Didier Stevens

Sunday 12 February 2023

Update: pdf-parser.py Version 0.7.8

Filed under: My Software,Update — Didier Stevens @ 12:15

A small feature update for pdf-parser.py. Statistics include unreferenced objects now:

pdf-parser_V0_7_8.zip (http)
MD5: 7BBEA9497666397CBBB88B012A710210
SHA256: FE393865861E00B48124B99CD5AEBBB5A632F1FBD883F4E4044DF8C8FA75BE9D

Saturday 4 February 2023

Overview of Content Published in January

Filed under: Announcement — Didier Stevens @ 18:22
Here is an overview of content I published in January:

Blog posts: SANS ISC Diary entries:

Sunday 22 January 2023

Analyzing Malicious OneNote Documents

Filed under: My Software — Didier Stevens @ 18:09

About a week ago, I was asked if I had tools for OneNote files.

I don’t, and I had no time to take a closer look.

But last Thursday night, I had some time to take a look. I looked at this OneNote maldoc sample.

I opened the file in the binary editor I use often (010 Editor):

I expected to see some magic header, a special sequence of bytes that would tell me which file type is used. I didn’t see that, but I noticed that the first 16 bytes look random. And they were the same for another sample. So this could be a GUID. GUIDs in Microsoft’s representation are a mix of little- and big-endian hexadecimal integers. That’s why 010 Editor has an entry for GUIDs in its inspector tab:

This is the GUID represented as a string: {7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}

Looking this up with Google:

That’s great, Microsoft has a document [MS-ONESTORE] describing this file format.

Unfortunately, I did a quick search but didn’t find a pure Python module to read this file format. Maybe it exists, but I didn’t find it.

Next I tried my pecheck.py tool to locate the executable inside the onenote sample. That worked well:

At position 0x2aa4, here’s an embedded PE file. Taking a look with the binary editor:

I see the MZ header, and 36 bytes in front of that, another random looking sequence of 16 bytes. Maybe another GUID:


A bit of Google search:

Turns out that this is a FileDataStoreObject structure.

So looking for this GUID in any file, one can find (and extract) embedded files. So that’s what I quickly coded using my Python template for binary files (there are some issues with this GUID-search method, I’ll address these in an upcoming blog post or video).
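The GUID search described above, as an added Python example (not onedump.py's code). The FileDataStoreObject header and footer GUIDs and the field layout are taken from [MS-ONESTORE], since the screenshot that showed them is not on this page; the function names and the sample bytes are this example's own. Because a raw byte search can hit chance matches, each hit is checked against the declared length and the footer GUID.

```python
import struct
import uuid

# GUIDs from [MS-ONESTORE]. On disk they use Microsoft's mixed-endian layout,
# which uuid.UUID exposes as bytes_le.
ONE_FILE_TYPE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3")  # first 16 bytes of a .one file
FDSO_HEADER = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC")    # FileDataStoreObject guidHeader
FDSO_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24")    # FileDataStoreObject guidFooter
FDSO_PREFIX = 36  # guidHeader(16) + cbLength(8) + unused(4) + reserved(8)


def is_onenote(data: bytes) -> bool:
    return data[:16] == ONE_FILE_TYPE.bytes_le


def find_embedded_files(data: bytes):
    """Yield (offset, payload, footer_ok) for each plausible FileDataStoreObject."""
    needle = FDSO_HEADER.bytes_le
    pos = data.find(needle)
    while pos != -1:
        start = pos + FDSO_PREFIX
        if start <= len(data):
            (length,) = struct.unpack_from("<Q", data, pos + 16)  # cbLength
            end = start + length
            if end <= len(data):   # a chance match usually declares an absurd length
                pad = -length % 8  # FileData is zero-padded to an 8-byte boundary
                footer = data[end + pad:end + pad + 16]
                yield start, data[start:end], footer == FDSO_FOOTER.bytes_le
        pos = data.find(needle, pos + 1)


def build_sample() -> bytes:
    """Constructed input (not a real .one file): type GUID, filler, one embedded object."""
    payload = b"MZ" + b"\x90" * 9  # 11 bytes, so 5 padding bytes follow
    obj = (FDSO_HEADER.bytes_le + struct.pack("<QIQ", len(payload), 0, 0)
           + payload + b"\x00" * (-len(payload) % 8) + FDSO_FOOTER.bytes_le)
    return ONE_FILE_TYPE.bytes_le + b"\x00" * 100 + obj


if __name__ == "__main__":
    sample = build_sample()
    print("OneNote file type GUID present:", is_onenote(sample))
    for offset, payload, footer_ok in find_embedded_files(sample):
        print(hex(offset), len(payload), payload[:2], "footer ok" if footer_ok else "no footer")
```
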

A new tool: onedump.py

Update: process-binary-file Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 9:27

New functions and classes have been added to process-binary-file.py.

python-templates_V0_0_9.zip (http)
MD5: 7C5E8602F225735015E9A431C5818762
SHA256: CAEEEBB1E402E5127A431446A01BBE607B22AA0EB1F6FA12B8E7703275BE6F15

New Tool: onedump.py

Filed under: maldoc,Malware,My Software — Didier Stevens @ 9:24

This is a new tool (based on my Python template for binary files) to analyze OneNote files.

This version is limited to handling embedded files (for the moment).

As I might still make significant changes to the user interface, I’ve put this tool in my GitHub beta repository.

Monday 2 January 2023

Overview of Content Published in 2022

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in 2022:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts: NVISO Videos:

Sunday 1 January 2023

Overview of Content Published in December

Filed under: Announcement — Didier Stevens @ 9:44
Here is an overview of content I published in December:

Blog posts: SANS ISC Diary entries:

Saturday 31 December 2022

Combining zipdump, file-magic And myjson-filter

Filed under: maldoc,Malware — Didier Stevens @ 9:38

In this blog post, I show how you can combine my tools zipdump.py, file-magic.py and myjson-filter.py to select and analyze files of a particular type.

I start with a daily batch of malware files published by Malware Bazaar.

I let it produce JSON output using option --jsonoutput, that can be consumed by some of my tools, like file-magic.py, my tool to identify files based on the content using the libmagic library.

In the output above, we can see that most files are PE files (Windows executables).

For this example, I’m interested in Office files (ole files). I can filter the output of file-magic.py for that with option -r. Libmagic identifies this type of file as “Composite Document File …”, thus I filter for Composite:

This gives me a list of malicious Office documents. I want to extract URLs from them, but I don’t want to extract all of these files from the ZIP container to disk, and do the URL extraction file per file.

I want to do this with a one-liner. 🙂

What I’m going to do, is use file-magic’s option --jsonoutput, so that it augments the json output of zipdump with the file type, and then I use my tool myjson-filter.py to filter that json output for files that are only of a type that contains the word Composite. With this command:

This produces JSON output that contains the content of each file of type Composite, found inside the ZIP container.

This output can be consumed by my tool strings.py, to extract all the strings.

Side note: if you want to know first which files were selected for processing, use option -l:

Let’s pipe the filtered JSON output into strings.py, with options to produce a list of unique strings (-u) that contain the word http (-s http), like this:

I use my tool re-search.py to extract a list of unique URLs:

I filter out common URLs found in Office documents:

And finally, I sort the URLs by domain name using my tool sortcanon.py:

The adobe URLs are not malicious, but the other ones could be.

This one-liner allows me to quickly process daily malware batches, looking for easy IOCs (cleartext URLs in Office documents) without writing any malicious file to disk.

zipdump.py --jsonoutput 2020-10-24.zip | file-magic.py --jsoninput --jsonoutput | myjson-filter.py -t Composite | strings.py --jsoninput -u -s http | re-search.py -u -n url -F officeurls | sortcanon.py -c domain

Remark that by using an option to search for strings with the word http (-s http), I reduce the output of strings to be processed by re-search.py, so that the search is faster. But that limits you (mostly) to URLs with protocol http or https.

Leave out this option if you want to search for all possible protocols, or try -s "://".
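The same stages in one stand-alone Python script, as an added example (not the code of zipdump.py, file-magic.py, strings.py, re-search.py or sortcanon.py): members are read from the ZIP in memory, kept only if they start with the OLE magic bytes, and searched for URLs in ASCII and UTF-16LE strings. The ignore list is a hypothetical stand-in for the common-Office-URL filter, the sort is a plain sort by host name, and the sample ZIP is constructed.

```python
import io
import re
import zipfile
from urllib.parse import urlsplit

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # files libmagic calls "Composite Document File"
URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+")
# Hypothetical ignore list standing in for the "common Office URLs" filter.
COMMON_HOSTS = {"schemas.microsoft.com", "schemas.openxmlformats.org", "www.w3.org", "purl.org"}


def strings(data, min_len=6):
    """Yield printable ASCII and UTF-16LE strings; OLE files contain both."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.group().decode("utf-16-le")


def triage(zip_bytes, pwd=None):
    """Return unique URLs from OLE members, sorted by host name."""
    urls = set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info, pwd=pwd)       # bytes in memory, nothing extracted to disk
            if not data.startswith(OLE_MAGIC):  # keep only Composite Document Files
                continue
            for s in strings(data):
                if "http" in s:                 # same pre-filter idea as -s http
                    urls.update(URL_RE.findall(s))
    keep = [u for u in urls if urlsplit(u).hostname not in COMMON_HOSTS]
    return sorted(keep, key=lambda u: (urlsplit(u).hostname or "", u))


def build_sample_zip():
    """Constructed input: a fake OLE file holding three URLs and a fake PE that is skipped."""
    ole = (OLE_MAGIC + b"\x00" * 32 + b"http://schemas.microsoft.com/office/2006\x00"
           + b"\x01https://b.example.net/payload.bin\x00\x00"
           + "http://a.example.org/x".encode("utf-16-le") + b"\x00\x00")
    pe = b"MZ\x90\x00" + b"http://ignored.example.com/\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample1.doc", ole)
        zf.writestr("sample2.exe", pe)
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(triage(build_sample_zip())))
```
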

Thursday 29 December 2022

Update: zipdump.py Version 0.0.24

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to option -W of zipdump.py.

Next to value vir, you can now also specify values hash and hashvir.

hash: write each file with name equal to the SHA256 of the content of the file.

hashvir: write each file with name equal to the SHA256 of the content of the file plus extension .vir.

zipdump_v0_0_24.zip (http)
MD5: 33E7B7602263CB2C23D59C7EDEC8666C
SHA256: 1BEF40A9B567DAE84563FEA1B4DE8E0BD7F5926F7FCFF6D7086D2643133FBACE

Wednesday 28 December 2022

Powerstrip With Neon Lamp Switch

Filed under: Elec,Hardware — Didier Stevens @ 0:00

There are powerstrips with a switch that lights up when the switch is turned on. Like this one:

These switches (certainly older models) often use a neon lamp as light source.

I measured the electric energy consumption of a powerstrip with switch on and neon lamp burning (without anything plugged into the powerstrip’s outlets).

It consumed 7,8582 Wh over 24 hours, thus it drew on average 0,327 W.

That’s about 6 times more than the standby power of my Apple USB charger A2347 (0,0530 W).

FYI: although the switch is turned on in the above picture, you don’t see the neon lamp burning.

That’s because the AC power here in Belgium is 230V and 50Hz.

50Hz means that the current is 0 A 100 times per second, and thus the neon lamp does not light up around these 0 A current values.

So the picture above was taken at a moment that the lamp wasn’t lighting up because the current was (almost) 0 A.

I will go into more details in an upcoming blog post.

I did not conduct tests with powerstrips that use LEDs instead of neon lamps yet, because all the powerstrips with LEDs I have, also have a built-in USB charger, and that draws power too.
