Didier Stevens

Sunday 8 June 2025

Quickpost: USB-C Couplers

Filed under: Hardware — Didier Stevens @ 0:00

I have this USB-C coupler to connect 2 USB-C cables. The coupler has 2 female connectors:

I use it to extend my cables when charging:

But it doesn’t always work. Sometimes it does, sometimes it doesn’t (e.g., the device is not charging).

So I assumed this coupler was defective, and got another one:

This one has a small LED, and it too wouldn’t always work.

But because of the LED, I quickly figured it out:

If the LED isn’t on (i.e., no current is flowing), I just have to flip one of the male connectors 180°. Then it works.

And that’s what I also have to do with the first coupler I got: if it doesn’t work, flip one of the connectors. I just needed an LED to figure this out 🙂


Quickpost info

Saturday 7 June 2025

Python Requirements for Didier Stevens Suite

Filed under: My Software — Didier Stevens @ 0:00

Although many of my tools have zero or just a few dependencies (it’s a design decision), I’ve had requests to create a requirements file.

It is now available in the Didier Stevens Suite ZIP file and on GitHub.

Some dependencies are only necessary when you actually use the corresponding feature. For example, many of my tools support YARA rules, but it’s not a mandatory requirement. If you don’t use YARA rules with my tools, you don’t need to install module yara-python.

Friday 6 June 2025

DSS_DEFAULT_HASH_ALGORITHMS

Filed under: My Software — Didier Stevens @ 0:00

Some of my tools have a feature that lets you choose the hash algorithm.

Many of my tools calculate hashes, and for historical reasons, that is the MD5 hash.

But if you want another hash, you can change this (for some of my tools) by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.

For example, with pdf-parser.py on Windows, you can set DSS_DEFAULT_HASH_ALGORITHMS=sha256 and the hashes of the streams will then be SHA256 instead of MD5.
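The selection mechanism described above, as an added example in plain Python (my code, not the code of pdf-parser.py or any other tool in the suite): the variable name and the MD5 default come from the post; that the value is a single algorithm name, matched case-insensitively and validated against hashlib, is an assumption of this example. The sample stream bytes are constructed.

```python
import hashlib
import os

# Name of the environment variable from the post, and the historical default it mentions.
ENV_NAME = 'DSS_DEFAULT_HASH_ALGORITHMS'
DEFAULT_ALGORITHM = 'md5'


def select_hash_algorithm(environ=None):
    """Return the hashlib algorithm name to use.

    Reads DSS_DEFAULT_HASH_ALGORITHMS (falling back to md5) and validates the value
    against what the local Python build supports, so a typo such as 'sha-256' fails
    loudly instead of silently producing MD5 hashes that get mistaken for SHA256.
    Assumption (this example, not the suite): one algorithm name, case-insensitive.
    """
    if environ is None:
        environ = os.environ
    name = environ.get(ENV_NAME, DEFAULT_ALGORITHM).strip().lower()
    if name not in hashlib.algorithms_available:
        raise ValueError('%s=%r is not supported by this Python build; choose one of: %s'
                         % (ENV_NAME, name, ', '.join(sorted(hashlib.algorithms_guaranteed))))
    return name


def hash_stream(data, environ=None):
    """Hash the bytes of one stream; returns (algorithm name, hex digest)."""
    name = select_hash_algorithm(environ)
    return name, hashlib.new(name, data).hexdigest()


if __name__ == '__main__':
    # Constructed sample: the bytes of a tiny PDF content stream, not from any real document.
    sample = b'BT /F1 12 Tf (Hello) Tj ET'
    print('%s: %s' % hash_stream(sample))                         # MD5 unless the variable is set
    print('%s: %s' % hash_stream(sample, {ENV_NAME: 'sha256'}))   # explicit override
```

Passing `environ` explicitly keeps the function testable without touching the process environment; in a real tool you would simply call `hash_stream(data)`.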

Thursday 5 June 2025

Quickpost: emldump Bulk Extraction

Filed under: Quickpost — Didier Stevens @ 0:00

A reader asked about bulk extraction of email attachments with emldump.py.

If you want to extract all attachments and write them to disk, you can use the following command:

emldump.py --jsonoutput sample.eml | myjson-filter.py -W hashvir

This command produces a MyJSON data structure with the content and metadata of all parts (not only attachments, but also the different bodies) and saves the parts to disk with filenames formatted as the SHA256 hash of the content and the extension .vir.

You can then run the desired analysis commands on the files written to disk.

But you can also run a command directly on the items, without writing them to disk. Here is an example of such a command:

emldump.py --jsonoutput sample.eml | myjson-filter.py -r "cmd.exe /c oledump.py"

This command starts an oledump.py process for each part in the multipart message and pipes the content of each part to that command’s stdin.
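Both pipelines above, as an added example in plain Python using only the standard library (my code, not emldump.py or myjson-filter.py): walk every leaf MIME part of a message, name the extracted files by SHA256 plus .vir, and run a command per part with the part’s bytes on stdin. The sample message is constructed, and the stand-in command (a Python one-liner that hashes its stdin) replaces oledump.py so the block runs offline.

```python
import email
import hashlib
import os
import subprocess
import sys
import tempfile

# Constructed sample message (not a real e-mail): one text body plus one base64
# attachment whose decoded content is the three bytes b'abc'.
SAMPLE_EML = b'''From: alice@example.com
To: bob@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Please see attached.
--BOUNDARY
Content-Type: application/octet-stream; name="payload.bin"
Content-Disposition: attachment; filename="payload.bin"
Content-Transfer-Encoding: base64

YWJj
--BOUNDARY--
'''

# Stand-in for "cmd.exe /c oledump.py": prints the SHA256 of whatever arrives on stdin.
SHA256_STDIN_COMMAND = [sys.executable, '-c',
                        'import sys, hashlib; sys.stdout.write(hashlib.sha256(sys.stdin.buffer.read()).hexdigest())']


def extract_parts(raw):
    """Return every leaf MIME part (bodies and attachments alike), transfer-decoded."""
    msg = email.message_from_bytes(raw)
    parts = []
    for index, part in enumerate(msg.walk()):
        if part.is_multipart():
            continue                                    # container node, no content of its own
        data = part.get_payload(decode=True) or b''     # undoes base64 / quoted-printable
        parts.append({
            'index': index,
            'content_type': part.get_content_type(),
            'filename': part.get_filename(),            # None for inline bodies
            'sha256': hashlib.sha256(data).hexdigest(),
            'data': data,
        })
    return parts


def write_parts(parts, outdir=None, extension='.vir'):
    """Write each part as <sha256><extension>. Content-addressed names never use the
    attacker-controlled attachment name, and identical parts collapse to one file."""
    if outdir is None:
        outdir = tempfile.mkdtemp(prefix='emlparts_')
    os.makedirs(outdir, exist_ok=True)
    written = []
    for part in parts:
        path = os.path.join(outdir, part['sha256'] + extension)
        with open(path, 'wb') as f:
            f.write(part['data'])
        written.append(path)
    return written


def run_on_parts(parts, argv):
    """Run argv once per part with the part's bytes on stdin (the -r pattern);
    returns a list of (returncode, stdout bytes), one entry per part."""
    results = []
    for part in parts:
        proc = subprocess.run(argv, input=part['data'],
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        results.append((proc.returncode, proc.stdout))
    return results


if __name__ == '__main__':
    parts = extract_parts(SAMPLE_EML)
    for path in write_parts(parts):
        print('wrote', path)
    for part, (rc, out) in zip(parts, run_on_parts(parts, SHA256_STDIN_COMMAND)):
        print(part['content_type'], part['filename'], rc, out.decode())
```

Note that `argv` is passed as a list and no shell is involved, so a part's filename can never be interpreted as shell syntax; if you do need `cmd.exe /c` on Windows, keep the command string fixed and never build it from message data.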


Wednesday 4 June 2025

Quickpost: Firefox Profiles and Multiple Instances

Filed under: Quickpost — Didier Stevens @ 0:00

It’s something that I’ve been doing for 10+ years, but every couple of years I need to configure this again (on a new machine), and then I have to look it up because I forgot the details. Hence this quickpost.

This is how I run Firefox on Windows:

"C:\Program Files\Mozilla Firefox\firefox.exe" -ProfileManager -no-remote

This allows me to run multiple instances of Firefox (option -no-remote) and invokes the profile manager so I can select the desired profile at startup.


Tuesday 3 June 2025

Update: search-for-compression.py Version 0.0.4

Filed under: Beta,My Software,Update — Didier Stevens @ 0:00

This tool is still beta.

VBA compression is now supported, besides zlib compression. Option -t (--type) was added so that one can choose the compression type to search for. Possible values are zlib (default) or vba.

And shortcut #p# was added to the yara option, to predefine these rules:

rule attribute_vb_name {
    strings:
        $a = "Attribute VB_Name = "
    condition:
        $a
}

rule dir {
    strings:
        $a = { 01 00 04 }
    condition:
        $a at 0
}

I’ll explain in another blog post how these features can be used to analyze MS Access databases with VBA project.
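What "searching for VBA compression" involves, as an added example (my code, not search-for-compression.py, oledump.py or its plugins): a decompressor for the MS-OVBA 2.4.1 compressed container (signature byte 0x01, then chunks of literal and copy tokens), and a scanner that tries every candidate signature byte in a blob and keeps the offsets whose first chunk decompresses to data containing the string the attribute_vb_name rule above matches. The `compress_vba_literals` helper exists only to build test input and is not a real compressor; all sample streams are constructed.

```python
import struct

VB_NAME_MARKER = b'Attribute VB_Name = '   # same string as the attribute_vb_name YARA rule


def _copytoken_masks(difference):
    """MS-OVBA 2.4.1.3.19.1: how a 16-bit copy token is split between offset and
    length depends on how many bytes of the current chunk are already decompressed."""
    bit_count = max(4, (difference - 1).bit_length())   # ceil(log2(difference)), at least 4
    length_mask = 0xFFFF >> bit_count
    offset_mask = (~length_mask) & 0xFFFF
    return bit_count, length_mask, offset_mask


def decompress_vba(data):
    """Decompress an MS-OVBA compressed container. Raises ValueError on malformed input."""
    if not data or data[0] != 0x01:
        raise ValueError('missing 0x01 signature byte')
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from('<H', data, pos)[0]
        if ((header >> 12) & 0x7) != 0x3:               # bits 12-14 must be 0b011
            raise ValueError('bad chunk signature at offset %d' % pos)
        chunk_size = (header & 0x0FFF) + 3              # includes the 2-byte header itself
        chunk_end = min(pos + chunk_size, len(data))
        pos += 2
        decompressed_start = len(out)
        if not (header & 0x8000):                       # flag clear: chunk is stored raw
            out.extend(data[pos:chunk_end])
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                           # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not ((flags >> bit) & 1):            # literal token: copy one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from('<H', data, pos)[0]   # copy token: back-reference
                pos += 2
                bit_count, length_mask, offset_mask = _copytoken_masks(len(out) - decompressed_start)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                source = len(out) - offset
                if source < decompressed_start:
                    raise ValueError('copy token reaches before the start of the chunk')
                for i in range(length):                 # byte by byte: copies may overlap
                    out.append(out[source + i])
    return bytes(out)


def compress_vba_literals(data):
    """Constructed test helper: a valid single-chunk container built from literal tokens only.
    Capped at 3640 bytes so the chunk size still fits the 12-bit header field."""
    if len(data) > 3640:
        raise ValueError('helper builds one chunk of at most 3640 bytes')
    body = bytearray()
    for i in range(0, len(data), 8):
        body.append(0x00)                               # flag byte: all eight tokens literal
        body.extend(data[i:i + 8])
    header = 0x8000 | 0x3000 | (len(body) + 2 - 3)     # compressed flag, signature, size-3
    return b'\x01' + struct.pack('<H', header) + bytes(body)


def find_vba_streams(blob, marker=VB_NAME_MARKER):
    """Scan a blob for offsets whose first chunk decompresses to VBA source containing
    marker. Only the first chunk is tried: module streams start with the attributes,
    and a 0x01 byte with a plausible header is far too common to trust on its own."""
    hits = []
    for offset in range(len(blob) - 2):
        if blob[offset] != 0x01:
            continue
        header = struct.unpack_from('<H', blob, offset + 1)[0]
        if ((header >> 12) & 0x7) != 0x3:
            continue
        chunk_size = (header & 0x0FFF) + 3
        try:
            decompressed = decompress_vba(blob[offset:offset + 1 + chunk_size])
        except (ValueError, IndexError, struct.error):
            continue
        if marker in decompressed:
            hits.append((offset, decompressed))
    return hits


if __name__ == '__main__':
    source = b'Attribute VB_Name = "Module1"\r\nSub Main()\r\nEnd Sub\r\n'
    blob = b'\x00' * 16 + compress_vba_literals(source) + b'\xff' * 8   # constructed carrier
    for offset, text in find_vba_streams(blob):
        print('VBA source at offset %d:' % offset)
        print(text.decode('latin-1'))
```

The two hand-assembled vectors in the test (a single literal followed by an overlapping copy, and three literals followed by a copy with offset 3) exercise the part of the format that trips up naive implementations: the copy length and offset share 16 bits, and the split moves as the chunk fills.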

Monday 2 June 2025

Update: myjson-transform.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings options -f and -c.

Option -f is used to define a Python function (function name or lambda) that will be applied to the content of each item in the MyJSON data.

Option -c is a shortcut for calling the CutData function via option -f. The lambda that is generated is: lambda data: CutData(data, 'CUTEXPRESSION')[0], where CUTEXPRESSION is the cut-expression provided as the value for option -c.

myjson-transform_V0_0_2.zip (http)
MD5: BAA4F4E7E8159EB05063C588DAF2A111
SHA256: 0F79D0D1B35D3F6C7DF0C17746E18F257AF9493D8C474448D16774A405B620E4

Sunday 1 June 2025

Overview of Content Published in May

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in May:

Blog posts:

SANS ISC Diary entries:

Saturday 31 May 2025

Update: myjson-filter.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

A new possible value for option -W (–write) has been added: nameext. This allows for writing files with the sanitized item name and the given extension. For example, nameext:config will create files with extension .config.
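The two MyJSON operations described in this post and in the myjson-transform.py 0.0.2 post above (applying a function to each item's content, and writing items under a sanitized name plus a chosen extension), as one added example in plain Python (my code, not myjson-transform.py or myjson-filter.py). The document layout (version 2, id didierstevens.com, items with base64 content), the sanitization policy and the collision handling are assumptions of this example; the real tools may differ in detail. The items are constructed.

```python
import base64
import copy
import os
import re
import tempfile


def make_myjson(items):
    """Build a MyJSON document from (name, bytes) pairs. Assumed layout for this example."""
    return {
        'version': 2,
        'id': 'didierstevens.com',
        'type': 'content',
        'fields': ['name', 'content'],
        'items': [{'name': name, 'content': base64.b64encode(data).decode('ascii')}
                  for name, data in items],
    }


def item_content(item):
    """Decode one item's base64 content."""
    return base64.b64decode(item['content'])


def transform_items(doc, func):
    """Apply func (bytes -> bytes) to every item's content, as option -f does;
    returns a new document and leaves the input untouched."""
    out = copy.deepcopy(doc)
    for item in out['items']:
        item['content'] = base64.b64encode(func(item_content(item))).decode('ascii')
    return out


def sanitize_name(name):
    """Reduce an item name (often an attacker-chosen attachment name) to a safe file name:
    drop directory components, keep only [A-Za-z0-9._-], and never yield an empty or
    dot-only name. Assumed policy for this example, not the tool's own."""
    base = re.split(r'[\\/]', name)[-1]
    base = re.sub(r'[^A-Za-z0-9._-]', '_', base)
    return base.strip('.') or 'unnamed'


def write_nameext(doc, outdir, extension):
    """Write every item as <sanitized name>.<extension> (the nameext idea); items whose
    sanitized names collide get a numeric suffix instead of overwriting each other."""
    if outdir is None:
        outdir = tempfile.mkdtemp(prefix='myjson_')
    os.makedirs(outdir, exist_ok=True)
    used = set()
    written = []
    for item in doc['items']:
        stem = sanitize_name(item['name'])
        candidate = '%s.%s' % (stem, extension)
        counter = 2
        while candidate in used:
            candidate = '%s_%d.%s' % (stem, counter, extension)
            counter += 1
        used.add(candidate)
        path = os.path.join(outdir, candidate)
        with open(path, 'wb') as f:
            f.write(item_content(item))
        written.append(path)
    return written


if __name__ == '__main__':
    # Constructed items, including a traversal-style name and a duplicate name.
    doc = make_myjson([('a.txt', b'hello world'),
                       ('..\\..\\evil.bat', b'@echo off'),
                       ('a.txt', b'duplicate')])
    first_five = transform_items(doc, lambda data: data[:5])   # what -f 'lambda data: data[:5]' would do
    print([item_content(i) for i in first_five['items']])
    for path in write_nameext(doc, None, 'vir'):
        print('wrote', path)
```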

myjson-filter_V0_0_8.zip (http)
MD5: 6A899FB406C60F078F2B9E8310F9F2E0
SHA256: 7F5E5DA0C51DB2FF8A1A622925008770D5810D4967D313DEBA9C5ECBB7D99D14

Friday 30 May 2025

Update: oledump.py Version 0.0.82

Filed under: My Software,Update — Didier Stevens @ 0:00

This oledump update brings option --trimnull and updates plugin_vba_dir with option -f (--force).

oledump_V0_0_82.zip (http)
MD5: 9133DB7CF8F4B69458842518CEAC6F88
SHA256: 7F634930C9B5986EFDC6016B05F67A3058B1B3710D0F3DB052C7FC993A859CB4


Blog at WordPress.com.