Didier Stevens

Sunday 29 May 2016

Update: pecheck.py Version 0.5.1

Filed under: My Software,Update — Didier Stevens @ 10:12

This version offers more info about the overlay:


pecheck-v0_5_1.zip (https)
MD5: F045A67AC1ECCF129030DFCE316383A9
SHA256: 9F6EFD34455D530BD3A867FEDD40C1E9538E8B7299E538AAC73D936EDF9904EF

Saturday 21 May 2016

Update: pecheck.py Version 0.5.0

Filed under: My Software,Update — Didier Stevens @ 20:46

This version of pecheck adds support for YARA rules and overlays.


pecheck-v0_5_0.zip (https)
MD5: B873F8B5F6D408E4026010F010EA5FC4
SHA256: 7FCE12A8B10BEFF0C991B652CEDE376C187E74F23C603BF1A9250C9E7756AB48

Monday 16 May 2016

New YARA Rule: PE_File_pyinstaller

Filed under: Malware,My Software — Didier Stevens @ 0:00

This is a YARA rule to detect PE files that were created with PyInstaller (a tool to convert Python programs to binary executables).

More info in my ISC Diary entry: Python Malware – Part 1.

/*
  Version 0.0.1 2016/05/14
  Source code put in public domain by Didier Stevens, no Copyright
  https://DidierStevens.com
  Use at your own risk

  Shortcomings, or todo's ;-) :

  History:
    2016/05/14: start
*/

import "pe"

rule PE_File_pyinstaller
{
    meta:
        author = "Didier Stevens (https://DidierStevens.com)"
        description = "Detect PE file produced by pyinstaller"
    strings:
        $a = "pyi-windows-manifest-filename"
    condition:
        pe.number_of_resources > 0 and $a
}

yara-rules-V0.0.8.zip (https)
MD5: 83D10B0A18D3F8E2C744B8FEA10F5E67
SHA256: 2D47165757F909440F6D1A95FF5C0EA1355B355AE7475D2A0CF821D3B9A6235A

Sunday 15 May 2016

Update: emldump.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 11:29

Small changes in this version to handle obfuscation.

emldump_V0_0_9.zip (https)
MD5: 752A6F06290E2A35ACB4C564FA7D72C5
SHA256: 52CA4FB61B3B6FD9AECBA974AB73DCFA5D667086EBE7FDC84DE6F90E4DCC6853

Tuesday 10 May 2016

MovingXORSelection.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

This is a new script for 010 Editor. Like my XORSelection.1sc script, it encodes/decodes with the XOR operator.

The encoding method is as follows: the values of byte 1 and 2 are XORed and the result is stored as byte 2. Then this result (byte 2) is XORed with the value of byte 3, and that result is stored as byte 3. This goes on until all selected bytes are encoded.

Decoding is similar, but from right to left.

The script takes 2 parameters:

  1. Moving XOR is performed from left-to-right (L) or from right-to-left (R).
  2. The offset of the “previous” byte to XOR with the current byte (default -1).
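A Python reimplementation of the encoding rule described above, added here as an example (it is not the 010 Editor script itself) so the chained XOR can be checked outside the editor; the function names and the offset-0 rejection are my own choices:

```python
# Added example (not the original MovingXORSelection.1sc script): the moving
# XOR rule in plain Python. direction "L" walks the bytes left-to-right, "R"
# right-to-left; offset is the position of the "previous" byte relative to
# the current one (the script's default, -1, is the byte immediately left).

def _walk(length: int, direction: str):
    if direction == "L":
        return range(length)
    if direction == "R":
        return range(length - 1, -1, -1)
    raise ValueError("direction must be 'L' or 'R'")

def moving_xor(data: bytes, direction: str = "L", offset: int = -1,
               decode: bool = False) -> bytes:
    """Encode (or, with decode=True, decode) data with a moving XOR.

    Encoding: in walk order, byte[i] ^= byte[i + offset]; the neighbour may
    already have been rewritten by an earlier step, which is what chains the
    XOR (byte 2 = byte 1 ^ byte 2, byte 3 = new byte 2 ^ byte 3, ...).
    Decoding replays exactly the same XORs in the opposite walk order, so
    each neighbour is seen in the same state the encoder saw it in.
    """
    if offset == 0:
        raise ValueError("offset 0 would XOR every byte with itself")
    buf = bytearray(data)
    order = _walk(len(buf), direction)
    if decode:
        order = reversed(order)
    for i in order:
        j = i + offset
        if 0 <= j < len(buf):          # bytes without a neighbour are untouched
            buf[i] ^= buf[j]
    return bytes(buf)

if __name__ == "__main__":
    plain = b"ABCD"                    # constructed sample input
    enc = moving_xor(plain)            # 41 42 43 44 -> 41 03 40 04
    print(enc.hex(), moving_xor(enc, decode=True) == plain)
```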


The result: (screenshot)

MovingXORSelection_V1_0.zip (https)
MD5: C0B069044E0CA64856B74DE03250F837
SHA256: CE4D0F139728DBCD7F3B817BB3B610FFAA893B3B5BDF73715345EE170166F36C

Monday 9 May 2016

Overview of Content Published In April

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in April:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Friday 6 May 2016

Update: numbers-to-hex.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

To deal with a particular maldoc sample, I added an option to numbers-to-hex.py to deal with signed bytes (negative and positive numbers used to represent byte values).

Here is a video:

The manual:

Usage: numbers-to-hex.py [options] [[@]file ...]
Program to convert decimal numbers into hex numbers

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -i, --ignore          Do not generate an error when a number larger than 255
                        is found
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers per line (1 by default)
  -s, --signed          Numbers are signed bytes: add 256 if negative

Manual:

This program reads lines from the given file(s) or standard input, and
then extracts decimal numbers from each line. A decimal number is a
sequence of digits (optionally prefixed with a dash - for negative
numbers). All numbers found in a line are converted to hexadecimal and
outputed as a line. Hexadecimal numbers are separated by a space
character. If a number is smaller than 0 or larger than 255/0xFF, an
error is generated, except when option -i is used.
Option -s (--signed) indicates that the input numbers are signed
bytes: -1 is 0xFF, -2 is 0xFE, ...
Option -n NUMBER (--number) requires that at least NUMBER numbers are
present in the input line (the default is 1 number).

The hexadecimal numbers are written to standard output, except when
option -o is used. When option -o is used, the numbers are written to
the file specified by option -o.
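The conversion rule from the manual, reimplemented in Python as an added example (this is not the code of numbers-to-hex.py): number extraction, option -s for signed bytes, option -n for the minimum count and option -i for out-of-range values. The page does not say what the real tool emits for an out-of-range number under -i; this example simply drops it, which is an assumption.

```python
# Added example, not numbers-to-hex.py itself: the manual's conversion rule
# applied to a constructed maldoc-style line of signed byte values.
import re

NUMBER_RE = re.compile(r"-?\d+")   # a run of digits, optionally prefixed with a dash

def numbers_to_hex_line(line: str, signed: bool = False, ignore: bool = False,
                        minimum: int = 1):
    """Convert one line; returns the hex line, or None when the line holds
    fewer than `minimum` numbers (option -n)."""
    numbers = [int(token) for token in NUMBER_RE.findall(line)]
    if len(numbers) < minimum:
        return None
    hexbytes = []
    for n in numbers:
        if signed and n < 0:
            n += 256                         # option -s: -1 -> 0xFF, -2 -> 0xFE
        if not 0 <= n <= 255:
            if ignore:                       # option -i: no error (assumed: value dropped)
                continue
            raise ValueError(f"value {n} does not fit in a byte")
        hexbytes.append(f"{n:02X}")
    return " ".join(hexbytes)

def numbers_to_hex(text: str, **options) -> list:
    """Apply numbers_to_hex_line to every line; lines below the minimum are skipped."""
    out = []
    for line in text.splitlines():
        converted = numbers_to_hex_line(line, **options)
        if converted is not None:
            out.append(converted)
    return out

# Constructed sample: a VBA-style array holding the start of an MZ header as
# signed bytes, plus a line with a single unrelated number.
SAMPLE = "Array(77, 90, -112, 0, 3)\nMsgBox 1\n"

if __name__ == "__main__":
    print(numbers_to_hex(SAMPLE, signed=True, minimum=2))   # ['4D 5A 90 00 03']
```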

numbers-to-hex_V0_0_3.zip (https)
MD5: EB8CE35EA272042211B1EADBE4606BE2
SHA256: 1CE2E7C6EF930C56024C0313C9FCE6E96A7FA6FC07893EAF06ACCC05A3D2C528

Tuesday 26 April 2016

Update translate.py Version 2.3.0

Filed under: My Software,Update — Didier Stevens @ 0:00

In this update of my translate program, I added support for searching and replacing with regular expressions.

Option -r (regex) uses a regular expression to search through the file and then calls the provided function with a match argument for each matched string. The return value of the function (a string) is used to replace the matched string.
Option -R (filterregex) is similar to option -r (regex), except that it does not operate on the complete file, but on the file filtered for the regex.

Here are 2 examples with a regex. The input file (test-ah.txt) contains the following: 1234&H41&H42&H43&H444321

The first command will search for strings &Hxx and replace them with the character represented in ASCII by hexadecimal number xx:
translate.py -r "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0], 16))"
Output: 1234ABCD4321

The second command is exactly the same as the first command, except that it uses option -R instead of -r:
translate.py -R "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0], 16))"
Output: ABCD

In this output, strings that do not match the regular expression are filtered out.

translate_v2_3_0.zip (https)
MD5: 3C21675A2792DCBAF2EB0222C3D14450
SHA256: B51D4D47213AE7E79E3C9D157F5FC8E26C41AB9A5F3A26CD589F588C03910F2A

Monday 18 April 2016

Update: decode-vbe.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to decode-vbe.py.

Here is the man page:

Usage: decode-vbe.py [options] [file]
Decode VBE script

Options:
--version   show program's version number and exit
-h, --help  show this help message and exit
-m, --man   Print manual

Manual:

This program reads from the given file or standard input, and converts the encoded VBE script to VBS.

The provided file can be a password protected ZIP file (with password infected) containing the VBE script.

The content of the VBE script can also be passed as a literal argument. This is similar to a Here Document in Unix.
Start the argument (the "filename") with character # to pass a literal argument.
Example: decode-vbe.py "##@~^DgAAAA==\ko$K6,JCV^GJqAQAAA==^#~@"
Result: MsgBox "Hello"

It's also possible to use hexadecimal (prefix #h#) or base64 (prefix #b#) to pass a literal argument.
Example: decode-vbe.py #h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40
Result: MsgBox "Hello"
Example: decode-vbe.py #b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA=
Result: MsgBox "Hello"
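How the argument conventions from the man page resolve to the raw script bytes, as an added Python example (not decode-vbe.py's own code): a plain file, a password-protected ZIP (password infected), or a literal given with #, #h# or #b#. Detecting a ZIP by its signature and reading its first entry are assumptions; the two literals from the man page are used as sample input and decode to the same bytes.

```python
# Added example, not decode-vbe.py itself: resolve the command-line argument
# to the (still encoded) VBE script bytes the decoder would work on.
import base64
import binascii
import io
import zipfile

ZIP_PASSWORD = b"infected"   # the password the man page says the ZIP uses

def resolve_input(argument: str) -> bytes:
    """Return the raw VBE script bytes for one command-line argument."""
    if argument.startswith("#h#"):               # hexadecimal literal
        return binascii.unhexlify(argument[3:])
    if argument.startswith("#b#"):               # base64 literal
        return base64.b64decode(argument[3:])
    if argument.startswith("#"):                 # plain literal ("here document")
        return argument[1:].encode("latin-1")
    with open(argument, "rb") as f:
        data = f.read()
    if zipfile.is_zipfile(io.BytesIO(data)):     # assumed: first entry holds the script
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0], pwd=ZIP_PASSWORD)
    return data

# The hex and base64 literals from the man page (same script, two spellings).
HEX_ARG = "#h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40"
B64_ARG = "#b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA="

if __name__ == "__main__":
    print(resolve_input(HEX_ARG) == resolve_input(B64_ARG))   # True
```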

decode-vbe_V0_0_2.zip (https)
MD5: 35612087E2D62669E2690573FDE543F2
SHA256: 91A7465FE1F4D291751E6C5D88C51888C914B40C6F187709E33343FF121A116F

Sunday 17 April 2016

Overview of Content Published In March

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in March:

Blog posts:

SANS ISC Diary entries:
