Didier Stevens

Saturday 14 March 2020

Update: cmd.dll Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 15:24

I noticed that I didn’t post the latest version of my cmd.dll program.

And I looked into moving this code to the new ReactOS builder, but that still does not offer 64-bit builds, thus I’m postponing this migration.

cmd-dll_v0_0_5.zip (https)
MD5: 9BDBB368CDB576BDC05DDE76BC30702F
SHA256: 4757333DD509C77504E3FFCD1B01A2FFC6EC80AE518AE9CD787E80BF1281806D

Wednesday 11 March 2020

CLSIDs in OLE Files

Filed under: maldoc,My Software — Didier Stevens @ 0:00

Directory entries in “OLE” files (Compound File Binary Format) have a GUID field. Like this “Root Entry” inside a binary Word document file (Doc1.doc):

The GUID value found in this directory entry is: 00020906-0000-0000-C000-000000000046 (the endianness of GUIDs is mixed-endian: it’s a mix of little-endian and big-endian).

This GUID is a COM class id (CLSID) for Word.

You can display the CLSID with oledump.py using option -E to display extra information. Use parameter %CLSID% to display the CLSID, like this:

No class IDs were displayed in this output, and that’s because all the CLSID fields in the directory entries of these streams are zero (16 0x00 bytes). Most of the time, streams in Office documents have no CLSID. You’re more likely to find CLSIDs inside the directory entries of storages. To include storages in oledump’s output, use option --storages like this:

Starting with version 0.0.46, oledump.py will also display the Root Entry. And as can be seen in the above output, the Root Entry of this .doc file has a CLSID.

Philippe Lagadec, the developer of olefile and oletools, maintains a list of CLSIDs relevant to Office documents.

When oletools is installed, oledump.py looks up CLSIDs in this list when you use parameter %CLSIDDESC% (CLSID description). Here is the same command as before, but with parameter %CLSIDDESC%:

This result shows that 00020906-0000-0000-C000-000000000046 is COM Object “Microsoft Word 97-2003 Document (Word.Document.8)”.


Class IDs can also be found inside some streams, and that’s why I developed a new oledump.py plugin: plugin_clsid.py.

This plugin searches for CLSIDs (defined in oletools) inside streams. Like in this malicious document:

With the class IDs found in this stream, one can quickly conclude that this must be an exploit for the URL moniker.

And here is the Root Entry CLSID for this document:


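The two mechanics described in this post, decoding the mixed-endian CLSID field of a directory entry and searching a stream's bytes for known CLSIDs (what plugin_clsid.py does), as an added example. This is not oledump.py's or oletools' code: the CLSID table here is a one-entry stand-in (only the Word CLSID from this post) for the oletools list, the field offsets follow the Compound File Binary Format directory entry layout (CLSID at byte offset 80 of a 128-byte entry), and the "Root Entry" bytes are constructed test data.

```python
import struct
import uuid

# Constructed stand-in for the oletools CLSID list (assumption: only the one
# CLSID discussed in this post; the real list is far longer).
KNOWN_CLSIDS = {
    "00020906-0000-0000-C000-000000000046":
        "Microsoft Word 97-2003 Document (Word.Document.8)",
}

DIRENTRY_SIZE = 128   # a CFB directory entry is always 128 bytes
CLSID_OFFSET = 80     # the 16-byte CLSID field starts at byte 80
NULL_CLSID = b"\x00" * 16


def clsid_from_bytes(raw):
    """Decode 16 on-disk bytes as an uppercase GUID string.

    Mixed-endian: the first three fields (uint32, uint16, uint16) are stored
    little-endian, the remaining 8 bytes are stored in order (big-endian)."""
    if len(raw) != 16:
        raise ValueError("CLSID field must be 16 bytes")
    data1, data2, data3 = struct.unpack("<IHH", raw[:8])
    tail = raw[8:]
    return "%08X-%04X-%04X-%s-%s" % (
        data1, data2, data3, tail[:2].hex().upper(), tail[2:].hex().upper())


def clsid_to_bytes(text):
    """Inverse of clsid_from_bytes: the mixed-endian form as stored on disk."""
    return uuid.UUID(text).bytes_le


def directory_entry_clsid(entry):
    """CLSID string of one directory entry, or None when the field is all zero
    (the common case for streams, as the post notes)."""
    if len(entry) != DIRENTRY_SIZE:
        raise ValueError("directory entry must be %d bytes" % DIRENTRY_SIZE)
    raw = entry[CLSID_OFFSET:CLSID_OFFSET + 16]
    if raw == NULL_CLSID:
        return None
    return clsid_from_bytes(raw)


def scan_stream_for_clsids(data, table=KNOWN_CLSIDS):
    """Search a stream's bytes for every known CLSID in its on-disk byte form.
    Returns a sorted list of (offset, clsid, description) tuples."""
    hits = []
    for text, description in table.items():
        needle = clsid_to_bytes(text)
        start = 0
        while True:
            pos = data.find(needle, start)
            if pos < 0:
                break
            hits.append((pos, text, description))
            start = pos + 1
    return sorted(hits)


def build_root_entry(clsid_text):
    """Construct a minimal 128-byte 'Root Entry' directory entry (test data)."""
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(DIRENTRY_SIZE)
    entry[:len(name)] = name
    struct.pack_into("<H", entry, 64, len(name))  # name length incl. terminator
    entry[66] = 5                                 # object type 5 = root storage
    entry[CLSID_OFFSET:CLSID_OFFSET + 16] = clsid_to_bytes(clsid_text)
    return bytes(entry)


if __name__ == "__main__":
    word = "00020906-0000-0000-C000-000000000046"
    root = build_root_entry(word)
    print("Root Entry CLSID:", directory_entry_clsid(root))
    blob = b"constructed stream " + clsid_to_bytes(word) + b" trailing bytes"
    for offset, clsid, description in scan_stream_for_clsids(blob):
        print("0x%04X %s %s" % (offset, clsid, description))
```

To run this against a real document, read the directory sectors with olefile (or oledump.py itself) and pass each 128-byte entry to directory_entry_clsid, and each stream's content to scan_stream_for_clsids; a CLSID hit inside a stream is a lead to investigate, not proof of an exploit by itself.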

Tuesday 10 March 2020

Update: oledump.py Version 0.0.48

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py brings an update to plugin_biff (improved formula parsing) and fixes for Python 3.


oledump_V0_0_48.zip (https)
MD5: B869EC84DB4F10596212A2B67CF2C684
SHA256: 0E66E3EA42D5761301E0643A27D892B3C4531CCC2E4C95373ECE9B7AD7E6DAC6

Sunday 8 March 2020

Update: oledump.py Version 0.0.47

Filed under: My Software,Update — Didier Stevens @ 22:22

This new version of oledump.py brings Root Entry listing with option --storages and the %CLSIDDESC% extra parameter.

plugin_biff.py is updated to be faster and has new options -X and -d (pure hexadecimal dump and binary dump).

plugin_clsid.py is a new plugin.

More details in coming blog posts and ISC diary entries.


oledump_V0_0_47.zip (https)
MD5: E851ED7240C08E9E9E3EBA4A412A46A4
SHA256: F35997537D5C4596E413D08C35A83EBD55CAF587D2D9898DAA9285BC83CAF287

Saturday 7 March 2020

Contextual Grepping: Proxmark3 Key Scan Example

Filed under: My Software — Didier Stevens @ 0:00

Recently I had to extract hexadecimal numbers from the output of a Proxmark3 hf 14a command to use with mfkey. The Proxmark3 forum has a discussion on how to do this.

Here is an example of what I need:

I started doing this manually, and later I wrote a script based on my Python text template.

This is a very specialized script, and I prefer to have more generic scripts. My “algorithm” is the following: search for lines with string AUTH-A, and then take the line 2 lines before that line, and the 3 lines following that line. This can almost be done with a grep command using the context option, but then the grepped line itself and the line just before it would also be selected, and I don’t need them.

My Python text template (process-text-file.py) is not only a template to start developing new scripts that read text files, it is also a stand-alone program that can do grepping, for example. After some time, I realized how I could make a more generic script: add a context option to my Python text template to specify the lines to select as offsets from the grepped line.

Option --grep AUTH-A selects each line from text file forum-example.txt that contains the string AUTH-A. If I only use this option, then only lines with string AUTH-A are the output of my command.

But because I use option --context, I can specify which lines to select relative to the “grepped” line (e.g. the line containing string AUTH-A).

Option “--context -2,1-3” means that I want to output the line 2 lines before the grepped line (-2) and the 3 lines following the grepped line (1-3). The grepped line itself is not part of the output. If I want that too, I reference it as offset 0, like this: “--context -2,0,1-3”.
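The context-offset selection described above, as an added example that is not process-text-file.py's own code. It parses a spec like "-2,1-3" into relative offsets, greps for a fixed string, and emits the lines at those offsets around each hit. Assumptions: ranges are inclusive, offsets that fall outside the file are skipped, and when two hits share context lines those lines are emitted once per hit; the input text is constructed, not real Proxmark3 output.

```python
import re

# Constructed sample input (not Proxmark3 output): two AUTH-A hits, the second
# close enough to the end that some of its context offsets fall outside the file.
SAMPLE_TEXT = """\
record 0: header
record 1: two lines before the first match
record 2: one line before the first match
record 3: AUTH-A first match
record 4: first line after
record 5: second line after
record 6: third line after
record 7: unrelated
record 8: AUTH-A second match near the end
record 9: only line after the second match
"""


def parse_context(spec):
    """Turn "-2,1-3" or "-2,0,1-3" into a sorted list of integer offsets.

    Each comma-separated element is a single offset ("-2", "0") or an
    inclusive range ("1-3"); offsets are relative to the grepped line."""
    offsets = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        m = re.fullmatch(r"(-?\d+)(?:-(-?\d+))?", part)
        if m is None:
            raise ValueError("bad context element: %r" % part)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError("range end before start: %r" % part)
        offsets.update(range(lo, hi + 1))
    return sorted(offsets)


def grep_with_context(lines, needle, spec):
    """Return the lines at the given offsets around every line containing needle.

    Out-of-range offsets (before the first or after the last line) are skipped,
    so a hit on the last line with spec "1-3" simply contributes nothing."""
    offsets = parse_context(spec)
    selected = []
    for index, line in enumerate(lines):
        if needle not in line:
            continue
        for offset in offsets:
            target = index + offset
            if 0 <= target < len(lines):
                selected.append(lines[target])
    return selected


def grep_file_with_context(path, needle, spec):
    """Same selection, reading a text file from disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as handle:
        return grep_with_context(handle.read().splitlines(), needle, spec)


if __name__ == "__main__":
    for line in grep_with_context(SAMPLE_TEXT.splitlines(), "AUTH-A", "-2,1-3"):
        print(line)
```

With spec "-2,1-3" the first hit yields records 1, 4, 5 and 6; the second hit yields records 6 and 9 only, because offsets 2 and 3 point past the end of the input.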


Tuesday 3 March 2020

Overview of Content Published in February

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in February:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog posts:

Sunday 23 February 2020

Update: Python Templates Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

Here is an update to my Python templates (binary and text files).

I’ll explain the updates to each template in upcoming blog posts.

python-templates_V0_0_2.zip (https)
MD5: 082812485D24AD0E3D12F1618BC44367
SHA256: 98DE8BEC508C7E678D294DD630466DA175524D4180C1E8C3A6C06EE11587981E

Saturday 22 February 2020

Update: translate.py Version 0.2.7

Filed under: My Software,Update — Didier Stevens @ 20:29

This update for translate.py, a tool to “Translate bytes according to a Python expression”, adds a new function for XOR multi-byte-key encoding/decoding.

translate_v2_5_7.zip (https)
MD5: 886C1B4C518EA58F972F87980994B976
SHA256: 01E4239E050DE4853AC53020CCE44C9804003A4A2C195974B5B16AEDD1B8E1B1

Monday 17 February 2020

Update: format-bytes.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py brings a new option when extracting bitstreams: producing a stream of 0s & 1s, like this:

Join specifier j:b (option “-f bitstream=…”) produces a bitstream of 0s & 1s, that I can then process further:

The png file I analyze in this example was created with PHP Stegger on the Geocaching Toolbox site.

format-bytes_V0_0_13.zip (https)
MD5: E7A7A344B3B8753553FC5B2E4084D8DA
SHA256: 1F22A1D784DCF1269FFD12E2C9467EE0FB93B0895CC24D04CBBD9696D50945DB

Sunday 16 February 2020

Update: hex-to-bin.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This version of hex-to-bin.py, a simple tool to convert hexadecimal data to binary, can also handle bitstreams (option -b) with this update. If necessary, the bitstream is right-padded with 0s to make the bitstream length a multiple of 8.

Example:

hex-to-bin_V0_0_4.zip (https)
MD5: CBD3D27A2BC703F51FB23F757084BBE1
SHA256: CD70D7644BB353C64DD37AA0717B14967176A1A5E35E5DC6AE163D929BE13AAD
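The bitstream handling from the format-bytes.py (j:b join specifier) and hex-to-bin.py (option -b) posts above, as an added example that is not either tool's own code: bytes to a string of 0s and 1s, and a string of 0s and 1s back to bytes with the right-padding to a multiple of 8 that the hex-to-bin.py post describes. Assumed bit order is most-significant bit first within each byte; the sample inputs are constructed.

```python
def bytes_to_bitstream(data):
    """Render bytes as a string of 0s and 1s, 8 characters per byte, MSB first
    (assumption about the j:b join order; adjust if your data is LSB first)."""
    return "".join(format(byte, "08b") for byte in data)


def bitstream_to_bytes(bits):
    """Convert a string of 0s and 1s to bytes.

    Whitespace (spaces, newlines) is ignored so that wrapped output can be
    pasted in. If the bit count is not a multiple of 8, the stream is
    right-padded with 0s, as hex-to-bin.py -b does."""
    cleaned = "".join(bits.split())
    if cleaned.strip("01"):
        raise ValueError("bitstream may only contain 0 and 1")
    padding = (-len(cleaned)) % 8
    cleaned += "0" * padding
    return bytes(int(cleaned[i:i + 8], 2) for i in range(0, len(cleaned), 8))


def hex_to_bytes(text):
    """The plain (non -b) mode: hexadecimal text to bytes, whitespace ignored."""
    cleaned = "".join(text.split())
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


if __name__ == "__main__":
    # Constructed sample: 10 bits, so 6 zero bits are appended before packing.
    sample_bits = "0100100001"
    print(bitstream_to_bytes(sample_bits).hex())      # 4840
    print(bytes_to_bitstream(b"Hi"))                  # 0100100001101001
    print(hex_to_bytes("48 69").decode("ascii"))      # Hi
```

The padding matters when a bitstream was extracted from an image with a bit count that is not a multiple of 8: without it the last partial byte would be lost, with it the final byte carries trailing zero bits that are not part of the hidden data.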
