Didier Stevens

Wednesday 27 June 2018

Quickpost: Decoding Certutil Encoded Files

Filed under: My Software,Quickpost — Didier Stevens @ 0:00

As I showed a colleague, it’s easy to analyze a file encoded with certutil using my base64dump.py tool:

Just use option -w to ignore all whitespace, and base64dump.py will detect and decode the base64 string. Ignoring whitespace matters here because certutil -encode writes the base64 body as 64-character lines terminated by CRLF (between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers), so the body must be treated as one string before it can be decoded.

As can be seen in the screenshot, the decoded data starts with MZ, the DOS header signature: probably a PE file.

We can confirm this with my YARA rule to detect PE files:

Or use pecheck.py:
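The steps above (drop the certutil markers, ignore whitespace, decode base64, check for MZ and the PE signature) as an added stand-alone example in plain Python. This is not code from base64dump.py or pecheck.py; the only external facts it relies on are certutil -encode's CERTIFICATE markers and the PE layout (e_lfanew at offset 0x3C). The sample "executable" is a constructed header stub, not a real binary:

```python
import base64
import binascii
import struct

# Markers that "certutil -encode" writes around the base64 body (64 characters per line, CRLF).
BEGIN_MARKER = "-----BEGIN CERTIFICATE-----"
END_MARKER = "-----END CERTIFICATE-----"


def certutil_encode(data: bytes) -> str:
    """Produce text laid out like the output of 'certutil -encode in.bin out.txt'."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\r\n".join([BEGIN_MARKER, *lines, END_MARKER]) + "\r\n"


def certutil_decode(text: str) -> bytes:
    """Recover the original bytes: drop the marker lines, ignore all whitespace
    (the same idea as base64dump.py -w), then decode strictly."""
    lines = [line for line in text.splitlines()
             if not line.strip().startswith("-----")]
    compact = "".join("".join(line.split()) for line in lines)
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not a clean base64 body: {exc}") from exc


def identify(data: bytes) -> str:
    """Classify decoded data by its header: 'PE' when the MZ header's e_lfanew
    (offset 0x3C) points at a 'PE\\0\\0' signature, 'MZ' for a bare DOS header,
    'other' for anything else."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "other"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        return "PE"
    return "MZ"


def build_sample_pe() -> bytes:
    """Constructed sample, not a real executable: a DOS header whose e_lfanew
    points at a PE signature followed by zero padding."""
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


def roundtrip_sample() -> str:
    """Encode the sample the way certutil would, decode it again and classify the result."""
    encoded = certutil_encode(build_sample_pe())
    return identify(certutil_decode(encoded))


if __name__ == "__main__":
    print(certutil_encode(build_sample_pe()))
    print(roundtrip_sample())  # PE
```

Strict decoding (validate=True) is deliberate: if anything other than base64 survives the whitespace stripping, the decode fails loudly instead of silently producing a truncated blob, which is the behaviour you want when triaging an unknown encoded file.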


Tuesday 26 June 2018

Update: zipdump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds option -t (translate), like some of my other tools. This option can be used to specify a codec when dumping the content of a file.

Here I used it to dump a Unicode file for a page of an XPS document:

zipdump_v0_0_12.zip (https)
MD5: 7110FB8B873BFDCF10E4A1C2AB89ACC2
SHA256: EA2D852C132DEF7947EBA0FFDB3E4CC8C69032413D36E67BBB3F943FA7B44B18

Friday 22 June 2018

Update: jpegdump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to indicate a file was decompressed:

jpegdump_V0_0_6.zip (https)
MD5: 14FFB9016A9181DB3A59370B2E0DAFF2
SHA256: 13B610A9BDE68CDB64E482AADBC522DDAABD6F6D746AA032C6FEDDAF6BF4169B

Thursday 21 June 2018

Validating Your Downloads

Filed under: Announcement,My Software — Didier Stevens @ 0:00

Occasionally, a comment is posted on my blog to report that the posted hash of a file doesn’t match the hash of the downloaded file. Often, it’s because the reader calculated the hash of my program, and not the hash of the downloaded ZIP file containing the program.

Let’s clarify this. Here is an example of download details I use in my blog posts:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

First you have the HTTP download link to the file, and then you have the HTTPS download link of the same file.

Next, you have the MD5 hash and SHA256 hash of the hosted file, i.e. the ZIP file.

The links and hashes are served by one host (blog.didierstevens.com), and the file is served by another host (didierstevens.com), so someone who could replace the file on one host would also have to alter the published hashes on the other.

To validate that the file you downloaded has not been tampered with, or corrupted during the download, calculate the hash of the downloaded file (if it’s a ZIP file, calculate the hash of the ZIP file itself, not of the archived files) and compare it with the hash I published. Prefer the SHA256 hash for that comparison: MD5 is no longer collision resistant, so a matching MD5 on its own is weaker evidence.

If you don’t have a tool to do this, you can use my hash.py tool like this:
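The screenshot of that hash.py run is not reproduced here. As an added example, independent of hash.py and not the tool's own code, the same check in plain Python: compute MD5 and SHA256 of the downloaded file, compare them case-insensitively against the published values, and show that hashing the archived program instead of the ZIP (the mistake described above) fails the comparison. The archive is a constructed stand-in built in memory, not the real hash_V0_0_5.zip:

```python
import hashlib
import hmac
import io
import zipfile

CHUNK_SIZE = 1 << 20  # read files in 1 MiB pieces so large downloads are not loaded at once


def digests_of_bytes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests of an in-memory blob."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def digests_of_file(path: str) -> dict:
    """Same digests for a file on disk, computed in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def validate(actual: dict, published: dict) -> bool:
    """True when every published digest matches the computed one.
    Comparison is case-insensitive (the blog lists digests in upper case) and
    constant-time. SHA256 must be among the published values: MD5 is no longer
    collision resistant and should not be the only check."""
    if "sha256" not in published:
        raise ValueError("published hashes must include SHA256")
    return all(hmac.compare_digest(actual[algo].lower(), value.lower())
               for algo, value in published.items())


def build_sample_archive() -> tuple:
    """Constructed stand-in for a download such as hash_V0_0_5.zip: a ZIP holding one
    script. Returns (zip_bytes, member_bytes); neither is the real file from the post."""
    member = b"#!/usr/bin/env python\nprint('stand-in for hash.py')\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("hash.py", date_time=(2018, 6, 20, 0, 0, 0))
        zf.writestr(info, member, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue(), member


def demo() -> tuple:
    """Validate the archive against its 'published' digests, then hash the archived
    program instead of the ZIP and watch that comparison fail."""
    zip_bytes, member = build_sample_archive()
    # The published values are derived from the constructed archive, upper-cased like the blog.
    published = {algo: digest.upper() for algo, digest in digests_of_bytes(zip_bytes).items()}
    archive_ok = validate(digests_of_bytes(zip_bytes), published)
    member_ok = validate(digests_of_bytes(member), published)
    return archive_ok, member_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

For a real download, call digests_of_file on the ZIP you saved and pass the MD5 and SHA256 strings copied from the blog post as the published dictionary; the case normalisation means the upper-case hex from the post compares correctly against hashlib's lower-case output.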

Wednesday 20 June 2018

Update: hash.py version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds option -v to validate hashes, and an indicator when archive files are decompressed.

Compression:

Validation:

hash_V0_0_5.zip (https)
MD5: 2A4D61F692D935E27E4BECA642F19D97
SHA256: 5DA5B59EBC6EB0FADEA868E631057BF14C29486405F75D8183C48FE4631B81A2

Tuesday 19 June 2018

Update: cut-bytes.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This too is a minor update for #e# expressions.

More details in this video:

cut-bytes_V0_0_7.zip (https)
MD5: 95CF8E5D2BC2790B25101FC2BFF769FB
SHA256: F1112C96872D15C2CD3F6AF9828C7E39F5EB115D20FB62AAD1C1357D75E3485B

Monday 18 June 2018

Update: translate.py Version 2.5.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a minor update for #e# expressions.

More details in this video:

translate_v2_5_4.zip (https)
MD5: C07B37F7AFA0386315843E6A493721C1
SHA256: A2203C643FC8BC64A98DCA3EE1F9444BE16F5D5C2036AC0200A6BA657786C5EC

Friday 15 June 2018

Update: jpegdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update to jpegdump.py, my tool to analyze the structure of JPEG files.

The man page (option -m) has been updated.

jpegdump_V0_0_5.zip (https)
MD5: D7157E7FDEEA4257220F60E0081EE138
SHA256: D6940A82CDECEB9D1FB27561E7B748837D666568FC857AEB6680E135D08E897C

Thursday 14 June 2018

“Here Files” and my Tools

Filed under: My Software,Update — Didier Stevens @ 0:00

Several of my tools that accept more than one filename as argument also accept a “here file” (cf. here documents). A here file is a text file with a list of filenames, one per line. My tools recognize a here file by the character @ prefixed to its filename.

Let’s take for example a text file with filename list.txt and the following content:

sample-1.bin
sample-5.bin
sample-7.bin

When using this file (list.txt) in the following command:

hash.py @list.txt

hash.py will calculate the hashes of the following files: sample-1.bin, sample-5.bin and sample-7.bin.

A here file can also be provided via stdin. Just pass the character @ (without filename) as argument to hash.py and provide the list of files via stdin, as in this example:
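An equivalent of this argument expansion, written as an added example; it is not the code from the tool templates mentioned below, which the page does not show. It expands "@list.txt" into the names listed in that file and a bare "@" into names read from stdin, tolerating CRLF line endings and blank lines; the list.txt content is the constructed one from the post:

```python
import io
import os
import sys
import tempfile


def parse_here_lines(lines) -> list:
    """One filename per line; tolerate CRLF endings and skip blank lines."""
    names = []
    for line in lines:
        name = line.rstrip("\r\n")
        if name.strip():
            names.append(name)
    return names


def expand_filename_arguments(args, stdin=None) -> list:
    """Expand '@list.txt' into the names listed in list.txt and a bare '@' into the
    names read from stdin; any other argument is taken literally.
    Entries inside a here file are always literal: this example does not recurse."""
    stdin = sys.stdin if stdin is None else stdin
    expanded = []
    for arg in args:
        if arg == "@":
            expanded.extend(parse_here_lines(stdin.readlines()))
        elif arg.startswith("@"):
            with open(arg[1:], "r", encoding="utf-8") as here_file:
                expanded.extend(parse_here_lines(here_file.readlines()))
        else:
            expanded.append(arg)
    return expanded


def demo() -> tuple:
    """Constructed run: write the post's list.txt into a temporary directory, then expand
    the equivalent of 'hash.py @list.txt extra.bin' and of 'hash.py @' with the list on stdin."""
    content = "sample-1.bin\nsample-5.bin\nsample-7.bin\n"
    with tempfile.TemporaryDirectory() as tmp:
        here_path = os.path.join(tmp, "list.txt")
        with open(here_path, "w", encoding="utf-8") as f:
            f.write(content)
        from_file = expand_filename_arguments(["@" + here_path, "extra.bin"])
    from_stdin = expand_filename_arguments(["@"], stdin=io.StringIO(content))
    return from_file, from_stdin


if __name__ == "__main__":
    for names in demo():
        print(names)
```

Two caveats a practitioner would want: here files are a convenient place to smuggle in unintended paths, so a tool that accepts them should validate the expanded names like any other argument; and in this example any argument starting with @ is treated as a here file, so a file literally named with a leading @ cannot be passed directly. Whether Didier's tools behave the same way in these corner cases is not stated on the page.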

I will explain this and many more features of my tools in a workshop at BruCON. During this workshop, I will provide the templates I use to create my tools.
This is BruCON’s 10th edition, and I’m happy I’ll do my 10th workshop for this anniversary edition.

hash_V0_0_4.zip (https)
MD5: 6DAC25432338BEA40B9141A791B8A958
SHA256: D66BF64B91B1BCBA5EA99EA03439A12835C5427BB1C447E6B515F94D9F468137

Tuesday 12 June 2018

Update: pecheck.py Version 0.7.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version handles errors in PEiD’s userdb files better.

pefile does not support the full signature syntax used in PEiD userdb files, hence parsing errors can occur, like this:

pecheck-v0_7_3.zip (https)
MD5: 480C9AC4BEE09CAAFB1593E214A39832
SHA256: 359A44751BAA34450B2DA92539AB425507EBB90F8F57CF50E561CCE111809637
