Didier Stevens

Didier Stevens Suite

I bundled most of my software in a ZIP file and a GitHub repository. Software that requires installation (Ariad) or that sets off too many anti-virus engines on VirusTotal is not included.

I update this ZIP file and repository each time I release a new version or a new program (excluding beta versions).

Last update: 2022/12/29

If you get errors running one of my programs, read this first.

DidierStevensSuite.zip (http)
MD5: 67579518D3A1462E2232264CE2AA306D
SHA256: 66CA7B6B5B8893BC3D30637AC55DD3AAB928098F395BA546392D28EFE20ADE85

28 Comments »

  1. […] bundled most of my software in a ZIP file. In all modesty, I call it Didier Stevens […]

    Pingback by Didier Stevens Suite | Didier Stevens — Thursday 8 January 2015 @ 20:14

  2. Great stuff

    Comment by Anonymous — Thursday 19 November 2015 @ 10:04

  3. Fyi, Palo Alto Wildfire blocked download of zip due to AnalyzePESig-crt-auto-x86.exe detected as malware

    Comment by Anonymous — Friday 25 November 2016 @ 13:47

  4. Thanks, ‘really a painstaking job.

    Comment by Anonymous — Monday 18 September 2017 @ 10:41

  5. Didier – Is there a way we can submit fixes or improvements, since it says you don’t accept pull requests on Github.

    Thanks,

    Comment by Anonymous — Tuesday 30 October 2018 @ 23:16

  6. Yes, for what program?

    Comment by Didier Stevens — Tuesday 30 October 2018 @ 23:19

  7. Hi dear,
    I’m looking for something that verifies URL reachability. But not just that. I have a URL filtering appliance, so the URL check script has to discriminate between appliance blocking (“this site is blocked” message) and anything else.

    Have you any suggestions for me please?

    Kind regards
    Gian

    Comment by Gian — Wednesday 12 June 2019 @ 7:15

  8. Yes, I have something that I will release soon: wgets.py

    Comment by Didier Stevens — Friday 14 June 2019 @ 8:26

  9. Greeeat! Just love you 😉

    Comment by Gian Matteo Esposito — Friday 14 June 2019 @ 8:51

  10. […] go so well. But thanks to @killamjr’s help, updating all of Didier Steven’s tools, and this SANS blog post, it all worked out fine. Let’s work through […]

    Pingback by Crimson Rat (02-24-2020): VelvetSweatshop and shellcode – Click All the Things! — Thursday 27 February 2020 @ 12:54

  11. […] of them are written in Python (a free, open-source programming language). These tools can be found here and on […]

    Pingback by Analyzing a “multilayer” Maldoc: A Beginner’s Guide – NVISO Labs — Wednesday 6 April 2022 @ 8:22

  12. Hello Didier,
    Thank you for the great tools. What version of Python should I install to use these tools? I have 3.9 installed but it gives error when I run them, Traceback (most recent call last):

    Comment by TheMantis — Wednesday 21 September 2022 @ 11:25

  13. What tool are you using? Because your paste didn’t work

    Comment by Didier Stevens — Wednesday 21 September 2022 @ 18:11

  14. Hello Didier,

    I was trying to use zipdump.
    Thank you for your quick response.

    Comment by Anonymous — Wednesday 21 September 2022 @ 20:15

  15. Zipdump is a tool I have updated many times the last year, so it is Python 3.

    Comment by Didier Stevens — Wednesday 21 September 2022 @ 20:17

  16. Can you post the error?

    Comment by Didier Stevens — Wednesday 21 September 2022 @ 20:17

  17. This is the error when I run zipdump.py
    "line 519
    exec open(decoder, 'r') in globals(), globals()
    ^
    SyntaxError: invalid syntax

    Comment by Anonymous — Thursday 22 September 2022 @ 11:22

  18. You are running an old version for Python 2

    Comment by Didier Stevens — Thursday 22 September 2022 @ 21:08

  19. Use the latest version

    Comment by Didier Stevens — Thursday 22 September 2022 @ 21:08

  20. I got the errors below when I ran with the latest Python version 3.10.7
    Traceback (most recent call last):
    File "C:\Users\…\Desktop\Cyber\DidierStevensSuite\zipdump.py", line 5457, in <module>
    Main()
    File "C:\Users\…\Desktop\Cyber\DidierStevensSuite\zipdump.py", line 5452, in Main
    ZIPDump(args[0], options)
    File "C:\Users\…\Desktop\Cyber\DidierStevensSuite\zipdump.py", line 5097, in ZIPDump
    file = oZipfile.open(oZipInfo, 'r', C2BIP3(zippassword))
    File "C:\Program Files\Python310\lib\zipfile.py", line 1571, in open
    return ZipExtFile(zef_file, mode, zinfo, pwd, True)
    File "C:\Program Files\Python310\lib\zipfile.py", line 800, in __init__
    self._decompressor = _get_decompressor(self._compress_type)
    File "C:\Program Files\Python310\lib\zipfile.py", line 699, in _get_decompressor
    _check_compression(compress_type)
    File "C:\Program Files\Python310\lib\zipfile.py", line 679, in _check_compression
    raise NotImplementedError("That compression method is not supported")
    NotImplementedError: That compression method is not supported

    Comment by Anonymous — Friday 23 September 2022 @ 12:12

  21. Are you trying to analyze a ZIP file with AES encrypted content?

    Comment by Didier Stevens — Friday 23 September 2022 @ 13:45

  22. I was trying to follow one of your videos, https://isc.sans.edu/diary/Video%3A+Analyzing+Obfuscated+VBS+with+CyberChef/29058.

    Comment by Anonymous — Friday 23 September 2022 @ 17:02

  23. Ah ok. So you got the sample from Malware Bazaar? Malware Bazaar uses AES encryption in zip files, and that is not supported by Python. You need to install an extra module for this to work, like this: pip.exe install pyzipper

    Comment by Didier Stevens — Friday 23 September 2022 @ 17:04
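    The traceback and the AES explanation above come down to one ZIP-format detail: WinZip AES entries carry "compression method" 99 plus an extra-field record with header ID 0x9901 that names the real method, and the standard zipfile module knows neither. The check below is an added example (my code, not zipdump.py or anything from the Didier Stevens Suite) that builds a minimal archive with such an entry, parses the 0x9901 record, and shows the same NotImplementedError the comment above reproduces. The entry name, the dummy payload bytes, the DOS date and the password are constructed for illustration; the pyzipper fallback is the "pip install pyzipper" route mentioned above and is only meaningful on a real archive.

```python
import io
import struct
import zipfile

# WinZip AES entries advertise "compression method" 99 (AE-x) and carry an
# extra-field record with header ID 0x9901 that names the real method.
AES_METHOD = 99
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def build_aes_zip_sample(name=b"sample.bin", payload=b"\x00" * 40):
    """Constructed test data (not a real malware archive): a one-entry ZIP whose
    entry is marked WinZip AES (method 99, AE-2, AES-256 wrapping Deflate).
    The payload bytes are dummies, not ciphertext; only the headers matter."""
    flags = 0x0001      # general-purpose bit 0: entry is encrypted
    mdate = 0x5421      # DOS date 2022-01-01, constructed
    # 0x9901 record: AE-2, vendor "AE", strength 3 = AES-256, real method 8 = Deflate
    extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
    local = struct.pack("<IHHHHHIIIHH", 0x04034b50, 51, flags, AES_METHOD,
                        0, mdate, 0, len(payload), len(payload),
                        len(name), len(extra)) + name + extra + payload
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014b50, 51, 51, flags,
                          AES_METHOD, 0, mdate, 0, len(payload), len(payload),
                          len(name), len(extra), 0, 0, 0, 0, 0) + name + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054b50, 0, 0, 1, 1,
                       len(central), len(local), 0)
    return local + central + eocd


def build_plain_zip_sample():
    """Constructed control case: an ordinary Deflate entry the stdlib can read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "plain entry, no encryption\n")
    return buf.getvalue()


def parse_aes_extra(extra):
    """Walk the extra field ((id, size, data) records) and decode the 0x9901 one."""
    pos = 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hid == AES_EXTRA_ID and size == 7:
            version, vendor, strength, method = struct.unpack("<H2sBH", body)
            return {"ae_version": version,
                    "strength": AES_STRENGTH.get(strength, "unknown"),
                    "inner_method": method}
        pos += 4 + size
    return {}


def inspect_zip(data, pwd=b"infected"):
    """Per entry: is it WinZip AES, what does the 0x9901 record say, and which
    exception does the stdlib raise when asked to open it with a password."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            info = {"aes": zi.compress_type == AES_METHOD,
                    "encrypted": bool(zi.flag_bits & 0x0001),
                    "strength": None, "inner_method": None, "stdlib_error": None}
            if info["aes"]:
                info.update(parse_aes_extra(zi.extra))
            try:
                with zf.open(zi, "r", pwd) as f:   # same call as in zipdump's traceback
                    f.read()
            except Exception as e:                  # NotImplementedError for method 99
                info["stdlib_error"] = type(e).__name__
            report[zi.filename] = info
    return report


def read_with_pyzipper(data, pwd):
    """For a real AES archive: pyzipper (pip install pyzipper) is a drop-in
    zipfile replacement that understands method 99. Returns None if absent."""
    try:
        import pyzipper
    except ImportError:
        return None
    with pyzipper.AESZipFile(io.BytesIO(data)) as zf:
        zf.setpassword(pwd)
        return {zi.filename: zf.read(zi) for zi in zf.infolist()}


if __name__ == "__main__":
    for fname, info in inspect_zip(build_aes_zip_sample()).items():
        print(fname, info)
```

    Run it against a downloaded sample instead of the constructed one by passing the file's bytes to inspect_zip(); when "aes" is True and "stdlib_error" is NotImplementedError, the stdlib is not the tool for that archive and read_with_pyzipper() (or zipdump.py after installing pyzipper) is.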

  24. Didier Stevens,

    Regarding simple_listener.py — I have been using this with success, however, there is an issue with how lines sometimes get written to the log. It seems they are not always flushed correctly and multiple events end up on the same line when saved to the log file (see examples below with sanitized IPs):

    127.0.0.1 = replaced honeypot IP
    127.0.0.2 = replaced adversary IP

    Two TCP connections on same line in log
    20230116-230133: 127.0.0.2:64016-127.0.0.1:9587 TCP connection20230116-230133: 127.0.0.2:63426-127.0.0.1:9542 TCP connection

    TCP connection, TCP closed, TCP data events all on same line in log
    20230116-230133: 127.0.0.2:63638-127.0.0.1:9522 TCP connection20230116-230133: 127.0.0.2:64991-127.0.0.1:9627 TCP closed20230116-230133: 127.0.0.2:63070-127.0.0.1:9531 TCP data b'\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n\x01\x00\x08\x00\x03\x00\x00\x00'

    The code that appears to be performing this action looks correct from what I can see cOutput.Line() but the issue is still here somewhere. Any ideas on what may be causing this? I’m continuing to investigate but not seeing the issue just yet.

    Regards

    Comment by Travis Mathison (@ciph34block) — Tuesday 17 January 2023 @ 20:20

  25. Interesting, I’ve never observed this.
    But it means that I should use a synchronisation object, like a lock. I’ll add that to my todo list.

    Comment by Didier Stevens — Tuesday 17 January 2023 @ 22:34

  26. Can you replace the __init__ and Line methods of the cOutput object with the below code, and let me know if it fixes your problem?
    I just added a synchronisation lock (self.oLock)

    import threading

    class cOutput():
        def __init__(self, filename=None, bothoutputs=False):
            self.filename = filename
            self.bothoutputs = bothoutputs
            self.oLock = threading.Lock()  # serialises Line() calls from all listener threads
            if self.filename and self.filename != '':
                self.f = open(self.filename, 'w')
            else:
                self.f = None

        def Line(self, line):
            # Holding the lock while printing and writing means two threads can
            # no longer interleave their output; the with-statement releases it
            # even if print() or write() raises, so no thread is left waiting forever.
            with self.oLock:
                if not self.f or self.bothoutputs:
                    print(line)
                if self.f:
                    try:
                        self.f.write(line + '\n')
                        self.f.flush()
                    except:
                        pass

    Comment by Didier Stevens — Thursday 19 January 2023 @ 21:27
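    A way to verify the fix above rather than waiting for the honeypot to misbehave again: the stress test below is an added example (my code, not simple_listener.py), with a writer in the shape of cOutput that can run with or without the lock, hammered from several threads, after which every line in the file is checked against the expected shape. The line format, thread counts and temp file are constructed for the demo.

```python
import os
import re
import tempfile
import threading


class LineWriter:
    """Log writer in the shape of simple_listener's cOutput, with the lock that
    the fix adds (use_lock=True) or without it (the pre-fix behaviour)."""

    def __init__(self, filename, use_lock=True):
        self.f = open(filename, 'w')
        self.oLock = threading.Lock() if use_lock else None

    def Line(self, line):
        if self.oLock is None:
            self._emit(line)               # unsynchronised: threads can interleave
        else:
            with self.oLock:               # one writer at a time; released on error too
                self._emit(line)

    def _emit(self, line):
        self.f.write(line + '\n')
        self.f.flush()

    def close(self):
        self.f.close()


# Every line a worker emits has this shape; anything else means two events fused.
LINE_RE = re.compile(r'^T(\d+)-(\d+): event (\d+)$')


def run_stress(use_lock, threads=8, per_thread=400):
    """Hammer one writer from several threads, then check the file line by line.
    Returns (lines_written, lines_read, malformed_lines)."""
    fd, path = tempfile.mkstemp(suffix='.log')
    os.close(fd)
    try:
        w = LineWriter(path, use_lock)

        def worker(tid):
            for j in range(per_thread):
                w.Line('T%d-%d: event %d' % (tid, j, j))

        ts = [threading.Thread(target=worker, args=(i,)) for i in range(threads)]
        for t in ts:
            t.start()
        for t in ts:
            t.join()
        w.close()

        with open(path) as f:
            lines = f.read().split('\n')
        if lines and lines[-1] == '':
            lines.pop()                    # trailing newline, not an empty event
        malformed = sum(1 for l in lines if not LINE_RE.match(l))
        return threads * per_thread, len(lines), malformed
    finally:
        os.unlink(path)


def run_both():
    """Locked and unlocked runs side by side. The unlocked result is timing
    dependent: a short run may come out clean, which proves nothing."""
    return {'locked': run_stress(True), 'unlocked': run_stress(False)}


if __name__ == '__main__':
    for name, (written, read, bad) in run_both().items():
        print('%-8s written=%d read=%d malformed=%d' % (name, written, read, bad))
```

    With the lock, written and read counts always match and malformed stays at zero; that is the property the honeypot log in comment 24 violated, and the check to keep around when changing cOutput again.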

  27. Didier, I implemented the synchronization lock in the cOutput class and have not seen this issue in our honeypot since; this does appear to fix the issue. Thank you!

    Comment by Travis Mathison (@ciph34block) — Wednesday 25 January 2023 @ 18:39

  28. Great, I’ll release the new version

    Comment by Didier Stevens — Wednesday 25 January 2023 @ 19:48

