I bundled most of my software in a ZIP file and GitHub repository. Some software that requires installation (Ariad) or triggers too much anti-virus programs on VirusTotal was not included.
I update this ZIP file and repository each time I release a new version or a new program (excluding beta versions).
Last update: 2023/05/02
If you get errors running one of my programs, read this first.
DidierStevensSuite.zip (http)
MD5: 764404FE8449A7EC04FF9BA0186E4B68
SHA256: 27547CC1C90B6F27A241EC13A52E27277E6166BCBFCB145755AA0766B33A2D3C
Didier Stevens 
[…] bundled most of my software in a ZIP file. In all modesty, I call it Didier Stevens […]
Pingback by Didier Stevens Suite | Didier Stevens — Thursday 8 January 2015 @ 20:14
Great stuff
Comment by Anonymous — Thursday 19 November 2015 @ 10:04
Fyi, Palo Alto Wildfire blocked download of zip due to AnalyzePESig-crt-auto-x86.exe detected as malware
Comment by Anonymous — Friday 25 November 2016 @ 13:47
Thanks, ‘really a painstaking job.
Comment by Anonymous — Monday 18 September 2017 @ 10:41
Didier – Is there a way we can submit fixes or improvements, since it says you don’t accept pull requests on Github.
Thanks,
Comment by Anonymous — Tuesday 30 October 2018 @ 23:16
Yes, for what program?
Comment by Didier Stevens — Tuesday 30 October 2018 @ 23:19
Hi dear,
I’m looking for something that verify URLs reachability. But not just that. I have an URL filtering appliance, so the URL check script had to discriminate between appliance blocking (“this site is blocked” message) and anything else.
Have you any suggestions for me please?
Kind regards
Gian
Comment by Gian — Wednesday 12 June 2019 @ 7:15
Yes, I have something that I will release soon: wgets.py
Comment by Didier Stevens — Friday 14 June 2019 @ 8:26
Greeeat! Just love you 😉
Comment by Gian Matteo Esposito — Friday 14 June 2019 @ 8:51
[…] go so well. But thanks to @killamjr’s help, updating all of Didier Steven’s tools, and this SANS blog post, it all worked out fine. Let’s work through […]
Pingback by Crimson Rat (02-24-2020): VelvetSweatshop and shellcode – Click All the Things! — Thursday 27 February 2020 @ 12:54
[…] of them are written in Python (a free, open-source programming language).These tools can be found here and on […]
Pingback by Analyzing a “multilayer” Maldoc: A Beginner’s Guide – NVISO Labs — Wednesday 6 April 2022 @ 8:22
Hello Didier,
Thank you for the great tools. What version of Python should I install to use these tools? I have 3.9 installed but it gives error when I run them, Traceback (most recent call last):
Comment by TheMantis — Wednesday 21 September 2022 @ 11:25
What tool are you using? Because your paste did’t work
Comment by Didier Stevens — Wednesday 21 September 2022 @ 18:11
Hello Didier,
I was trying to use zipdump.
Thank you for your quick response.
Comment by Anonymous — Wednesday 21 September 2022 @ 20:15
Zipdump is a tool I have upd ted many times the last year, so it is Python 3.
Comment by Didier Stevens — Wednesday 21 September 2022 @ 20:17
Can you post the error?
