Subscribe: Didier Stevens
http://blog.didierstevens.com/feed/
Language: English
Preview: Didier Stevens (blog DidierStevens)



Last Build Date: Thu, 23 Nov 2017 15:29:37 +0000




Update: pcap-rename.py Version 0.0.2 (didierstevens)

Mon, 20 Nov 2017 00:00:01 +0000

pcap-rename.py is a program to rename pcap files with the timestamp of the first packet in the pcap file. This new version supports big-endian pcap files.
pcap-rename_V0_0_2.zip (https)
MD5: 6EFFA5313946DEAF3363835B1D3C684E
SHA256: 3BA23CC936B49AF83306E486B0BFC9ABAF5BD0B5E3DEF81D8564BCC3810C06B9


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171116-231854.png




WebDAV Traffic To Malicious Sites (didierstevens)

Mon, 13 Nov 2017 00:00:41 +0000

I've observed WebDAV traffic to malicious sites in the past (in proxy logs), and recently I took some time to take a closer look. TL;DR: when files are retrieved remotely with the file:// URI scheme on Windows, Windows will fall back to WebDAV when SMB connections cannot be established. I did my tests with 2 […]


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171112-131154.png




Update: numbers-to-string.py Version 0.0.3 (didierstevens)

Fri, 10 Nov 2017 22:56:39 +0000

This version has a man page now. I use this tool to decode obfuscated strings in malicious scripts:
Usage: numbers-to-string.py [options] [expression [[@]file ...]]
Program to convert numbers into a string
Arguments:
@file: process each file listed in the text file specified
wildcards are supported
Source code put in the public domain by Didier Stevens, […]


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171110-234624.png




Update: oledump.py Version 0.0.30 (didierstevens)

Mon, 06 Nov 2017 00:00:16 +0000

This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blogpost.
oledump_V0_0_30.zip (https)
MD5: BBD53C65FC40891E2125B9808F507E4A
SHA256: 78CDC8C8BCD651A3578F567D24FD88300600E02520B2D75F45448E4FB480FEB0


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171101-181652.png




Update: pecheck.py Version 0.7.1 (didierstevens)

Sun, 05 Nov 2017 00:00:11 +0000

This new version of pecheck.py adds support for option -g to select a section.
pecheck-v0_7_1.zip (https)
MD5: D5907442424C527A9937CFA65377C9BD
SHA256: BF2F162D108F17F350111645B8DFFE5D3641065CB6EE3CE318FCBEC83507917B


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171104-210813.png




Update: cut-bytes.py Version 0.0.6 (didierstevens)

Sat, 04 Nov 2017 00:00:09 +0000

This new version of cut-bytes.py brings a small cosmetic change to the way a hex/ASCII dump is displayed: an extra space is added between the 8th and 9th byte of the hexdump. This was suggested to me by an attendee of the last private training I gave.
cut-bytes_V0_0_6.zip (https)
MD5: 7F726219F6F601018B4BD39E9A407728
SHA256: BFD80EF00455CD938A05A18EAA33551ABEC6B0298A0AEE81052E6F5A12BB86F7


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171103-222237.png




Update: byte-stats.py Version 0.0.7 (didierstevens)

Fri, 03 Nov 2017 20:59:41 +0000

My tool byte-stats.py calculates statistics for the files it analyzes. With option -l (and -p), it produces a list of values for different parts of the file (buckets), for example a list of entropy values. With this, one can get an idea of how the entropy changes inside a file. But as the saying goes, […]


Media Files:
http://didierstevens.files.wordpress.com/2017/11/20171101-222600.png




Analyzing Metasploit's Office Maldoc (didierstevens)

Thu, 02 Nov 2017 00:00:40 +0000

Metasploit has a module to create a Microsoft Word document with macros (.docm): office_word_macro. Documents generated with this module are not that hard to analyze and detect, because they always use the same VBA code. As I explain in my workshops and trainings, although the "new" Office file format (OOXML) is a ZIP container for XML […]






Overview of Content Published In October (didierstevens)

Wed, 01 Nov 2017 00:00:17 +0000

Here is an overview of content I published in October:
Blog posts:
Quickpost: Mimikatz DCSync Detection
Update: oledump.py Version 0.0.29
Update: base64dump.py Version 0.0.8
Update: pdf-parser.py Version 0.6.8
Update: pdfid.py Version 0.2.2
Analyzing A Malicious Document Cleaned By Anti-Virus
SANS ISC Diary entries:
A strange JPEG file
Peeking into .msg files
It's in the signature. […]






Analyzing A Malicious Document Cleaned By Anti-Virus (didierstevens)

Tue, 31 Oct 2017 00:00:08 +0000

@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros. I've seen this once before: this is a malicious document that has been cleaned by an anti-virus program. The macros have been disabled by orphaning the streams containing macros, just like when a file is […]


Media Files:
http://didierstevens.files.wordpress.com/2017/10/20171022-142001.png