Didierstevens - blog.didierstevens.com - Didier Stevens
General Information:
Latest News:
Quickpost: Proxy Cookies 24 Aug 2013 | 04:20 pm
Cookies set bij network proxies can be identified by their name. BlueCoat proxy cookies start with BCSI-CS-. Cisco IronPort proxy cookies start with iptac-. The string after iptac is the serial numb...
A Bit More Than A Signature 14 Aug 2013 | 12:07 am
Soon I’ll release new versions of my Authenticode Tools. Detecting extra data in the signature field is one of the new features. For example, it will analyze the size specified in the optional header...
Quickpost: Rovnix PCAP 5 Aug 2013 | 02:04 am
Microsoft’s Malware Protection Center has a blogpost on a version of Rovnix that uses its own TCP/IP stack. I used Wireshark to capture the network traffic generated by this sample when it is execute...
OHM2013 29 Jul 2013 | 05:00 am
I’m attending OHM2013. To mark the occasion of this outdoor hacker conference taking place every 2 years, I’m doing a 20% promo on my workshop videos. In case you missed it, I posted this during the ...
MSI: The Case Of The Invalid Signature 27 Jul 2013 | 03:01 am
I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Lik...
Update: Lookup Tools 26 Jul 2013 | 01:11 am
It looks like I didn’t release this update to my lookup tools. lookup-hosts.py has a new argument: -R. This does a reverse lookup of the IP addresses (thus after it resolved the hostname). And now y...
Update: js-unicode-unescape.1sc 18 Jul 2013 | 11:36 pm
Because I had to use a workaround in my js-unicode-unescape.1sc script to copy an array of bytes to the clipboard, I asked the 010 Editor developers if they could add a function that does exactly this...
The Art Of Defuzzing 11 Jul 2013 | 02:05 am
I had something of a puzzle to solve. A friend asked me to look at a set of files, all of the same size, but with some differences. After some analysis, it dawned on me that these files were the resu...
Update: virustotal-search.py 4 Jul 2013 | 01:09 am
Mark Woan reported an issue with virustotal-search.py: sometimes VirusTotal returns a JSON object that the json parser can’t parse. That’s something I didn’t expect. I’ve added error handling for thi...
shellcode2vba 24 Jun 2013 | 09:00 am
This update adds x64 shellcode support to my shellcode2vbs.py script. shellcode2vba_v0_3.zip (https) MD5: 44AF2685975346F9DE09E48E7FB855CE SHA256: 04C42FA26717CCC7BC17A7BEDA02C746CA1A8BC8C6CE184670...