This is a bug fix version for my nsrl.py script, a tool to check hashes with the NSRL list.
nsrl_V0_0_4.zip (http)MD5: 6F72B03493C73E88CB3771C860BC76D0
SHA256: D68039B8654C1D52CD1C12670C7E885E462B72BF23892E86BE86E6381C95B669
Thursday 22 December 2022
Update: nsrl.py Version 0.0.4
MD5: 6F72B03493C73E88CB3771C860BC76D0
SHA256: D68039B8654C1D52CD1C12670C7E885E462B72BF23892E86BE86E6381C95B669
Wednesday 21 December 2022
Update: InteractiveSieve Version 0.9.2.0
New features:
- Loading files from command line arguments
- Column index to right click-menu
- “Hide (if equal to prev and next)” to right click-menu
- “Values separator…” to right click-menu
- “Hide duplicates” to right click-menu
- Added column filtering when loading files
MD5: 74A4019A36199C5057207184341FB639
SHA256: D9481C99F44FCEA0729F526B70E307881E2128FB1EB23DF135790EDB4392CB4A
Tuesday 20 December 2022
Update: filescanner Version 0.0.0.8
This new version brings extra statistics with option -f (fullread): counter for unique bytes, control bytes, printable bytes, high bytes. And lengths of the longest ASCII string, ASCII hexadecimal string and ASCII base64 string.
Remark that no check is made for hex string length being a multiple of 2 and base64 string length being a multiple of 4.
Rule DMP for minidumps was added.
And option -e now accepts multiple extensions (comma separated).
FileScanner_V0_0_0_8.zip (http)MD5: 20201A4336F3E5298896EE0962C6C287
SHA256: F0EAE8F989A65509EE2AC793EB23C3FED3F333D10C62C30FF047EE45CD308190
Monday 19 December 2022
New tool: teeplus.py
This new tool, teeplus.py, is an extension of the tee command.
The tools takes (binary) data from stdin, and sends it to stdout, while also writing the data to a file on disk.
While the tee command requires a filename as argument, teeplus.py takes no arguments (only options).
By default, teeplus.py will write the data to a file on disk, with filename equal to the sha256 of the data and extension .vir.
And it will also log this activity in a log file (teeplus.log by default).
Here is an example.
I run curl with a request to ipify to get my current public IPv4 address:
Then I pipe this output to teeplus.py:
This results in the creation of two files inside the current directory:
The first file it the output of the curl command:
The filename is the SHA256 hash of the data with extension .vir:
The second file, teeplus.log, is a log file:
Each line in teeplus.log has 4 fields (comma separated):
- The ISO timestamp when the activity was logged
- The length in bytes of the data
- The SHA256 hash of the data
- An error message (empty string when no error occured)
A line is created for each invocation of the teeplus.py command:
When the IPv4 address changes:
And the command is executed again, a new .vir file is created (since the received data changed):
And this is reflected in the log file:
This allows you to create a log of your public IPv4 address, for example (by scheduling this command as a recurrent task).
I use it for monitoring websites, and saving a copy of the HTML page I downloaded. I will explain how in an upcoming blog post.
teeplus.py has a couple of options: you can change the extension of the saved file, and the filename of the log file. And you can also us option -n to prevent the data to be piped to stdout (or you could redirect to /dev/null).
This is something I would do when the teeplus.py command is not followed by another command.
MD5: 0A3704CD56BD6B3A1FF2B92FD87476FB
SHA256: 9E3CBE7323D83FFC588FD67F7B762F53189391A43EDF465C64BD0E4D8E7E8990
Sunday 18 December 2022
Update: zipdump.py Version 0.0.23
Option -W can be used to write all files to disk. The only accepted value for -W is vir (for the moment). When this option is provided, all files are written to the local disk (ignoring contained paths) with their original name, and appended extension .vir.
To print out properties line per line, use separator *.
And more parsing for PK records has been added (with option -f). This is a work in progress, more info will provided in an upcoming blog post.
zipdump_v0_0_23.zip (http)MD5: B37E6A25B736CB4396DEB2DC8A0853C6
SHA256: 68B7E11B4456A8A9A5A9733EE9B1945A03EBA64A13903B98FAC838BDB828BD02
Saturday 17 December 2022
Update: virustotal-search.py Version 0.1.8
This update to virustotal-search brings new options:
- -D don’t send queries to VT, just use the local database
- –sleep before starting: provide an integer with suffix s (seconds), m (minutes), h (hours) or d (days). Or provide a local time: 01:00:00
MD5: 69A4504E06E97585EDBA4BBD60EAC36C
SHA256: 16FA2F9748959A88BE38B4A2FF006FC658FB4FF8932F3EC2E2568F48EB9FAE85
Friday 16 December 2022
Update: hash.py Version 0.0.9
Options validate and skip support here files now.
And when validating hashes, a summary is displayed at the end of the report.
hash_V0_0_9.zip (http)MD5: E1BEFF0A256002949B084F7ED410C5A5
SHA256: 84F846D6CFE93ADA77C5DE0C318CEA36C3F92F22A3D0A7FE829DB88D7CE31FA0
Thursday 15 December 2022
Update: count.py Version 0.3.1
This update to count.py, my tool to count items, adds totals and options for:
- singles: a single is an item that appears only once
- multiples: a multiple is an item that appears more than once
MD5: 1B36247FE910FE5FB4E3253B65E440A1
SHA256: 9C99627F07E1B366DCEB000A56C4C3D358C3408D36531A921514B4F3809F45D1
Monday 5 December 2022
Extracting Certificates For Defender
A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list.
The procedure involves right-clicking the EXE in Windows Explorer, selecting properties to view the digital signature, and so on …
But I don’t like procedures where one has to click on malware.
So I looked for a PowerShell command, and found this.
Get-AuthenticodeSignature .\malware.exe.vir | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath SignerCertificate.cer
Sunday 4 December 2022
Update: python-per-line.py Version 0.0.9
This is a small update to add the lineNumber variable.
MD5: CD9FC344E4C5F649E4043BD703CDCA52
SHA256: BD6713A7DF86AC75ADC2A6742A453919F56583D8CC5EB3B82B736608D2A52619
Didier Stevens 