This update to strings.py brings option -V to add extra statistics for the 10 longest strings when option -a –stats is used.
strings_V0_0_9.zip (http)This new version of myjson-filer brings a new choice for option -W (–write): hashext.
This write files where the filename is the sha256 hash + provided extension. For example, option -W hash:jpeg will create files with extension .jpeg, and the name is the sha256 hash of the content of the file.
myjson-filter_V0_0_6.zip (http)This new version of hash.py adds JSON input support: –jsoninput.
hash_V0_0_12.zip (http)I’ve added opion -B –bin to move analyzed files into folders per detected file type.
file-magic_V0_0_8.zip (http)This is an update for the entropy calculation.
If the number of bytes to calculate statistics for is less than 256, the tool will also provide a normalized entropy calculation:
This new version adds an experimental mode (option -e), to decode alternative datastructures for stored and runtime config.
More details can be found in SANS ISC diary entry “1768.py’s Experimental Mode” I wrote.
1768_v0_0_21.zip (http)This new version of oledump brings updates to .msg plugins plugin_msg and plugin_msg_summary.
Plugin plugin_msg_summary can now produce JSON output for attachments (plugin option -J).
Plugin plugin_msg now parses porperty streams.
More details can be found in my SANS ISC diary entry “Analyzing MSG Files“.
oledump_V0_0_76.zip (http)metatool.py is a tool to help with the analysis of Metasploit or Cobalt Strike URLs.
I added option -a to provide URLs via the command-line.
metatool_V0_0_4.zip (http)This update to 1768.py, my Cobalt Strike beacon analysis tool, adds “runtime configuration” extraction.
Although 1768.py could already search for beacon configurations inside process memory dumps, the dump was just processed as a raw file.
With this update, 1768.py will also search for the runtime configuration inside a process memory dump. The runtime configuration, is a C/C++ array with integers and pointers, that is created in the heap by the beacon’s C/C++ code from the obfuscated configuration (e.g., XOR 0x2E).
Because this requires pointer calculations for the heap, Python module minidump is required. A warning will be displayed if it is not installed and it is needed.
The hexadecimal dump screenshots in this blog post show a runtime configuration.
Example of 1768.py finding a runtime configuration:
This is a 32-bit runtime config.
As the runtime config uses pointers, its structure is different for 32-bit and 64-bit beacons (because pointer size is different).
In this process memory dump, 1768.py only found the runtime config, not the embedded config.
Here is an example where both configs are found:
This new version of format-bytes.py adds IPv6 representations:
Big-endian (b), little-endian (l) and 4 32-bit little-endian unsigned integers (l4).
And if you use a # to pass on literal data (here in hexadecimal: #h#), then the data is also printed.
format-bytes_V0_0_15.zip (http)
Didier Stevens 