Didier Stevens

Sunday 8 March 2020

Update: oledump.py Version 0.0.47

Filed under: My Software,Update — Didier Stevens @ 22:22

This new version of oledump.py brings Root Entry listing with option --storages and the %CLDISDESC% extra parameter.

plugin_biff.py is updated to be faster and has new options -X and -d (pure hexadecimal dump and binary dump).

plugin_clsid.py is a new plugin.

More details in coming blog posts and ISC diary entries.


oledump_V0_0_47.zip (https)
MD5: E851ED7240C08E9E9E3EBA4A412A46A4
SHA256: F35997537D5C4596E413D08C35A83EBD55CAF587D2D9898DAA9285BC83CAF287

Saturday 7 March 2020

Contextual Grepping: Proxmark3 Key Scan Example

Filed under: My Software — Didier Stevens @ 0:00

Recently I had to extract hexadecimal numbers from the output of a Proxmark3 hf 14a command to use with mfkey. The Proxmark3 forum has a discussion on how to do this.

Here is an example of what I need:

I started doing this manually, and later I wrote a script based on my Python text template.

This is a very specialized script, and I prefer to have more generic scripts. My “algorithm” is the following: search for lines with string AUTH-A, and then look at 2 lines before that line, and the 3 lines following that line. This can almost be done with a grep command using option context, but then the line itself and the line before that would also be selected, and I don’t need them.

My Python text template (process-text-file.py) is not only a template to start developing new scripts that read text files, but it is also a stand-alone program that can do grepping, for example. After some time, I realized how I could make a more generic script: add a context option to my Python text template to specify the lines to select as offsets from the grepped line.

Option --grep AUTH-A selects each line from text file forum-example.txt that contains the string AUTH-A. If I only use this option, then only lines with string AUTH-A would be the output of my command.

But because I use option --context, I can specify which lines to select relative to the “grepped” line (i.e. the line containing string AUTH-A).

Option “--context -2,1-3” means that I want to output the line 2 lines before the grepped line (-2) and the 3 lines following the grepped line (1-3). The grepped line itself is not part of the output. If I want that too, I would reference it with offset 0, like this: “--context -2,0,1-3”.
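To make the offset logic concrete, here is an added example (my own illustration, not process-text-file.py or any other code from this blog) that parses a context specification such as "-2,1-3" and applies it to a constructed sample text. The sample is only loosely shaped like a Proxmark3 trace listing; its values and column layout are made up for the demo, and the assumption that the hex data sits after the last "|" is mine.

```python
import re
from typing import List

# Constructed sample, loosely shaped like a Proxmark3 trace listing.
# It is NOT real Proxmark3 output; only the structure matters for the demo.
SAMPLE_TEXT = """\
Start |  End | Src | Data
------|------|-----|-------------------------------
  100 |  200 | Rdr | 26
  300 |  400 | Tag | 04 00
  500 |  600 | Rdr | 60 00 f5 7b  AUTH-A(0)
  700 |  800 | Tag | 11 22 33 44
  900 | 1000 | Rdr | 55 66 77 88 99 aa bb cc
 1100 | 1200 | Tag | dd ee ff 00
"""

# Two hex digits not glued to other hex digits ("f5" matches, "0f5" does not).
HEX_BYTE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")


def parse_context(spec: str) -> List[int]:
    """Parse an offset spec such as "-2,0,1-3" into a sorted list of ints.

    Items are comma-separated; each is a single signed integer ("-2", "0")
    or an inclusive range written as two signed integers joined by "-"
    ("1-3", or "-3--1" for the three lines before the match).
    """
    offsets = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        match = re.fullmatch(r"([+-]?\d+)-([+-]?\d+)", item)
        if match:
            low, high = sorted((int(match.group(1)), int(match.group(2))))
            offsets.update(range(low, high + 1))
        else:
            offsets.add(int(item))  # raises ValueError on junk such as "x"
    return sorted(offsets)


def grep_context(lines: List[str], needle: str, spec: str) -> List[str]:
    """Return the lines at the given offsets around each line containing needle.

    The grepped line itself is only emitted when offset 0 is in the spec.
    Offsets that point before the first or past the last line are skipped.
    """
    offsets = parse_context(spec)
    selected = []
    for index, line in enumerate(lines):
        if needle not in line:
            continue
        for offset in offsets:
            target = index + offset
            if 0 <= target < len(lines):
                selected.append(lines[target])
    return selected


def hex_bytes(line: str) -> List[str]:
    """Extract two-digit hex tokens from the data column of one line.

    Assumption for this demo: the data column is the text after the last '|'.
    """
    data = line.rsplit("|", 1)[-1]
    return HEX_BYTE.findall(data)


def mfkey_words(text: str, needle: str = "AUTH-A", spec: str = "-2,1-3") -> List[List[str]]:
    """Apply the blog post's selection (-2,1-3 around AUTH-A) and keep only hex bytes."""
    lines = text.splitlines()
    return [hex_bytes(line) for line in grep_context(lines, needle, spec)]


if __name__ == "__main__":
    for words in mfkey_words(SAMPLE_TEXT):
        print(" ".join(words))
```

Running it prints the four lines of hex bytes around the AUTH-A line, with the AUTH-A line itself left out, exactly as "--context -2,1-3" describes; adding 0 to the spec brings the grepped line back.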



Tuesday 3 March 2020

Overview of Content Published in February

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in February:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog posts:

Sunday 23 February 2020

Update: Python Templates Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Here is an update to my Python templates (binary and text files).

I’ll explain the updates to each template in upcoming blog posts.

python-templates_V0_0_2.zip (https)
MD5: 082812485D24AD0E3D12F1618BC44367
SHA256: 98DE8BEC508C7E678D294DD630466DA175524D4180C1E8C3A6C06EE11587981E

Saturday 22 February 2020

Update: translate.py Version 0.2.7

Filed under: My Software,Update — Didier Stevens @ 20:29

This update for translate.py, a tool to “Translate bytes according to a Python expression”, adds a new function for XOR multi-byte-key encoding/decoding.
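As an added illustration of what multi-byte-key XOR means (my own code, not the new translate.py function, whose name and signature are not given in this post), the block below encodes and decodes with a repeating key and shows the property analysts rely on when decoding obfuscated samples: with a known plaintext prefix at least as long as the key, the key falls out of ciphertext XOR plaintext. The payload and key are constructed values.

```python
from itertools import cycle

# Constructed sample: a fake blob with a PE-style "MZ" prefix, and a 3-byte key.
SAMPLE_PAYLOAD = b"MZ\x90\x00constructed demo payload, not a real file"
SAMPLE_KEY = b"\x4b\x65\x79"


def xor_multibyte(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating multi-byte key.

    Encoding and decoding are the same operation, since x ^ k ^ k == x.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_length: int) -> bytes:
    """Recover a repeating key from a known plaintext prefix.

    Because c[i] = p[i] ^ k[i mod n], the first n ciphertext bytes XORed with
    the first n plaintext bytes give the key directly, as long as the known
    prefix covers at least one full key period.
    """
    if len(known_plaintext) < key_length or len(ciphertext) < key_length:
        raise ValueError("need at least key_length bytes of ciphertext and known plaintext")
    return xor_multibyte(ciphertext[:key_length], known_plaintext[:key_length])


if __name__ == "__main__":
    encoded = xor_multibyte(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("encoded :", encoded.hex())
    print("decoded :", xor_multibyte(encoded, SAMPLE_KEY))
    print("key     :", recover_key(encoded, b"MZ\x90\x00", len(SAMPLE_KEY)).hex())
```

Key recovery needs the key length; in practice that is guessed from repeating patterns or simply tried for a range of small lengths, checking which candidate yields a plausible decoded header.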

translate_v2_5_7.zip (https)
MD5: 886C1B4C518EA58F972F87980994B976
SHA256: 01E4239E050DE4853AC53020CCE44C9804003A4A2C195974B5B16AEDD1B8E1B1

Monday 17 February 2020

Update: format-bytes.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py brings a new option when extracting bitstreams: producing a stream of 0s & 1s, like this:

Join specifier j:b (option “-f bitstream=…”) produces a bitstream of 0s & 1s, that I can then process further:

The png file I analyze in this example was created with PHP Stegger on the Geocaching Toolbox site.

format-bytes_V0_0_13.zip (https)
MD5: E7A7A344B3B8753553FC5B2E4084D8DA
SHA256: 1F22A1D784DCF1269FFD12E2C9467EE0FB93B0895CC24D04CBBD9696D50945DB

Sunday 16 February 2020

Update: hex-to-bin.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This version of hex-to-bin.py, a simple tool to convert hexadecimal data to binary, can also handle bitstreams (option -b). If necessary, the bitstream is right-padded with 0s to make the bitstream length a multiple of 8.
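The two bitstream features above (format-bytes.py producing a stream of 0s and 1s, and hex-to-bin.py turning such a stream back into bytes with right-padding) are two halves of one round trip. As an added example, not code from either tool, the block below implements both directions, including the padding rule for a bit count that is not a multiple of 8, and wraps them in a generic least-significant-bit embed/extract pair so the round trip has something to operate on. The LSB scheme is an assumption for the demo only, not a description of how PHP Stegger hides data, and the cover bytes and message are constructed.

```python
def bytes_to_bitstream(data: bytes) -> str:
    """Render bytes as a string of 0s and 1s, most significant bit first."""
    return "".join(format(b, "08b") for b in data)


def bitstream_to_bytes(bits: str) -> bytes:
    """Convert a string of 0s and 1s back to bytes.

    Whitespace is ignored; any other character is an error. If the number of
    bits is not a multiple of 8, the stream is right-padded with 0s, so a
    single "1" becomes 0x80.
    """
    cleaned = "".join(bits.split())
    if cleaned.strip("01"):  # anything left after stripping 0/1 is not a bit
        raise ValueError("bitstream may only contain 0, 1 and whitespace")
    remainder = len(cleaned) % 8
    if remainder:
        cleaned += "0" * (8 - remainder)
    return bytes(int(cleaned[i:i + 8], 2) for i in range(0, len(cleaned), 8))


def lsb_bitstream(cover: bytes) -> str:
    """Take the least significant bit of every byte.

    Generic LSB illustration (assumption for this demo), not a claim about
    the scheme PHP Stegger uses.
    """
    return "".join(str(b & 1) for b in cover)


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits into the LSBs of cover bytes (8 cover bytes per message byte)."""
    bits = bytes_to_bitstream(message)
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)


if __name__ == "__main__":
    cover = bytes(range(40))          # constructed cover data
    message = b"hi!"                  # constructed hidden message (24 bits)
    stego = embed_lsb(cover, message)
    stream = lsb_bitstream(stego)     # what a j:b style join would give you
    print(stream)
    print(bitstream_to_bytes(stream)) # first 3 bytes are the message
```

The extracted stream is 40 bits long, so the last 16 bits are just the cover's own LSBs; the padding rule only kicks in when the stream length is not a multiple of 8, which the test below exercises with short inputs.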


hex-to-bin_V0_0_4.zip (https)
MD5: CBD3D27A2BC703F51FB23F757084BBE1
SHA256: CD70D7644BB353C64DD37AA0717B14967176A1A5E35E5DC6AE163D929BE13AAD

Tuesday 11 February 2020

Update: xmldump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of xmldump.py, a tool to parse and display xml content, has a new command: pretty.

As its name implies, this command performs a pretty print of the xml content.
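For readers who want the same effect in their own scripts, here is an added example (not xmldump.py's implementation, which this post does not show) that pretty prints XML with the standard library's minidom. It also handles the one pitfall of that approach: minidom keeps whitespace-only text nodes, so pretty printing already indented XML would otherwise insert stray blank lines. The sample document is constructed.

```python
import xml.dom.minidom

# Constructed sample with uneven indentation and a blank line in the middle.
SAMPLE_XML = '<root>\n  <item id="1">x</item>\n\n  <empty/>\n</root>'


def _drop_whitespace_text_nodes(node) -> None:
    """Remove text nodes that contain only whitespace, recursively.

    Without this, indentation and blank lines already present in the input
    survive as text nodes and the pretty printer adds its own on top.
    """
    for child in list(node.childNodes):
        if child.nodeType == child.TEXT_NODE and not child.data.strip():
            node.removeChild(child)
        elif child.nodeType == child.ELEMENT_NODE:
            _drop_whitespace_text_nodes(child)


def pretty_xml(xml_text: str, indent: str = "  ") -> str:
    """Return xml_text re-indented; the result is stable under repeated calls."""
    dom = xml.dom.minidom.parseString(xml_text)
    _drop_whitespace_text_nodes(dom.documentElement)
    return dom.toprettyxml(indent=indent)


if __name__ == "__main__":
    print(pretty_xml(SAMPLE_XML))
```

minidom is fine for documents an analyst has already chosen to look at; for XML arriving from an untrusted source, parsing through defusedxml keeps entity expansion attacks out of the picture.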

xmldump_V0_0_4.zip (https)
MD5: A97F4048226BD9A0BE47D1ABDEC5D770
SHA256: 2636D10294C5BCD8B1E97DFE30745FF91496FB9F87ABB8D99371B379AA711B25

Monday 10 February 2020

Update: oledump.py Version 0.0.45

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py has a feature to display Ad Hoc YARA rules using option --verbose.

In this example, I show a string Ad Hoc YARA rule to search for string attri (-y #s#attri). By including option --verbose, the YARA rule generated by oledump for string attri is displayed first:

Plugin plugin_http_heuristics has a new option: -c / --contains.

By default, plugin_http_heuristics looks for (obfuscated) strings that start with keywords (http:// and https:// by default). Option -c changes this behavior: when this option is used, the keywords are searched in the entire string, and not just at the start.

In this example, I use this feature to search for the filename of the dropped executable (strings containing “.exe”):

And I also include plugin_vba: this is an old plugin that I failed to release. It searches for string concatenation in VBA code.


oledump_V0_0_45.zip (https)
SHA256: FB75B1E19E5067751E2DE1AD21826245B7E11EDBE03278566484754F606F3965

Sunday 2 February 2020

Update: pecheck.py Version 0.7.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a Python 3 bug fix version for pecheck.py, a tool to analyze PE files.

pecheck-v0_7_9.zip (https)
MD5: F69709C475D513A8D2031C21EEC13284
SHA256: 99E71A9FC917BB27CDD893F14AE77F2E810A4C7BB56A6E975BB619C978B12D47
