Didier Stevens

Saturday 2 January 2016

Update: shellcode2vba.py Version 0.4

Filed under: Update,My Software,Shellcode — Didier Stevens @ 13:33

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 3 new options:

Option –nocreatethread allows you to instruct the program not to add the VBA code to create a new thread.

Option –writememory: from now on, the VBA code uses RtlMoveMemory in stead of WriteProcessMemory. To use WriteProcessMemory, use option –writememory process

Option –start allows you to specify the name of the start function (ExecuteShellCode by default).

shellcode2vba_v0_4.zip (https)
MD5: DA1580DEF5B5CFF08ACF5FA921AF0822
SHA256: BDC0A5EC3E918B3DA27C392E1B2F909B7BDAD319C43A4250689DD38C81FF876F

Monday 21 December 2015

Update: oledump.py Version 0.0.22

Filed under: maldoc,My Software,Update — Didier Stevens @ 16:27

Some changes when you use the –raw option. Now plugins can also be used when the VBA code is corrupted.

oledump_V0_0_22.zip (https)
MD5: CA91850BBC92E82D705F707704000F82
SHA256: 16763BCF15BFB3301FFAE0BDA26F18EE2946EDD7478994B798127DBBEF5FF9E7

Sunday 29 November 2015

Update: oledump.py Version 0.0.21

Filed under: My Software,Update — Didier Stevens @ 11:15

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-0x100 select the whole stream except the last 256 bytes.

oledump_V0_0_21.zip (https)
MD5: F72CBB797CE8FB810ACE5E54DC832129
SHA256: 016C772575DF381C274F6408B242945DE35679904B7C8B1B693ABFB2B3C023FB

Saturday 28 November 2015

Update: virustotal-search.py Version 0.1.3

Filed under: My Software,Update — Didier Stevens @ 9:29

A small update: I added option -s (separator) so that you can choose your CSV separator.

virustotal-search_V0_1_3.zip (https)
MD5: 6D93F6CCE56AA74C830D66F9AE2E88C0
SHA256: 09D3BA6BCE1A69E8292AD0D44FB216FBCBF5686EA3C64DCD5FC877E91D4141F4

Sunday 22 November 2015

Update: emldump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 select the whole file except the last 5 bytes.

emldump_V0_0_5.zip (https)
MD5: 5FAEDF1459114306D57FEABEF3CDDEFD
SHA256: B3D08E1768E1211C44680DD502AC096A324FF209330657F4ABC0CD09B888254C

Saturday 21 November 2015

Update: nsrl.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to my nsrl.py program: the CSV output now includes the ApplicationType.

nsrl_V0_0_2.zip (https)
MD5: 816DD5BEF94D289F489399A95824083D
SHA256: 65C4AF8F139651942062EB78D820AD3BE5DBEE2C4331B3105BAE62B220CD4F44

Sunday 15 November 2015

Update: find-file-in-file.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

A very small change to find-file-in-file:

find-file-in-file.py contained containing
0x00000000 0x00000014 (50%) (End of containing file)
Remaining 20 (50%)

When the tool reaches the end of the containing file, a message is printed to signal this: (End of containing file)

And I also added option -r (regular): to handle a ZIP file as a regular file.

find-file-in-file_v0_0_5.zip (https)
MD5: 1463DBAB808BBE40AC7919BC9A77303D
SHA256: C269B1995B61F0EDE24E4E9C64D5DD64E79B5ED6DD2126E94AF52E15D90C427F

Saturday 14 November 2015

Update: cut-bytes.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 8:50

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 select the whole file except the last 5 bytes.

 cut-bytes_V0_0_2.zip (https)
MD5: B70F851CE74859B38AC3ABA9688593EB
SHA256: 1A0BD64334DA90B21888020B383004A18C3BAEE211D24AA91FF12719F8581AE9

Friday 13 November 2015

Update: emldump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

I’m adding the new -E option to my dump tools, this time it’s emldump’s turn. As announced with version 0.0.20 of oledump, option -E (extra) allows the user to specify which extra info needs to be displayed.

