Didier Stevens

Monday 30 October 2017

Update: pdfid.py Version 0.2.2

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

I regularly get ideas to improve my tools when I give (private) training, and last week was not different.

This new version of pdfid.py adds a /URI counter, to help identify PDF documents with embedded URLs, used for phishing or social-engineering users into clicking on links.

I did not hardcode this new counter into the source code of pdfid.py, but it is listed in a new config file: pdfid.ini. You too can add your own identifiers to this configuration file.

pdfid_v0_2_2.zip (https)
MD5: 20614B44D97D48813D867AA8F1C87D4E
SHA256: FBF668779A946C70E6C303417AFA91B1F8A672C0293F855EF85B0E347D3F3259

Sunday 29 October 2017

Update: pdf-parser.py Version 0.6.8

Filed under: My Software,PDF,Update — Didier Stevens @ 15:32

This is a bugfix version.

pdf-parser_V0_6_8.zip (https)
MD5: 7702EEA1C6173CB2E91AB88C5013FAF1
SHA256: 3424E6939E79CB597D32F405E2D75B2E42EF7629750D5DFB39927D5C132446EF

Saturday 21 October 2017

Update: base64dump.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 20:24

This new version of base64dump adds support to decode strings like UNICODE strings (-t).

base64dump_V0_0_8.zip (https)
MD5: 1B379A08FBC6E7686A89AF099699B076
SHA256: A81AE1AACCB168787CAF6355D582BB5096760893F5CB60E93E408A0475B4FDAC

Monday 16 October 2017

Update: oledump.py Version 0.0.29

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump adds support to decode strings like UNICODE strings (-t), and can dump strings (-S).

oledump_V0_0_29.zip (https)
MD5: 7F98DB95E0E9FF645B8411F421387214
SHA256: E00567490A48A7749DF07F0E7ECD8FD24B3C90DC52E18AFE36253E0B37A543C5

Sunday 17 September 2017

Quickpost: Update: Infinite Control For Bash Bunny

Filed under: Bash Bunny,Hardware,My Software,Quickpost,Update — Didier Stevens @ 16:39

This is an update to my Bash Bunny payload Infinite Control: it sends a CONTROL keypress every 10 seconds. I changed the LED colors, and if you uncomment line 27 the BREAK key will be used (function key 15, as some people suggested).

You can find it on HAK5’s GitHub Bash Bunny repository too.

# Title:         Infinite Control
# Author:        Didier Stevens (https://DidierStevens.com)
# Version:       0.0.2 2017/09/02
# History:       0.0.1 2017/04/08 start
#                0.0.2 2017/09/02 changed LED colors, added BREAK
# Hit the CONTROL key every 10 seconds in an infinite loop,
# while blinking the CYAN LED with every keypress.
# Can be used to prevent a machine from sleeping or auto-locking.
# Some users have suggested to hit F15 (BREAK) in stead of CTRL.
# This can be done by uncommenting line #INFINITE_KEY=BREAK.
# WARNING: Do not type on the machine's keyboard while this script
#          is running, or your keystrokes might become commands,
#          for example CTRL-Q: Quit
# Cyan ..............Hitting CONTROL key
# Yellow Blinking ...Sleeping
# Red Blinking.......Wow! We broke out of the infinite while loop!



# infinite while loop
while true
	sleep 1
	sleep 9

# this code will never be reached


Quickpost info

Wednesday 6 September 2017

Update: re-search.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 21:37

A new option in this version: -x (–hex) to produce hexadecimal output.

re-search_V0_0_9.zip (https)
MD5: E9BC3AFF3FA3D6ED0F14EC4941955C2D
SHA256: 4AA92E513A478D02DD12110D3759FFCB2996A3E8A5D2D812124922C5023C3B50

Saturday 12 August 2017

Update: byte-stats.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 13:00

This new version of byte-stats.py adds option -r (–ranges). This option will print out extra information on the range of byte values (contiguous byte value sequences) found in the analyzed files.

