Didier Stevens

This version of pecheck adds support for YARA rules and overlays.

pecheck-v0_5_0.zip (https)
MD5: B873F8B5F6D408E4026010F010EA5FC4
SHA256: 7FCE12A8B10BEFF0C991B652CEDE376C187E74F23C603BF1A9250C9E7756AB48

Small changes in this version to handle obfuscation.

emldump_V0_0_9.zip (https)
MD5: 752A6F06290E2A35ACB4C564FA7D72C5
SHA256: 52CA4FB61B3B6FD9AECBA974AB73DCFA5D667086EBE7FDC84DE6F90E4DCC6853

To deal with a particular maldoc sample, I added an option to numbers-to-hex.py to deal with signed bytes (negative and positive numbers used to represent byte values).

Here is a video:

The manual:

Usage: numbers-to-hex.py [options] [[@]file ...]
Program to convert decimal numbers into hex numbers

Arguments:
@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
https://DidierStevens.com

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -i, --ignore          Do not generate an error when a number larger than 255
                        is found
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers per line (1 by default)
  -s, --signed          Numbers are signed bytes: add 256 if negative

Manual:

This program reads lines from the given file(s) or standard input, and
then extracts decimal numbers from each line. A decimal number is a
sequence of digits (optionally prefixed with a dash - for negative
numbers). All numbers found in a line are converted to hexadecimal and
outputed as a line. Hexadecimal numbers are separated by a space
character. If a number is smaller than 0 or larger than 255/0xFF, an
error is generated, except when option -i is used.
Option -s (--signed) indicates that the input numbers are signed
bytes: -1 is 0xFF, -2 is 0xFE, ...
Option -n NUMBER (--number) requires that at least NUMBER numbers are
present in the input line (the default is 1 number).

The hexadecimal numbers are written to standard output, except when
option -o is used. When option -o is used, the numbers are written to
the file specified by option -o.

numbers-to-hex_V0_0_3.zip (https)
MD5: EB8CE35EA272042211B1EADBE4606BE2
SHA256: 1CE2E7C6EF930C56024C0313C9FCE6E96A7FA6FC07893EAF06ACCC05A3D2C528

In this update of my translate program, I added support for searching and replacing with regular expressions.

Option -r (regex) uses a regular expression to search through the file and then calls the provided function with a match argument for each matched string. The return value of the function (a string) is used to replace the matched string.
Option -R (filterregex) is similar to option -r (regex), except that it does not operate on the complete file, but on the file filtered for the regex.

Here are 2 examples with a regex. The input file (test-ah.txt) contains the following: 1234&H41&H42&H43&H444321

The first command will search for strings &Hxx and replace them with the character represented in ASCII by hexadecimal number xx:
translate.py -r “&H(..)” test-ah.txt “lambda m: chr(int(m.groups()[0], 16))”
Output: 1234ABCD4321

The second command is exactly the same as the first command, except that it uses option -R in stead or -r:
translate.py -R “&H(..)” test-ah.txt “lambda m: chr(int(m.groups()[0], 16))”
Output: ABCD

In this output, strings that do not match the regular expression are filtered out.

translate_v2_3_0.zip (https)
MD5: 3C21675A2792DCBAF2EB0222C3D14450
SHA256: B51D4D47213AE7E79E3C9D157F5FC8E26C41AB9A5F3A26CD589F588C03910F2A

I added support for ZIP files to decode-vbe.py

Here is the man page:

Usage: decode-vbe.py [options] [file]
Decode VBE script

Options:
–version   show program’s version number and exit
-h, –help  show this help message and exit
-m, –man   Print manual

Manual:

This program reads from the given file or standard input, and converts the encoded VBE script to VBS.

The provided file can be a password protected ZIP file (with password infected) containing the VBE script.

The content of the VBE script can also be passed as a literal argument. This is similar to a Here Document in Unix.
Start the argument (the “filename”) with character # to pass a literal argument.
Example: decode-vbe.py “##@~^DgAAAA==\ko$K6,JCV^GJqAQAAA==^#~@”
Result: MsgBox “Hello”

It’s also possible to use hexadecimal (prefix #h#) or base64 (prefix #b#) to pass a literal argument.
Example: decode-vbe.py #h#23407E5E4467414141413D3D5C6B6F244B362C4A437F565E474A7141514141413D3D5E237E40
Result: MsgBox “Hello”
Example: decode-vbe.py #b#I0B+XkRnQUFBQT09XGtvJEs2LEpDf1ZeR0pxQVFBQUE9PV4jfkA=
Result: MsgBox “Hello”

decode-vbe_V0_0_2.zip (https)
MD5: 35612087E2D62669E2690573FDE543F2
SHA256: 91A7465FE1F4D291751E6C5D88C51888C914B40C6F187709E33343FF121A116F