Didier Stevens

Monday 20 May 2024

Wireshark Lua Fixed Field Length Dissector: fl-dissector

Filed under: My Software,Networking,Reverse Engineering,Wireshark — Didier Stevens @ 11:58

I developed a Wireshark dissector (fl-dissector) in Lua to dissect TCP protocols with fixed field lengths. The dissector is controlled through protocol preferences and Lua script arguments.

The port number is an essential argument: if you don't provide it, default port number 1234 is used.

Example for TCP port 50500: -X lua_script1:port:50500.

The protocol name (default fldissector) can be changed with argument protocolname: -X lua_script1:protocolname:firmware.

The length of the fields can be changed via the protocol preferences dialog:

Field lengths are separated by a comma.

Field lengths can also be defined by Lua script argument fieldlengths, like this: -X lua_script1:fieldlengths:1,1,2:L,2:L.

When field lengths are defined via a Lua script argument, this argument takes precedence over the settings in the protocol preferences dialog. fieldlengths can also specify the field type, but only via Lua script argument, not via protocol preferences (this is due to a Lua script dissector design limitation: protocol preferences can only be read after dissector initialization, and fields have to be defined before dissector initialization). Field types are defined like this: length:type. Type can be L (or l) and defines a little-endian integer, or B (or b) and defines a big-endian integer. The length of the integer (8, 16, 24 or 32 bits) is inferred from the field length. Fields without a defined type are byte fields.

The length of the last field is not specified, it contains all the remaining bytes (if any).

Field names are specified with Lua script argument fieldnames: -X lua_script1:fieldnames:Function,Direction,Counter,DataLength,Data.
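To make the splitting rules above concrete, here is an added Python re-implementation of them (this is not the Lua dissector itself): it parses a fieldlengths specification, decodes typed fields with the endianness given, gives the unspecified last field the remaining bytes, and attaches the fieldnames. The payload bytes are constructed for the example.

```python
"""Reference re-implementation of fl-dissector's field-splitting rules
(added example in Python, not the Lua dissector). Sample data is constructed."""
from typing import List, NamedTuple, Optional, Tuple, Union


class FieldSpec(NamedTuple):
    length: int            # number of bytes in the field
    kind: Optional[str]    # None = byte field, 'L' = little-endian int, 'B' = big-endian int


def parse_fieldlengths(spec: str) -> List[FieldSpec]:
    """Parse a spec such as '1,1,2:L,2:L'; integer fields must be 8..32 bits wide."""
    fields = []
    for item in spec.split(','):
        length_text, _, kind = item.partition(':')
        length = int(length_text)
        kind = kind.upper() or None          # '' (no type given) -> byte field
        if kind not in (None, 'L', 'B'):
            raise ValueError(f'unknown field type {kind!r} in {item!r}')
        if kind is not None and not 1 <= length <= 4:
            raise ValueError(f'integer field of {length} bytes is not 8..32 bits')
        fields.append(FieldSpec(length, kind))
    return fields


def dissect(payload: bytes, spec: str, names: str = '') -> List[Tuple[str, Union[bytes, int]]]:
    """Split payload by spec; the last (unspecified) field receives all remaining bytes."""
    fields = parse_fieldlengths(spec)
    field_names = names.split(',') if names else []
    name = lambda i: field_names[i] if i < len(field_names) else f'field{i}'
    result, offset = [], 0
    for i, field in enumerate(fields):
        chunk = payload[offset:offset + field.length]
        if len(chunk) < field.length:
            raise ValueError(f'payload too short for field {name(i)} at offset {offset}')
        if field.kind is None:
            value: Union[bytes, int] = chunk
        else:
            value = int.from_bytes(chunk, 'little' if field.kind == 'L' else 'big')
        result.append((name(i), value))
        offset += field.length
    result.append((name(len(fields)), payload[offset:]))   # remainder, possibly empty
    return result


# Constructed sample: Function=1, Direction=2, Counter=0x0305 (LE), DataLength=4 (LE), Data='ABCD'
SAMPLE_SPEC = '1,1,2:L,2:L'
SAMPLE_NAMES = 'Function,Direction,Counter,DataLength,Data'
SAMPLE_PAYLOAD = bytes.fromhex('01 02 05 03 04 00 41 42 43 44')

if __name__ == '__main__':
    for field_name, value in dissect(SAMPLE_PAYLOAD, SAMPLE_SPEC, SAMPLE_NAMES):
        print(f'{field_name:<12} {value!r}')
```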

fl_dissector_V0_0_1.zip (http)
MD5: F3DDC28F8D470DC4F9037644D3AF919A
SHA256: BF7406BCD36334E326BF4A6650DECD1D955EB4BD9D9563332AA4AE38507B29D4

Sunday 14 April 2024

Overview of Content Published in March

Filed under: Announcement — Didier Stevens @ 10:38
Here is an overview of content I published in March:

Blog posts:

SANS ISC Diary entries:

Sunday 24 March 2024

Update: metatool.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 11:46

metatool.py is a tool to help with the analysis of Metasploit or Cobalt Strike URLs.

I added option -a to provide URLs via the command-line.

metatool_V0_0_4.zip (http)
MD5: 374B30DD3D92557A7F8DAA97B81CEE0E
SHA256: D627AF2462610AE0B8CC5AB2BA0A4325D1386BB06F96DC2827DDD22430499192

Thursday 7 March 2024

Overview of Content Published in February

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in February:

SANS ISC Diary entries:

Saturday 2 December 2023

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 8:00
Here is an overview of content I published in November:

Blog posts:

SANS ISC Diary entries:

Saturday 25 November 2023

Update: 1768.py Version 0.0.20

Filed under: My Software,Update — Didier Stevens @ 10:09

This update to 1768.py, my Cobalt Strike beacon analysis tool, adds “runtime configuration” extraction.

Although 1768.py could already search for beacon configurations inside process memory dumps, the dump was just processed as a raw file.

With this update, 1768.py will also search for the runtime configuration inside a process memory dump. The runtime configuration is a C/C++ array of integers and pointers that the beacon's C/C++ code creates in the heap from the obfuscated configuration (e.g., XOR 0x2E).

Because this requires pointer calculations for the heap, Python module minidump is required. A warning will be displayed if it is not installed and it is needed.

The hexadecimal dump screenshots in this blog post show a runtime configuration.

Example of 1768.py finding a runtime configuration:

This is a 32-bit runtime config.

As the runtime config uses pointers, its structure is different for 32-bit and 64-bit beacons (because pointer size is different).

In this process memory dump, 1768.py only found the runtime config, not the embedded config.

Here is an example where both configs are found:

1768_v0_0_20.zip (http)
MD5: EFEFF856FEAD08DE8F9F27056E729351
SHA256: 2F71EA23F64403C26B64CA32E8FA025CAB1F941790D746E8906AA87401900AAC

Friday 24 November 2023

Overview of Content Published in October

Filed under: Announcement — Didier Stevens @ 16:57
Here is an overview of content I published in October:

Blog posts:

SANS ISC Diary entries:

Saturday 7 October 2023

Update: format-bytes.py Version 0.0.15

Filed under: My Software,Update — Didier Stevens @ 9:05

This new version of format-bytes.py adds IPv6 representations:

Big-endian (b), little-endian (l) and 4 32-bit little-endian unsigned integers (l4).

And if you use a # to pass on literal data (here in hexadecimal: #h#), then the data is also printed.
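Added example (Python, not format-bytes.py's own code) showing what the three representations named above do with the same 16 bytes; how 'l' and 'l4' order the bytes is my assumption of the tool's behaviour, and the sample address is constructed.

```python
"""Added example: the b / l / l4 IPv6 representations of 16 raw bytes.
Byte-order interpretation of 'l' and 'l4' is an assumption, not taken from format-bytes.py."""
import ipaddress
import struct


def ipv6_representations(data: bytes) -> dict:
    """Return the textual IPv6 address under the three interpretations of the post."""
    if len(data) != 16:
        raise ValueError('an IPv6 address needs exactly 16 bytes')
    # b: network byte order, the bytes are the address exactly as transmitted
    big = ipaddress.IPv6Address(data)
    # l: the whole 128-bit value stored little-endian -> reverse all 16 bytes (assumption)
    little = ipaddress.IPv6Address(data[::-1])
    # l4: four 32-bit little-endian unsigned integers -> swap within each 4-byte word (assumption)
    words = struct.unpack('<4I', data)
    l4 = ipaddress.IPv6Address(struct.pack('>4I', *words))
    return {'b': str(big), 'l': str(little), 'l4': str(l4)}


# Constructed sample: the documentation prefix 2001:db8::1 in network byte order
SAMPLE_IPV6 = bytes.fromhex('20010db8000000000000000000000001')

if __name__ == '__main__':
    for key, text in ipv6_representations(SAMPLE_IPV6).items():
        print(f'{key:<3} {text}')
```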

format-bytes_V0_0_15.zip (http)
MD5: 42DBC44DA7F7ACB09AD353976CD7FA2F
SHA256: 2AF5BFB8A263BCA935CB3B73669B458D229B3E6FBCE3CA2F6E32CFDCE5B73723

Update: 1768.py Version 0.0.19

Filed under: My Software,Update — Didier Stevens @ 0:00

Some extra information when signature is found.

1768_v0_0_19.zip (http)
MD5: FCF07B2AEDDBB4911520152531C5F107
SHA256: 5EE73B9311578D202246011FAF3216674387894833E759148F6C5356B646686F

Friday 6 October 2023

Update: simple_listener.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This update adds ZIP support for binary files, and a --prompt option.

When this option is used, the user is prompted after each request, and processing of new requests is suspended until the user reacts to the prompt.

simple_listener_v0_1_4.zip (http)
MD5: 85A9E47B6243CD860D20E483F162DEA0
SHA256: 72FB2E7783315BFD21D74829BAECC1364A404A2B3853DBFD9B29DB2A9322F20B