Example for BASE64 data:

Number of ranges: 5
Fir. Last Len. Range
0x2b        1: +
0x2f 0x39  11: /0123456789
0x3d        1: =
0x61 0x7a  26: abcdefghijklmnopqrstuvwxyz

In this example, 5 ranges are reported: they can be thought of as a kind of fingerprint for BASE64 data.
Each range is characterized by 4 properties:
Fir. (First) is the first byte value in the range.
Last is the last byte value in the range (this value is not displayed for ranges of a single byte).
Len. (length) is the number of unique byte values in the range.
Range is the printout of the byte values in the range (. is printed if the byte value is not printable).

byte-stats_V0_0_6.zip (https)
MD5: CA729FF05E314A9CF5C348CB4A720F13
SHA256: 11E41F51EC9911741D71C8BC3278FA22AADBD865F2BF7BE4E73E82A7736A8FA8

Monday 31 July 2017

Update: translate.py Version 2.5.0

Filed under: maldoc,My Software,Update — Didier Stevens @ 20:17

I analyzed a malicious document send by a reader of the Internet Storm Center, and to decode the payload I wanted to use my tool translate.py.

But an option was lacking: I had to combine 2 byte streams to result in the decoded payload, while translate will only accept one byte stream (file, stdout, …).

I solved my problem with a small custom Python script, but then I updated translate.py to accept a second file/byte stream (option -2).

This is how I use it to decode the payload:


translate_v2_5_0.zip (https)
MD5: 768F895537F977EF858B4D82E0E4387C
SHA256: 5451BF8A58A04547BF1D328FC09EE8B5595C1247518115F439FC720A3436519F

Thursday 27 July 2017

Update: count.py Version 0.2.0

Filed under: My Software,Update — Didier Stevens @ 18:49

count is a simple program: it takes text files as input and counts how many times each lines appears.

A couple of years ago, I made a video:

count.py uses a Python dictionary to count items, but that requires a lot of memory to process gigabytes of data.

This new version helps with this problem by providing a count method using a database (sqlite3). By default, a dictionary is still used. But counting with a database can be selected with option -c. With option -c you can provide the name of the database to use: if the name is :memory:, the database will be created in memory. Counting with a sqlite3 database in memory requires less memory than counting with a Python dictionary, but is slower. If the name is a filename, the database will be created on disk. This is of course way slower than in memory, but can process even larger files.


count_v0_2_0.zip (https)
MD5: ACF1982045ABEF86FCDBA87A84F5F588
SHA256: 373DDA0B2C176624998B5907261477943F677855CCECCDD42D6BEB758F8E7B79

Sunday 23 July 2017

Update: python-per-line.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 19:48

python-per-line is a tool to apply a Python expression on each line of input.

I updated it because I had to process large credential dumps (I’ll blog about this later).

This new version can process .gz files too, and includes three new predefined Python functions: IFF, RIN and SBC.

From the man page:

IFF is a predefined Python function that implements the if Function
(IFF = IF Function). It takes three arguments: expression, valueTrue,
valueFalse. If expression is true, then valueTrue is returned,
otherwise valueFalse is returned.

RIN is a predefined Python function that uses the repr function if
needed (RIN = Repr If Needed). When a string contains characters that
need to be escaped to be used in Python source code, repr(string) is
returned, otherwise the string itself is returned.

SBC is a predefined Python function that helps with selecting a value
from lines with values and separators (Separator Based Cut = SBC). SBC
takes five arguments: data, separator, columns, column, failvalue.
data is the data we want to parse (usually line), separator is the
separator character, columns is the number of columns per line, column
is the value we want to select (cut) starting from 0, and failvalue is
the value that SBC needs to return if the function fails (for example
because there are less columns in the line than specified by the
columns value).
Here is an example. We use this file with credentials (creds.txt):

And this is the command to extract the passwords:
python-per-line.py "SBC(line, ':', 2, 1, [])" creds.txt

The result:

If a line contains more separators than specified by the columns
argument, then everything past the last expected separator is
considered the last value (this includes the extra separator(s)). We
can see this with line "username3:pass:word". The password is
pass:word (not pass). SBC returns pass:word.
If a line contains less separators than specified by the columns
argument, then the failvalue is returned. [] makes python-per-line
skip an output line, that is why no output is produced for user2.

python-per-line_V0_0_2.zip (https)
MD5: AB2377D366AB33992A535AF1EE489CBD
SHA256: 045F398FBCF6DDFF4A25B38007ADDF89B3256C21C8808B58FBC96855D55E6171

« Previous PageNext Page »

Blog at WordPress.com.