Didier Stevens

Saturday 25 February 2017

Update: rtfdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:28

This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…


rtfdump_V0_0_5.zip (https)
MD5: 14475C70D992FB72306D5F83815DDE19
SHA256: A26A60536509BA7CF55FF1876E8BC3A6DBA43F1EF8841F159D55411FD11B5078

Wednesday 22 February 2017

Update: base64dump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

After searching with base64dump for encoded strings in this maldoc sample, I decided to add an option to base64dump to check all encodings automatically.

Use option -e with value all to try out all encodings, and report all found strings ordered by increasing length. And with option -u, you can limit the output to unique decoded strings.

zipdump.py -s 5 -d output.docx.vir.zip | base64dump.py -e all -u


base64dump_V0_0_6.zip (https)
SHA256: BFBCFA51DDC47793C8CA397B261E036701543610F637CE8813BC5870FC4B2C2F

Wednesday 15 February 2017

Quickpost: ClamAV and ZIP File Decryption

Filed under: Malware,Quickpost — Didier Stevens @ 0:00

While reading-up on ClamAV and YARA, I came across something I wanted to try for some time: have ClamAV decrypt and scan a password protected ZIP file.

It can be done by creating a .pwdb password signature file, as explained in section 3.12 of Creating signatures for ClamAV.

I created one signature for password “infected”:


ZipPasswordInfected is the name I gave to the signature.

Engine:81-255 defines the required functionality level of the ClamAV engine. If I’m not mistaken, 81 is version 0.99.

0 indicates that the password is in ASCII.

infected is the password to attempt ZIP decryption.

And then I can pass the password signature file to clamscan with option -d. Or I can put the password signature file in the database directory.

In this example, notepad.exe is stored in a password protected ZIP file (password infected), and is_pe_file.yara is a YARA rule to detect PE files.

clamscan.exe -d is_pe_file.yara -d passwords.pwdb notepad.exe.zip
notepad.exe.zip: YARA.is_PE_File.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 1
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.21 MB
Data read: 0.14 MB (ratio 1.50:1)
Time: 0.063 sec (0 m 0 s)

Quickpost info

Tuesday 14 February 2017

Overview of Content Published In January

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in January:

Blog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

Tuesday 31 January 2017

Update: zipdump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

A small feature in this new version: start the -E option value with # to count and group.


C:\Demo>zipdump.py -E “#%HEADASCII%;%HEADHEX%” Book1.xlsm
1: –…………..;d0cf11e0a1b11ae10000000000000000
1: <xml xmlns:v=”ur;3c786d6c20786d6c6e733a763d227572
12: <?xml version=”1;3c3f786d6c2076657273696f6e3d2231
zipdump_v0_0_5.zip (https)
MD5: 5F49895D3EA97A870ECB1E262A738A04
SHA256: E16CE5A426840D2804E5EF544CF334715F501D0892496D02B6C5000B18CE10BA

Monday 30 January 2017

Quickpost: Dropbox & Alternate Data Streams

Filed under: Forensics,Quickpost,Reverse Engineering — Didier Stevens @ 0:00

When I got this popup while moving a file from a Dropbox folder, I immediately thought Alternate Data Stream:


I ran my filescanner on the file, and found an ADS with name com.dropbox.attributes:


From the Magic HEX value, we can see that the content of the stream (frozen-sea-foam.mp4:com.dropbox.attributes) starts with 0x78 (and the streamsize is 83 bytes). 0x78 hints at zlib deflated data.

If you are not that familiar with magic values, you can use my file-magic tool:


Trying to decompress the ADS with translate.py gives us JSON data {“dropbox_fileid_local”: {“machineid_attr”: {“data”: “aa4xliox7z5n0qewxOlT3Q==”}}}:


The data field looks like BASE64, so let’s try to decode it with base64dump.py:


It decodes with BASE64 to data that looks random. From the names in the JSON data, we can deduce that this is probably a machine ID.

Remark 1: as it could well be my unique machine ID, I altered the value of the ID.

Remark 2: my file-magic.py tool is beta.

Remark 3: if you wonder what the video frozen-sea-foam is, I have it on Instragram.


Quickpost info

Sunday 29 January 2017

Update: FileScanner Version

Filed under: My Software,Update — Didier Stevens @ 0:00

I released this new version of FileScanner at the end of 2015, but forgot to announce it here on my blog.

This new version also scans Alternate Data Streams.

FileScanner_V0_0_0_4.zip (https)
MD5: 4BB8F475328B9EB214E6B9405F84816E
SHA256: 5D3B1408C5D2BD17C0441D0D9D0DA565E8D690DE792971092956F4CA10D5A071

Saturday 28 January 2017

Update: byte-stats.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 8:37

This new version of byte-stats.py adds statistics for hexadecimal and base64 characters:

$byte-stats.py all.bin

Byte ASCII Count     Pct
0x00           1   0.39%
0x01           1   0.39%
0x02           1   0.39%
0x03           1   0.39%
0x04           1   0.39%
0xfb           1   0.39%
0xfc           1   0.39%
0xfd           1   0.39%
0xfe           1   0.39%
0xff           1   0.39%

Size: 256

Entropy:           8.000000
Unique bytes:           256 100.00%
NULL bytes:               1   0.39%
Control bytes:           27  10.55%
Whitespace bytes:         6   2.34%
Printable bytes:         94  36.72%
High bytes:             128  50.00%
Hexadecimal bytes:       22   8.59%
BASE64 bytes:            65  25.39%

byte-stats_V0_0_5.zip (https)
MD5: B79C6DF0964C9BA676D88E2085ACF037
SHA256: B9112274BD757FB3311883B0CF179ABDEC149C421EFEB335D70AF972495A5C20

Tuesday 10 January 2017

Overview of Content Published In December

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in December:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

Wednesday 28 December 2016

Update: pdf-parser Version 0.6.7

Filed under: My Software,PDF,Update — Didier Stevens @ 12:03

I added option -k to search for keys in dictionaries. A usage example can be found in blog post “PDF Analysis: Back To Basics“.

pdf-parser_V0_6_7.zip (https)
MD5: D04D7DA42F3263139BC2C7E7B2621C91
SHA256: ED863DE952A5096FF4BE0825110D2726BA1BE75A7A6717AF0E6A153B843E3B78

« Previous PageNext Page »

Blog at WordPress.com.