entry is found in a /o form stream, a counter will precede the output, like in this example with 2 entries:

oledump_V0_0_57.zip (https)
MD5: E0C9C8706EFC3AB86EEBED03A4CCF555
SHA256: 1C4588B48A494D0C7BD6AD9600EA9F46AD472DC62BF8D58D6EA635AE7CB02502

Sunday 6 December 2020

Update: pecheck.py Version 0.7.12

Filed under: My Software,Update — Didier Stevens @ 13:28

This new version of my PE file analysis tool pecheck.py brings more info when locating PE files inside arbitrary files (option -l P).

2 columns are added to the list of located PE files: original filename (version information) and DLL name (export section).

This can be used, for example, to detect Cobalt Strike beacons inside process dumps. Like in the following example, where the DLL name is beacon.dll:

 

pecheck-v0_7_12.zip (https)
MD5: 0AF2A99DD5AF742C9B688466EE3087C5
SHA256: 10B3B6903AB52381F7C8687F8284270CE060983CA001B4FC5DD88174744B705F

Saturday 5 December 2020

Update: oledump.py Version 0.0.56

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump includes a few Python 3 fixes, and an updated version of plugin_biff.py.

plugin_biff now detects BIFF5/BIFF7 format and reports the file encryption mode (FILEPASS record).

oledump_V0_0_56.zip (https)
MD5: B26A75D36F3D47611F1D98200739EBB8
SHA256: C6C691E021273E75741EB1163F7FB70743EF2EC07C710EE7F15DFF513E38DAD4

Sunday 29 November 2020

Update: emldump.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 21:50

This is the Python 3 version of my email file analysis tool (eml).

emldump_V0_0_11.zip (https)
MD5: 09408ED0C2183178BEA71459CE001995
SHA256: 01B3543CCBAE806E1536BF55E62DF7D30885737909DB4322348AC521138660CC

Saturday 28 November 2020

Update: disitool.py Version 0.4

Filed under: My Software,Update — Didier Stevens @ 11:08

This is a Python 3 update for my disitool.

disitool_v0_4.zip (https)
MD5: 3A41D8805340716913FAECE7C79B10A7
SHA256: 51EBFB0759FEEA69FFFB643659FD74DC5043338719A91CE36E427D175196661A

Sunday 15 November 2020

Update: oledump.py Version 0.0.55

Filed under: My Software,Update — Didier Stevens @ 13:49

This new version of oledump.py brings extra JSON support and a new indicator.

Existing option -j (--jsonoutput) produces JSON output: a JSON object with the content of each individual stream (BASE64 encoded).

This option (-j) can now be used together with option -v (--vbadecompress) to produce a JSON object with the VBA code (BASE64 encoded) of each VBA module stream.

And there is a new indicator (!):

This indicator is used for VBA module streams for which oledump is not able to recognize “normal” VBA source code (e.g. starting with something other than attributes). Here is an example of a sample that would cause this ! indicator to appear: AV Cleaned Maldoc.

oledump_V0_0_55.zip (https)
MD5: 499B66DC3BAF86BDA4BC0370E3C18A1A
SHA256: ABEABFF0F1F5AA2239AFCDE73A676D4E8D9BA2F82C03B8663FFAB6F8D3A360E7

Wednesday 11 November 2020

Update: translate.py Version 2.5.10

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a Python 3 bug fix version.

translate_v2_5_10.zip (https)
MD5: DB9574D664257263C51FE7C74C7B281E
SHA256: E8993B3F2C25A92A9F4583636E1CEF79D79649B29FFF56EAA9AF8A30FCF9B9A6

Thursday 22 October 2020

Update: strings.py Version 0.0.5 Pascal Strings

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of strings.py, my tool to extract strings from arbitrary files, adds option -P to add support for Pascal strings.

A Pascal string is a string that is internally stored with a length-prefix: an integer that counts the number of characters inside the string.

The Unix strings command, and my strings.py tool, can extract Pascal strings without any problem, because they just search for a sequence of characters, without looking for a terminating NULL character (C-string) or a length-prefix (P-string or Pascal string).

But with option -P, you can direct my tool strings.py to only extract Pascal strings, by checking if character sequences are prefixed with an integer that is equal to the number of characters inside the string. Strings that do not match that requirement are ignored.

Since an integer can be represented internally with different byte formats, you have to provide a value to option -P that indicates how the integer is stored internally. I use the same format as Python’s struct module to represent that format. For example, “<I” is a little-endian, unsigned 32-bit integer. That is how a string is represented in Delphi, as can be seen in this example of a Delphi malware sample:

The strings you see here are all found inside the sample, and are prefixed by their length. If you didn’t use option -P, these strings would also be extracted, but they would not stand out amid the other strings that are not prefixed by their length.

Delphi also supports the ShortString type: one byte to encode the length. These can be found with option -P “<B”: little-endian, unsigned 8-bit integer:

strings_V0_0_5.zip (https)
MD5: A4BF314BE0A72972ECA7B14B558610E6
SHA256: 30E9E9BB618006445483AA78F804766D8FFA518974B81F9B68FF534BEA30B072
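
The length-prefix check described in this post, sketched as an added example (this is not code from strings.py; the function names, the printable-ASCII range, the minimum length of 4 and the sample bytes are assumptions made here). It contrasts plain string extraction with extraction that only accepts runs whose prefix, read with a struct format such as "<I" or "<B", equals the run length:

```python
import re
import struct

def plain_strings(data: bytes, min_len: int = 4):
    """Classic extraction: every printable ASCII run, prefix or not."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def is_printable(b: int) -> bool:
    return 0x20 <= b <= 0x7E

def pascal_strings(data: bytes, prefix_fmt: str = "<I", min_len: int = 4):
    """Return [(prefix_offset, text)] for runs whose length prefix matches.

    prefix_fmt uses struct notation: "<I" is a little-endian unsigned
    32-bit integer, "<B" an unsigned 8-bit integer (Delphi ShortString).
    """
    size = struct.calcsize(prefix_fmt)
    found = []
    i = 0
    while i + size <= len(data):
        (n,) = struct.unpack_from(prefix_fmt, data, i)
        start, end = i + size, i + size + n
        # Scanning every offset (instead of starting from printable runs)
        # also handles prefixes that are printable themselves, e.g. a
        # one-byte length of 40 is the character "(".
        if (min_len <= n and end <= len(data)
                and all(is_printable(b) for b in data[start:end])
                # the run must stop exactly where the prefix says it does
                and (end == len(data) or not is_printable(data[end]))):
            found.append((i, data[start:end].decode("ascii")))
            i = end
        else:
            i += 1
    return found

# Constructed sample bytes, not taken from a real file.
SAMPLE = (
    b"\x00\x01MZ-not-prefixed\x00"                       # C-string, no prefix
    + struct.pack("<I", 12) + b"kernel32.dll" + b"\x00"  # 32-bit length prefix
    + struct.pack("<I", 9) + b"short" + b"\x00\x00"      # prefix 9, 5 chars: rejected
    + struct.pack("<B", 8) + b"TObject1" + b"\xff"       # 8-bit length prefix
)

if __name__ == "__main__":
    print(plain_strings(SAMPLE))
    print(pascal_strings(SAMPLE, "<I"))
    print(pascal_strings(SAMPLE, "<B"))
```
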
