Didier Stevens

Sunday 15 May 2016

Update: emldump.py Version 0.0.9

Filed under: My Software,Update — Didier Stevens @ 11:29

Small changes in this version to handle obfuscation.

emldump_V0_0_9.zip (https)
MD5: 752A6F06290E2A35ACB4C564FA7D72C5
SHA256: 52CA4FB61B3B6FD9AECBA974AB73DCFA5D667086EBE7FDC84DE6F90E4DCC6853

Tuesday 10 May 2016

MovingXORSelection.1sc

Filed under: 010 Editor,My Software — Didier Stevens @ 0:00

This is a new script for 010 Editor. Like my XORSelection.1sc script, it encodes/decodes with the XOR operator.

The encoding method is as follows: the values of byte 1 and 2 are XORed and the result is stored as byte 2. Then this result (byte 2) is XORed with the value of byte 3, and that result is stored as byte 3. This goes on until all selected bytes are encoded.

Decoding is similar, but from right to left.

The script takes 2 parameters:

  1. Moving XOR is performed from left-to-right (L) or from right-to-left (R).
  2. The offset of the “previous” byte to XOR with the current byte (default -1).
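
The scheme described above, written out in Python as an added example (this is not the 010 Editor script itself). The function name, the sample bytes and the handling of bytes that have no "previous" byte (left unchanged) are assumptions.

```python
def moving_xor(data: bytes, direction: str = "L", offset: int = -1) -> bytes:
    """Moving XOR over a copy of data.

    direction: "L" walks left-to-right, "R" walks right-to-left.
    offset:    position of the "previous" byte relative to the current byte.
    Assumption: a byte whose "previous" byte lies outside the data is kept as is.
    """
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    if offset == 0:
        raise ValueError("offset 0 would XOR every byte with itself")
    buf = bytearray(data)
    order = range(len(buf)) if direction == "L" else reversed(range(len(buf)))
    for i in order:
        j = i + offset
        if 0 <= j < len(buf):
            # buf[j] may already hold a result written earlier in this pass:
            # that is what chains the bytes together when encoding.
            buf[i] ^= buf[j]
    return bytes(buf)


def adjacent_xor(encoded: bytes) -> bytes:
    """Decode a default (L, -1) encoding without walking in place.

    Each plain byte is the XOR of an encoded byte and its left neighbour,
    so no key is needed to undo the encoding.
    """
    return encoded[:1] + bytes(a ^ b for a, b in zip(encoded[1:], encoded))


# Constructed sample: the first four bytes of a typical PE header.
SAMPLE = b"MZ\x90\x00"

if __name__ == "__main__":
    encoded = moving_xor(SAMPLE, "L", -1)
    print(encoded.hex())                        # 4d178787
    print(moving_xor(encoded, "R", -1))         # back to SAMPLE
    print(adjacent_xor(encoded) == SAMPLE)      # True
    # Running the pass in the same direction again does not decode:
    print(moving_xor(encoded, "L", -1) == SAMPLE)  # False
```

With a negative offset, a left-to-right pass encodes and a right-to-left pass with the same offset decodes.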

The result:

MovingXORSelection_V1_0.zip (https)
MD5: C0B069044E0CA64856B74DE03250F837
SHA256: CE4D0F139728DBCD7F3B817BB3B610FFAA893B3B5BDF73715345EE170166F36C

Monday 9 May 2016

Overview of Content Published In April

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in April:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Friday 6 May 2016

Update: numbers-to-hex.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

To deal with a particular maldoc sample, I added an option to numbers-to-hex.py to deal with signed bytes (negative and positive numbers used to represent byte values).

Here is a video:

The manual:

Usage: numbers-to-hex.py [options] [[@]file ...]
Program to convert decimal numbers into hex numbers

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -i, --ignore          Do not generate an error when a number larger than 255
                        is found
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers per line (1 by default)
  -s, --signed          Numbers are signed bytes: add 256 if negative

Manual:

This program reads lines from the given file(s) or standard input, and
then extracts decimal numbers from each line. A decimal number is a
sequence of digits (optionally prefixed with a dash - for negative
numbers). All numbers found in a line are converted to hexadecimal and
outputed as a line. Hexadecimal numbers are separated by a space
character. If a number is smaller than 0 or larger than 255/0xFF, an
error is generated, except when option -i is used.
Option -s (--signed) indicates that the input numbers are signed
bytes: -1 is 0xFF, -2 is 0xFE, ...
Option -n NUMBER (--number) requires that at least NUMBER numbers are
present in the input line (the default is 1 number).

The hexadecimal numbers are written to standard output, except when
option -o is used. When option -o is used, the numbers are written to
the file specified by option -o.
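
The conversion the manual describes, as an added Python example (not the source of numbers-to-hex.py). The function names, the constructed input lines, the two-digit uppercase output format and the choice to skip lines with too few numbers are assumptions.

```python
import re

# A decimal number: a sequence of digits, optionally prefixed with a dash.
NUMBER = re.compile(r"-?\d+")


def line_to_hex(line, signed=False, minimum=1):
    """Convert the decimal numbers found in one line to space-separated hex.

    Returns None when the line holds fewer than `minimum` numbers
    (assumption: such lines are skipped rather than reported).
    """
    values = [int(token) for token in NUMBER.findall(line)]
    if len(values) < minimum:
        return None
    converted = []
    for value in values:
        if signed and value < 0:
            value += 256          # signed byte: -1 is 0xFF, -2 is 0xFE, ...
        if not 0 <= value <= 255:
            raise ValueError("number out of byte range: %d" % value)
        converted.append("%02X" % value)
    return " ".join(converted)


def convert(lines, signed=False, minimum=1):
    """Convert every qualifying line and return the hex lines."""
    results = (line_to_hex(line, signed, minimum) for line in lines)
    return [result for result in results if result is not None]


# Constructed input: VBA-like lines where byte values are written as signed numbers.
SAMPLE = [
    "Sub Step1()",
    "data = Array(77, 90, -112, 0, 3, 0, 0, 0, -1, -1)",
    "End Sub",
]

if __name__ == "__main__":
    # Requiring at least 3 numbers per line skips "Sub Step1()".
    for hex_line in convert(SAMPLE, signed=True, minimum=3):
        print(hex_line)           # 4D 5A 90 00 03 00 00 00 FF FF
```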

numbers-to-hex_V0_0_3.zip (https)
MD5: EB8CE35EA272042211B1EADBE4606BE2
SHA256: 1CE2E7C6EF930C56024C0313C9FCE6E96A7FA6FC07893EAF06ACCC05A3D2C528

Tuesday 26 April 2016

Update translate.py Version 2.3.0

Filed under: My Software,Update — Didier Stevens @ 0:00

In this update of my translate program, I added support for searching and replacing with regular expressions.

Option -r (regex) uses a regular expression to search through the file and then calls the provided function with a match argument for each matched string. The return value of the function (a string) is used to replace the matched string.
Option -R (filterregex) is similar to option -r (regex), except that it does not operate on the complete file, but on the file filtered for the regex.

Here are 2 examples with a regex. The input file (test-ah.txt) contains the following: 1234&H41&H42&H43&H444321

The first command will search for strings &Hxx and replace them with the character represented in ASCII by hexadecimal number xx:
translate.py -r "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0], 16))"
Output: 1234ABCD4321

The second command is exactly the same as the first command, except that it uses option -R instead of -r:
translate.py -R "&H(..)" test-ah.txt "lambda m: chr(int(m.groups()[0], 16))"
Output: ABCD

In this output, strings that do not match the regular expression are filtered out.

translate_v2_3_0.zip (https)
MD5: 3C21675A2792DCBAF2EB0222C3D14450
SHA256: B51D4D47213AE7E79E3C9D157F5FC8E26C41AB9A5F3A26CD589F588C03910F2A

Monday 18 April 2016

Update: decode-vbe.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to decode-vbe.py

Here is the man page:

Usage: decode-vbe.py [options] [file]
Decode VBE script

Options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -m, --man   Print manual

Manual:

This program reads from the given file or standard input, and converts the encoded VBE script to VBS.

The provided file can be a password protected ZIP file (with password infected) containing the VBE script.

The content of the VBE script can also be passed as a literal argument. This is similar to a Here Document in Unix.
Start the argument (the “filename”) with character # to pass a literal argument.
Example: decode-vbe.py "##@~^DgAAAA==\ko$K6,JCV^GJqAQAAA==^#~@"
Result: MsgBox "Hello"

It’s also possible to use hexadecimal (prefix #h#) or base64 (prefix #b#) to pass a literal argument.
Example: decode-vbe.py #h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40
Result: MsgBox "Hello"
Example: decode-vbe.py #b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA=
Result: MsgBox "Hello"

decode-vbe_V0_0_2.zip (https)
MD5: 35612087E2D62669E2690573FDE543F2
SHA256: 91A7465FE1F4D291751E6C5D88C51888C914B40C6F187709E33343FF121A116F

Sunday 17 April 2016

Overview of Content Published In March

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in March:

Blog posts:

SANS ISC Diary entries:

Tuesday 29 March 2016

Decoding VBE

Filed under: My Software — Didier Stevens @ 0:01

I wrote a Python program to decode encoded VBS scripts (VBE).

decode-vbe_V0_0_1.zip (https)
MD5: 87E61217BC77275DBACEA77B8EDF12B5
SHA256: 11A9B5D47657C123845007E3E29FB331CAE7483B6A4A3AC54276DB90116911B5

Overview of Content Published In February

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in February:

Blog posts:

SANS ISC Diary entries:

Tuesday 22 March 2016

YARA Rule To Detect VBE Scripts

Filed under: maldoc,Malware,My Software — Didier Stevens @ 0:00

Malicious documents that drop VBE scripts (VBScript Encode scripts) are in the wild. Here is an example:

I have a YARA rule to detect VBE scripts:

yara-rules-V0.0.6.zip (https)
MD5: 01CB37759AC30EEA8D2B66226609C73E
SHA256: 1B56C1D7D0E1A8F500674B74F93F3E7DE6B2EFC85259ABE3A57F1DCA458CCFF8