I’ve also made a video for oledump (the -E option is the same across my dump tools):

emldump_V0_0_4.zip (https)
MD5: 79DF66048849439E6034F082606A37A1
SHA256: B4AFDE89B6F3B025595A6FD1ACC5F60498BF900D18E624F134F618115DAC0E08

Tuesday 10 November 2015

Update: oledump V0.0.20

Filed under: My Software,Update — Didier Stevens @ 0:00

Option -c calculates extra data per stream. This data is displayed per stream. Only the MD5 hash of the content of the stream is calculated.
Example:
C:\Demo>oledump.py -c Book1.xls
1:      4096 ‘\x05DocumentSummaryInformation’ ff1773dce227027d410b09f8f3224a56
2:      4096 ‘\x05SummaryInformation’ b46068f38a3294ca9163442cb8271028
3:      4096 ‘Workbook’ d6a5bebba74fb1adf84c4ee66b2bf8dd

In stead of adding more calculations to option -c, I added option -E (extra) which allows the user to specify which extra info needs to be displayed. From the man page:

If you need more data than the MD5 of each stream, use option -E
(extra). This option takes a parameter describing the extra data that
needs to be calculated and displayed for each stream. The following
variables are defined:
  %INDEX%: the index of the stream
  %INDICATOR%: macro indicator
  %LENGTH%': the length of the stream
  %NAME%: the printable name of the stream
  %MD5%: calculates MD5 hash
  %SHA1%: calculates SHA1 hash
  %SHA256%: calculates SHA256 hash
  %ENTROPY%: calculates entropy
  %HEADHEX%: display first 20 bytes of the stream as hexadecimal
  %HEADASCII%: display first 20 bytes of the stream as ASCII
  %TAILHEX%: display last 20 bytes of the stream as hexadecimal
  %TAILASCII%: display last 20 bytes of the stream as ASCII
  %HISTOGRAM%: calculates a histogram
                 this is the prevalence of each byte value (0x00 through 0xFF)
                 at least 3 numbers are displayed separated by a comma:
                 number of values with a prevalence > 0
                 minimum values with a prevalence > 0
                 maximum values with a prevalence > 0
                 each value with a prevalence > 0
  %BYTESTATS%: calculates byte statistics
                 byte statistics are 5 numbers separated by a comma:
                 number of NULL bytes
                 number of control bytes
                 number of whitespace bytes
                 number of printable bytes
                 number of high bytes

The parameter for -E may contain other text than the variables, which
will be printed. Escape characters \n and \t are supported.
Example displaying the MD5 and SHA256 hash per stream, separated by a
space character:
C:\Demo>oledump.py -E "%MD5% %SHA256%" Book1.xls
  1:      4096 '\x05DocumentSummaryInformation' ff1773dce227027d410b09f8f3224a56 2817c0fbe2931a562be17ed163775ea5e0b12aac203a095f51ffdbd5b27e7737
  2:      4096 '\x05SummaryInformation' b46068f38a3294ca9163442cb8271028 2c3009a215346ae5163d5776ead3102e49f6b5c4d29bd1201e9a32d3bfe52723
  3:      4096 'Workbook' d6a5bebba74fb1adf84c4ee66b2bf8dd 82157e87a4e70920bf8975625f636d84101bbe8f07a998bc571eb8fa32d3a498

If the extra parameter starts with !, then it replaces the complete
output line (in stead of being appended to the output line).
Example:
C:\Demo>oledump.py -E "!%INDEX% %MD5%" Book1.xls
1 ff1773dce227027d410b09f8f3224a56
2 b46068f38a3294ca9163442cb8271028
3 d6a5bebba74fb1adf84c4ee66b2bf8dd

To include extra data with each use of oledump, define environment
variable OLEDUMP_EXTRA with the parameter that should be passed to -E.
When environment variable OLEDUMP_EXTRA is defined, option -E can be
ommited. When option -E is used together with environment variable
OLEDUMP_EXTRA, the parameter of option -E is used and the environment
variable is ignored.

oledump_V0_0_20.zip (https)
MD5: 715B33E8E090F2A061DB2EA5A913055F
SHA256: 056CC911AEDFFB48B756F1B941E14660EBA8B613C65B1026F5DA77FB3047DAE3

« Previous PageNext Page »

Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 456 other followers