Didier Stevens, Author at Forensic Blogs

December 31, 2021 by Didier Stevens

Overview of Content Published in December

Here is an overview of content I published in December: Blog posts: MiTM Cobalt Strike Network Traffic Update: base64dump.py Version 0.0.19 Update: cs-decrypt-metadata.py Version 0.0.4 Update: cs-parse-traffic.py Version 0.0.4 Update: 1768.py Version 0.0.11 Update: cs-extract-key.py Version 0.0.4 Update: cs-analyze-processdump.py Version 0.0.3 VBA: __SRP_ Streams Update: pecheck Version 0.7.14 Update: base64dump.py Version 0.0.20 YouTube videos: MSBuild & Cobalt Strike SANS ISC Diary entries: Office 2021: VBA Project Version TShark Tip: Extracting Field Values From Capture Files Quicktip: TShark’s Options -e and -T

December 30, 2021 by Didier Stevens

Update: base64dump.py Version 0.0.20

This new version brings a new encoding: zxcn

zxcn stands for “zero x comma no-leading zero”, and is very similar to zxc encoding (zero x comma).

Example of zxc: 0x90,0x0A,0x4D,0x5A

Remark the leading zero for value 0x0A (values smaller than 0x10).

With zxcn encoding, there is no leading zero for values smaller than 0x10.

Thus the example for zxcn becomes: 0x90,0xA,0x4D,0x5A

base64dump_V0_0_20.zip (https)
MD5: 10E130F7B989EDDBF03092B8AA0585E1
SHA256: BD7ADF465CA89B10D0591A6D73E6E97DA3EF313EA7C28C90DD59F0A5CBBEB9CD

December 29, 2021 by Didier Stevens

Update: pecheck Version 0.7.14

This new version of pecheck adds support for dumping files (-D) while using option -l P.

pecheck-v0_7_14.zip (https)
MD5: 3B5CED47987F0395CC4BC795A938EA4A
SHA256: 547941BD830C22586CE0C509DE8406424C2EB02D0C5FEAA555C43C77FCCDE33D