Comment by Didier Stevens — Wednesday 21 September 2022 @ 20:17
This is the error when I run zipdump.py
“line 519
exec open(decoder, ‘r’) in globals(), globals()
^
SyntaxError: invalid syntax
Comment by Anonymous — Thursday 22 September 2022 @ 11:22
You are running an old version for Python 2
Comment by Didier Stevens — Thursday 22 September 2022 @ 21:08
Use the latest version
Comment by Didier Stevens — Thursday 22 September 2022 @ 21:08
I got the errors below when I ran with the latest Python version 3.10.7
Traceback (most recent call last):
File “C:\Users\…\Desktop\Cyber\DidierStevensSuite\zipdump.py”, line 5457, in
Main()
File “C:\Users\…\Desktop\Cyber\DidierStevensSuite\zipdump.py”, line 5452, in Main
ZIPDump(args[0], options)
File “C:\Users\…\Desktop\Cyber\DidierStevensSuite\zipdump.py”, line 5097, in ZIPDump
file = oZipfile.open(oZipInfo, ‘r’, C2BIP3(zippassword))
File “C:\Program Files\Python310\lib\zipfile.py”, line 1571, in open
return ZipExtFile(zef_file, mode, zinfo, pwd, True)
File “C:\Program Files\Python310\lib\zipfile.py”, line 800, in __init__
self._decompressor = _get_decompressor(self._compress_type)
File “C:\Program Files\Python310\lib\zipfile.py”, line 699, in _get_decompressor
_check_compression(compress_type)
File “C:\Program Files\Python310\lib\zipfile.py”, line 679, in _check_compression
raise NotImplementedError(“That compression method is not supported”)
NotImplementedError: That compression method is not supported
Comment by Anonymous — Friday 23 September 2022 @ 12:12
Are you trying to analyze a ZIP file with AES encrypted content?
Comment by Didier Stevens — Friday 23 September 2022 @ 13:45
I was trying to follow one of your videos, https://isc.sans.edu/diary/Video%3A+Analyzing+Obfuscated+VBS+with+CyberChef/29058.
Comment by Anonymous — Friday 23 September 2022 @ 17:02
Ah ok. So you got the sample from Malware Bazaar? Malware Bazaar uses AES encryption in zip files, and that is not supported by Python. You need to install an extra module for this to work, like this: pip.exe install pyzipper
Comment by Didier Stevens — Friday 23 September 2022 @ 17:04
Didier Stevens,
Regarding simple_listener.py — I have been using this with success, however, there is an issue with how lines sometimes get written to the log. It seems they are not always flushed correctly and multiple events end up on the same line when saved to the log file (see examples below with sanitized IPs):
127.0.0.1 = replaced honeypot IP
127.0.0.2 = replaced adversary IP
Two TCP connections on same line in log
20230116-230133: 127.0.0.2:64016-127.0.0.1:9587 TCP connection20230116-230133: 127.0.0.2:63426-127.0.0.1:9542 TCP connection
TCP connection, TCP closed, TCP data events all on same line in log
20230116-230133: 127.0.0.2:63638-127.0.0.1:9522 TCP connection20230116-230133: 127.0.0.2:64991-127.0.0.1:9627 TCP closed20230116-230133: 127.0.0.2:63070-127.0.0.1:9531 TCP data b’\x03\x00\x00/*\xe0\x00\x00\x00\x00\x00Cookie: mstshash=Administr\r\n\x01\x00\x08\x00\x03\x00\x00\x00′
The code that appears to be performing this action looks correct from what I can see cOutput.Line() but the issue is still here somewhere. Any ideas on what may be causing this? I’m continuing to investigate but not seeing the issue just yet.
Regards
Comment by Travis Mathison (@ciph34block) — Tuesday 17 January 2023 @ 20:20
Interesting, I’ve never onserved this.
But it means that I should use a synchronisation object, like a lock.I’ll add that to my todo list.
Comment by Didier Stevens — Tuesday 17 January 2023 @ 22:34
Can you replace the __init__ and Line methods of the cOutput object with the below code, and let me know if it fixes your problem?
I just added a synchronisation lock (self.oLock)
class cOutput():
def __init__(self, filename=None, bothoutputs=False):
self.filename = filename
self.bothoutputs = bothoutputs
self.oLock = threading.Lock()
if self.filename and self.filename != ”:
self.f = open(self.filename, ‘w’)
else:
self.f = None
def Line(self, line):
self.oLock.acquire()
if not self.f or self.bothoutputs:
print(line)
if self.f:
try:
self.f.write(line + ‘\n’)
self.f.flush()
except:
pass
self.oLock.release()
Comment by Didier Stevens — Thursday 19 January 2023 @ 21:27
Didier, I implemented the synchronization lock in the cOutput class and have not seen this issue in our honeypot since; this does appear to fix the issue. Thank you!
Comment by Travis Mathison (@ciph34block) — Wednesday 25 January 2023 @ 18:39
Great, I’ll release the new version
Comment by Didier Stevens — Wednesday 25 January 2023 @ 19:48