Didier Stevens

Sunday 18 December 2022

Update: zipdump.py Version 0.0.23

Filed under: My Software,Update — Didier Stevens @ 0:00

Option -W can be used to write all files to disk. The only accepted value for -W is vir (for the moment). When this option is provided, all files are written to the local disk (ignoring the paths contained in the archive) with their original name and the extension .vir appended.
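As an added example (not zipdump's own code), here is a PowerShell script that does the same thing as -W vir for a ZIP archive: every file entry is written to one output folder using only its base name, so archived directory components (including any ..\ parts) are dropped, and .vir is appended so the sample cannot be launched by a double-click or picked up by a file-type handler. The archive path, output folder and suffix are assumptions; entries with the same base name get a numbered suffix instead of overwriting each other.

```powershell
# Added example, not part of zipdump.py: extract all files from a ZIP the way
# "zipdump.py -W vir" does (flat, original name, .vir appended).
param(
    [string]$ZipPath = '.\samples.zip',  # assumed input archive
    [string]$OutDir  = '.\extracted',    # assumed output folder
    [string]$Suffix  = 'vir'             # neutralising extension
)

# Windows PowerShell 5.1 needs the assembly loaded explicitly; PowerShell 7 has it.
Add-Type -AssemblyName System.IO.Compression.FileSystem

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$zip = [System.IO.Compression.ZipFile]::OpenRead((Resolve-Path $ZipPath).Path)
try {
    foreach ($entry in $zip.Entries) {
        # Directory entries have an empty Name; nothing to write for them.
        if ($entry.Name -eq '') { continue }

        # Only the base name is used: the archived path is ignored on purpose,
        # so an entry named "..\..\evil.dll" still lands inside $OutDir.
        $dest = Join-Path $OutDir "$($entry.Name).$Suffix"
        $n = 1
        while (Test-Path $dest) {
            $dest = Join-Path $OutDir "$($entry.Name).$n.$Suffix"
            $n++
        }

        [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $dest, $false)

        [PSCustomObject]@{
            Archived = $entry.FullName
            Written  = $dest
            Size     = $entry.Length
        }
    }
}
finally {
    $zip.Dispose()
}
```

The .NET ZipFile class does not support password-protected entries, so an archive protected with the usual "infected" password has to be handled with a tool that does (zipdump.py itself, for instance); the flattening and renaming logic stays the same.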

To print out properties line per line, use separator *.

And more parsing for PK records has been added (with option -f). This is a work in progress; more info will be provided in an upcoming blog post.

zipdump_v0_0_23.zip (http)
MD5: B37E6A25B736CB4396DEB2DC8A0853C6
SHA256: 68B7E11B4456A8A9A5A9733EE9B1945A03EBA64A13903B98FAC838BDB828BD02

Saturday 17 December 2022

Update: virustotal-search.py Version 0.1.8

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to virustotal-search brings new options:

  1. -D: don't send queries to VT, just use the local database
  2. --sleep: sleep before starting; provide an integer with suffix s (seconds), m (minutes), h (hours) or d (days), or provide a local time: 01:00:00

virustotal-search_V0_1_8.zip (http)
MD5: 69A4504E06E97585EDBA4BBD60EAC36C
SHA256: 16FA2F9748959A88BE38B4A2FF006FC658FB4FF8932F3EC2E2568F48EB9FAE85

Friday 16 December 2022

Update: hash.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

Options validate and skip now support here files.

And when validating hashes, a summary is displayed at the end of the report.

hash_V0_0_9.zip (http)
MD5: E1BEFF0A256002949B084F7ED410C5A5
SHA256: 84F846D6CFE93ADA77C5DE0C318CEA36C3F92F22A3D0A7FE829DB88D7CE31FA0

Thursday 15 December 2022

Update: count.py Version 0.3.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This update to count.py, my tool to count items, adds totals and options for:

  1. singles: a single is an item that appears only once
  2. multiples: a multiple is an item that appears more than once

count_v0_3_1.zip (http)
MD5: 1B36247FE910FE5FB4E3253B65E440A1
SHA256: 9C99627F07E1B366DCEB000A56C4C3D358C3408D36531A921514B4F3809F45D1

Monday 5 December 2022

Extracting Certificates For Defender

Filed under: Malware — Didier Stevens @ 0:00

A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list.

The procedure involves right-clicking the EXE in Windows Explorer, selecting properties to view the digital signature, and so on …

But I don’t like procedures where one has to click on malware.

So I looked for a PowerShell command, and found this.

Get-AuthenticodeSignature .\malware.exe.vir | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath SignerCertificate.cer
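As an added example (not from the original post), here is a PowerShell script built around the command above: it checks that the file actually carries a signature, exports the signer certificate under its thumbprint, and prints the identifiers a block list is typically keyed on (subject, issuer, serial number, thumbprint, validity period). The sample path and output folder are assumptions.

```powershell
# Added example, not from the original post: export the signer certificate of a
# (possibly malicious) signed file without opening it in Explorer.
param(
    [string]$SamplePath = '.\malware.exe.vir',  # assumed sample path
    [string]$OutDir     = '.\certs'             # assumed output folder
)

$sig = Get-AuthenticodeSignature -FilePath $SamplePath

# Unsigned files have no SignerCertificate; a revoked, expired or untrusted
# signature still does, and that certificate is exactly what we want to export.
if ($null -eq $sig.SignerCertificate) {
    Write-Warning "$SamplePath carries no Authenticode signature (status: $($sig.Status))"
    return
}
Write-Host "Signature status: $($sig.Status) ($($sig.StatusMessage))"

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$cert = $sig.SignerCertificate
# The thumbprint as file name makes many samples signed with the same
# certificate collapse into one .cer file.
$cerPath = Join-Path $OutDir "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -Type CERT -FilePath $cerPath -Force | Out-Null

[PSCustomObject]@{
    Sample       = $SamplePath
    Status       = $sig.Status
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    SerialNumber = $cert.SerialNumber
    Thumbprint   = $cert.Thumbprint
    NotBefore    = $cert.NotBefore
    NotAfter     = $cert.NotAfter
    Exported     = $cerPath
}
```

The script keys on the presence of a certificate rather than on a Valid status, because malware is usually signed with a certificate that is revoked or otherwise not trusted (Status NotTrusted or HashMismatch) and the certificate still has to be extracted. The same signature object exposes TimeStamperCertificate if the timestamping certificate is needed as well.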

Sunday 4 December 2022

Update: python-per-line.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update to add the lineNumber variable.

python-per-line_V0_0_9.zip (http)
MD5: CD9FC344E4C5F649E4043BD703CDCA52
SHA256: BD6713A7DF86AC75ADC2A6742A453919F56583D8CC5EB3B82B736608D2A52619

Saturday 3 December 2022

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 9:52

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Wednesday 23 November 2022

Update: what-is-new.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update of what-is-new.py, my tool that reports which lines inside files are new (i.e., never seen before), has a new option: -a --action. It allows me to launch a command when something new is detected.

I use this, for example, to be alerted via Telegram. More details in an upcoming blog post.

what-is-new_V0_0_2.zip (http)
MD5: 458B06FAF21F6BB150087196CCFEFAC2
SHA256: D020205346A778A4EE31B9C645F31BD4E14B465DC0B37BABD1DEEDFB6F347232

Saturday 12 November 2022

Quickpost: Testing A USB Fridge (Update)

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

I performed some extra tests with my USB fridge (see Quickpost: Testing A USB Fridge).

Here is how the temperature evolved when I put a can with cold water (around 12 °C) in the USB fridge:

The temperature increased around 2 °C over a period of 12 hours (room temperature was around 17 °C).

That required around 57 Wh.

And the temperature at the top of the can increased more than at the bottom:

For reference, here is how the temperature evolves of a cooled can of water left on the desk in that same room (so not inside the USB fridge):


Quickpost info

Friday 11 November 2022

Update: oledump.py Version 0.0.71

Filed under: Uncategorized — Didier Stevens @ 0:00

A new plugin and an updated plugin.

Plugin plugin_dttm is a plugin for Word documents: it searches for Dop structures, which contain DTTM timestamps.

And plugin plugin_metadata has been updated to parse digital signatures (option -s).

oledump_V0_0_71.zip (http)
MD5: BA1142136F28DB218BADEAA642EA0EA9
SHA256: FA09766D138A1AA60523B487D947BF29222D409CF1FCE078DE61BF62768A5950