New functions and classes have been added to process-binary-file.py.
python-templates_V0_0_9.zip (http)
MD5: 7C5E8602F225735015E9A431C5818762
SHA256: CAEEEBB1E402E5127A431446A01BBE607B22AA0EB1F6FA12B8E7703275BE6F15
This is a new tool (based on my Python template for binary files) to analyze OneNote files.
This version is limited to handling embedded files (for the moment).

As I might still make significant changes to the user interface, I’ve put this tool in my GitHub beta repository.
In this blog post, I show how you can combine my tools zipdump.py, file-magic.py and myjson-filter.py to select and analyze files of a particular type.
I start with a daily batch of malware files published by Malware Bazaar.

I let zipdump.py produce JSON output using option --jsonoutput, which can be consumed by some of my tools, like file-magic.py, my tool to identify files based on their content using the libmagic library.

In the output above, we can see that most files are PE files (Windows executables).
For this example, I’m interested in Office files (ole files). I can filter the output of file-magic.py for that with option -r. Libmagic identifies this type of file as “Composite Document File …”, thus I filter for Composite:

This gives me a list of malicious Office documents. I want to extract URLs from them, but I don’t want to extract all of these files from the ZIP container to disk, and do the URL extraction file per file.
I want to do this with a one-liner. 🙂
What I’m going to do is use file-magic’s option --jsonoutput, so that it augments the JSON output of zipdump with the file type, and then use my tool myjson-filter.py to filter that JSON output for files whose type contains the word Composite. With this command:

This produces JSON output that contains the content of each file of type Composite, found inside the ZIP container.

This output can be consumed by my tool strings.py, to extract all the strings.
Side note: if you want to know first which files were selected for processing, use option -l:

Let’s pipe the filtered JSON output into strings.py, with options to produce a list of unique strings (-u) that contain the word http (-s http), like this:

I use my tool re-search.py to extract a list of unique URLs:

I filter out common URLs found in Office documents:

And finally, I sort the URLs by domain name using my tool sortcanon.py:

The adobe URLs are not malicious, but the other ones could be.
This one-liner allows me to quickly process daily malware batches, looking for easy IOCs (cleartext URLs in Office documents) without writing any malicious file to disk.
zipdump.py --jsonoutput 2020-10-24.zip | file-magic.py --jsoninput --jsonoutput | myjson-filter.py -t Composite | strings.py --jsoninput -u -s http | re-search.py -u -n url -F officeurls | sortcanon.py -c domain
Remark that by using an option to search for strings with the word http (-s http), I reduce the output of strings to be processed by re-search.py, so that the search is faster. But that limits you (mostly) to URLs with protocol http or https.
Leave out this option if you want to search for all possible protocols, or try -s "://".
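The same select-then-extract idea in a single Python function, as an added example (not one of the tools above and not their code): it keeps only ZIP members that start with the OLE header libmagic reports as Composite Document File, carves ASCII and UTF-16LE URLs, drops common Office URLs and sorts by reversed domain labels, all without writing a member to disk. The COMMON_HOSTS list, the helper names and the sample container are assumptions constructed for this illustration.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # "Composite Document File" header
ASCII_URL = re.compile(rb"https?://[\x21-\x7e]+")
WIDE_URL = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")
# Assumed stand-in for the officeurls filter: hosts common in benign Office files.
COMMON_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "purl.org", "www.w3.org"}

def host(url):
    try:
        return urlsplit(url).hostname or ""
    except ValueError:  # carved strings are not always valid URLs
        return ""

def ole_urls(zip_bytes):
    """Unique URLs from the OLE members of a ZIP, sorted by domain, all in memory."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as container:
        for info in container.infolist():
            data = container.read(info)
            if not data.startswith(OLE_MAGIC):
                continue  # keep only Composite Document Files
            urls.update(m.decode("ascii") for m in ASCII_URL.findall(data))
            urls.update(m.decode("utf-16-le") for m in WIDE_URL.findall(data))
    kept = [u for u in urls if host(u) not in COMMON_HOSTS]
    # Reversed labels (com.example.cdn) group hosts of one domain together.
    return sorted(kept, key=lambda u: (host(u).split(".")[::-1], u))

def build_sample():
    """Constructed container: one fake OLE member and one fake PE member."""
    doc = (OLE_MAGIC + b"\x01" * 8
           + b"http://schemas.microsoft.com/office\x01"
           + b"http://files.example.org/a.bin\x01"
           + "https://cdn.example.com/b".encode("utf-16-le") + b"\x01\x01")
    exe = b"MZ\x90\x00 http://ignored.example.net/ "
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("sample1.doc", doc)
        z.writestr("sample2.exe", exe)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(ole_urls(build_sample())))
```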

A small update to option -W of zipdump.py.
Next to value vir, you can now also specify values hash and hashvir.
hash: write each file with name equal to the SHA256 of the content of the file.
hashvir: write each file with name equal to the SHA256 of the content of the file plus extension .vir.
zipdump_v0_0_24.zip (http)

There are powerstrips with a switch that lights up when the switch is turned on. Like this one:

These switches (certainly older models) often use a neon lamp as light source.
I measured the electric energy consumption of a powerstrip with switch on and neon lamp burning (without anything plugged into the powerstrip’s outlets).


It consumed 7,8582 Wh over 24 hours, thus it drew on average 0,327 W.
That’s about 6 times more than the standby power of my Apple USB charger A2347 (0,0530 W).

FYI: although the switch is turned on in the above picture, you don’t see the neon lamp burning.
That’s because the AC power here in Belgium is 230V and 50Hz.
50Hz means that the current is 0 A 100 times per second, and thus the neon lamp does not light up around these 0 A current values.
So the picture above was taken at a moment that the lamp wasn’t lighting up because the current was (almost) 0 A.
I will go into more details in an upcoming blog post.
I did not conduct tests with powerstrips that use LEDs instead of neon lamps yet, because all the powerstrips with LEDs I have, also have a built-in USB charger, and that draws power too.
I use my tools dns-pydivert and dnsresolver.py for dynamic analysis of software (malware and benign software).
On the virtual machine where I’m doing dynamic analysis, I disable IPv6 support.
I install dnslib and run dnsresolver.py with a command like this, for example:
dnsresolver.py "type=resolve,label=example.com,answer=. 1 IN A 127.0.0.1" "type=forwarder,server=8.8.8.8"

The first command is a resolve command: DNS A queries for example.com will be resolved to IPv4 address 127.0.0.1 with TTL 1 minute.
The second command is a forwarder command: all DNS requests not handled by other commands, are forwarded to 8.8.8.8. Make sure that the IPv4 address of the DNS server you forward requests to, is different from the VM’s default DNS server, otherwise this forwarding will be redirected by dns-pydivert too.
I don’t use this second resolver command if the VM is isolated from the Internet, I only use it when I want to allow some interaction with the Internet.
Then I install pydivert and run dns-pydivert.py as administrator.


You can’t run dns-pydivert.py properly without administrative permissions:

When dns-pydivert.py and dnsresolver.py are running, DNS traffic is altered according to our settings.

For example (picture above), when I issue a “ping google.com” command inside the VM, dns-pydivert sees this first DNS packet and configures itself with the addresses in this packet: 192.168.32.129 is the IPv4 address of the Windows VM and 192.168.32.2 is the IPv4 address of this Windows VM’s DNS server.
It alters this first request to be redirected to the VM itself (192.168.32.2 -> 192.168.32.129).
Then dnsresolver receives this packet, and forwards it to DNS server 8.8.8.8. It receives a reply from DNS server 8.8.8.8, and forwards it to the Windows VM (192.168.32.129).
Then dns-pydivert sees this reply, and changes its source from 192.168.32.129 to 192.168.32.2, so that it appears to come from the Windows VM’s default DNS server.

When I do the same (picture above) for example.com (ping example.com), the query is redirected to dnsresolver, which resolves this to 127.0.0.1 with a TTL of 1 minute (per the resolve command’s configuration).
Thus the ping command pings the localhost, instead of example.com’s web server.

And when I kill dns-pydivert (picture above) and issue a “ping example.com” again after waiting for 1 minute, the query is no longer redirected and example.com’s web server is pinged this time.
I used ping here to illustrate the process, but often it’s HTTP(S) traffic that I want to redirect, and then I also use my simple-listener.py tool to emulate simple web servers.
Remark that this will only redirect DNS traffic (per the configuration). This does not redirect traffic “directed” at IPv4 addresses (as opposed to hostnames).
This can be done too with pydivert, and I will probably release a tool for that too.
dns-pydivert is a tool that uses WinDivert, a “user-mode packet capture-and-divert package for Windows” to divert IPv4 DNS packets to and from the machine it is running on.
This tool requires admin rights.
When started, it listens for IPv4 UDP packets with source and/or destination port equal to 53.
When this tool processes its first UDP packet with destination port 53, it considers the source address of this packet as the DNS client’s IPv4 address (e.g., the Windows machine this tool is running on) and the destination address to be the IPv4 address of the DNS server used by the client.
From then on, all IPv4 UDP packets with source or destination port 53 (including that first packet) are altered by the tool.
All IPv4 UDP packets with destination port 53, have their destination address changed to the IPv4 address of the client.
All IPv4 UDP packets with source port 53, have their source address changed to the IPv4 address of the DNS server.
This tool can be used to redirect all DNS IPv4 traffic to the machine itself, where a tool like dnsresolver.py can handle the DNS requests.
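The address rewriting described above, modelled in plain Python without WinDivert, as an added example (not the code of dns-pydivert). The UdpPacket class, the client port numbers and the rule that only queries addressed to the learned DNS server are looped back are assumptions; that rule is inferred from the remark that the forwarder address must differ from the VM's default DNS server.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class UdpPacket:  # hypothetical minimal packet model, not pydivert's class
    src: str
    dst: str
    sport: int
    dport: int

class DnsDiverter:
    """Learn client and server from the first query, then rewrite addresses."""
    def __init__(self):
        self.client = None  # IPv4 address of the machine the tool runs on
        self.server = None  # IPv4 address of its default DNS server

    def process(self, pkt):
        if 53 not in (pkt.sport, pkt.dport):
            return pkt  # only port 53 traffic is considered
        if self.client is None:
            if pkt.dport != 53:
                return pkt  # nothing learned yet
            self.client, self.server = pkt.src, pkt.dst
        # Assumption: only queries addressed to the learned DNS server are
        # looped back to the local resolver; other servers stay reachable.
        if pkt.dport == 53 and pkt.dst == self.server:
            return replace(pkt, dst=self.client)
        # Replies from the local resolver appear to come from the DNS server.
        if pkt.sport == 53 and pkt.src == self.client:
            return replace(pkt, src=self.server)
        return pkt

def trace():
    """Replay the 'ping google.com' exchange with constructed packets."""
    d = DnsDiverter()
    vm, dns, fwd = "192.168.32.129", "192.168.32.2", "8.8.8.8"
    flow = [
        UdpPacket(vm, dns, 50000, 53),   # query from the VM
        UdpPacket(vm, fwd, 50001, 53),   # dnsresolver forwards it
        UdpPacket(fwd, vm, 53, 50001),   # answer from the forwarder
        UdpPacket(vm, vm, 53, 50000),    # dnsresolver answers the VM
    ]
    return [d.process(p) for p in flow]

if __name__ == "__main__":
    for packet in trace():
        print(packet)
```

If the forwarder address equals the learned DNS server, the second packet in the trace is sent back to the local resolver instead of leaving the VM, which is the misconfiguration the forwarder remark describes.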

Caveats:
This update to dnsresolver.py, my custom DNS server, adds a command to forward DNS requests.
With this forward command, all requests that are not handled by other commands, are forwarded to the provided DNS server.
dnsresolver_V0_0_2.zip (http)