Didier Stevens - RSS Feed

(blog 'DidierStevens')

Latest articles

Overview of Content Published in December

Here is an overview of content I published in December:

Blog posts:
MiTM Cobalt Strike Network Traffic
Update: base64dump.py Version 0.0.19
Update: cs-decrypt-metadata.py Version 0.0.4
Update: cs-parse-traffic.py Version 0.0.4
Update: 1768.py Version 0.0.11
Update: cs-extract-key.py Version 0.0.4
Update: cs-analyze-processdump.py...

Update: base64dump.py Version 0.0.20

This new version brings a new encoding: zxcn. zxcn stands for “zero x comma no-leading zero”, and is very similar to zxc encoding (zero x comma). Example of zxc: 0x90,0x0A,0x4D,0x5A. Note the leading zero for value 0x0A (values smaller than 0x10). With zxcn encoding, there is no leading zero for values smaller...

Update: pecheck Version 0.7.14

This new version of pecheck adds support for dumping files (-D) while using option -l P.

pecheck-v0_7_14.zip (https)
MD5: 3B5CED47987F0395CC4BC795A938EA4A
SHA256: 547941BD830C22586CE0C509DE8406424C2EB02D0C5FEAA555C43C77FCCDE33D

VBA: __SRP_ Streams

Office documents with a VBA project that contains streams whose names start with __SRP_ have had their VBA macros executed at least once. As Dr. Bontchev describes in the documentation for his pcodedmp tool: When the p-code has been executed at least once, a further tokenized form of it is stored elsewhere in the document (in streams,...

Update: cs-analyze-processdump.py Version 0.0.3

This new version brings some options to guide the XOR-key detection algorithm. The beacon’s AES and HMAC keys are contained in writable process memory: my tool cs-extract-key.py can detect these keys. But the beacon can be configured to encode these keys while it is sleeping. This feature is called a sleep mask, and uses a 13-byte long XOR...
