### Pipeline Example - OLE Stream Extraction and Decoding Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Demonstrates piping the output of oledump.py (extracting an OLE stream) to base64dump.py for decoding, showcasing tool integration. ```bash python oledump.py -s 7 -d document.doc | python base64dump.py ``` -------------------------------- ### Pipeline Example - PDF Object Extraction and YARA Scanning Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Shows how to pipe extracted PDF objects from pdf-parser.py to yara-scan.py for threat detection. ```bash python pdf-parser.py -o 5 -f -d suspicious.pdf | python yara-scan.py rules.yara ``` -------------------------------- ### emldump.py - Email Parsing Examples Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Use emldump.py to extract specific MIME parts or get detailed metadata from email files. Supports JSON output for structured analysis. ```bash python emldump.py -t application/octet-stream message.eml ``` ```bash python emldump.py -E message.eml ``` ```bash cat message.eml | python emldump.py ``` ```bash python emldump.py -t text message.eml ``` ```bash python emldump.py --jsonoutput message.eml > email_analysis.json ``` -------------------------------- ### Show Entry Point Info of PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Display information about the entry point of a PE file using pecheck.py. This indicates where the program execution begins. ```bash python pecheck.py -E malware.exe ``` -------------------------------- ### Basic PE File Analysis with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Perform basic analysis on Windows PE files using pecheck.py. This provides an initial overview of the executable's structure and properties. ```bash python pecheck.py malware.exe ``` -------------------------------- ### hash.py - File Hashing Utility Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Calculates various file hashes (MD5, SHA1, SHA256, CRC32, humanhash) with options for recursion, validation against a list, comparison, and renaming files based on their hash. ```bash python hash.py file.exe ``` ```bash python hash.py -a md5 file.exe ``` ```bash python hash.py -a sha256 file.exe ``` ```bash python hash.py -a crc32 file.exe ``` ```bash python hash.py --recursedir /path/to/files/ ``` ```bash python hash.py -V hashes.txt ``` ```bash python hash.py -C file1.exe file2.exe ``` ```bash python hash.py -s csv file.exe ``` ```bash python hash.py --rename sha256 *.exe ``` ```bash python hash.py --humanhash file.exe ``` ```bash python hash.py --jsoninput < files.json ``` ```bash python hash.py -V hashes.txt --unvalidatedhashes ``` -------------------------------- ### Show All Sections in PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Display all sections of a PE file using pecheck.py. This helps in understanding the different parts of the executable, such as code and data segments. ```bash python pecheck.py -o s malware.exe ``` -------------------------------- ### Initialize UI State Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Initializes the UI by setting elements to visible if the 'ct' form field is empty. Assumes a form element named 'f' exists in the scope. ```javascript function Initialize() { if (f.ct.value == "") SetVisible(); } ``` -------------------------------- ### List Parts in Email with emldump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Use emldump.py to list all parts (headers, body, attachments) of an email (MIME) file. This provides an overview of the email's structure. ```bash python emldump.py message.eml ``` -------------------------------- ### Use PEiD Signature Database with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Analyze a PE file using a custom PEiD signature database with pecheck.py. This helps in identifying packers and other specific file properties. ```bash python pecheck.py userdb.txt malware.exe ``` -------------------------------- ### Use pdfid.py Plugins for Extended Analysis Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extend the analysis capabilities of pdfid.py by using plugins. Specify the plugin script to use for enhanced examination of PDF documents. ```bash python pdfid.py -p plugin_embeddedfile.py document.pdf ``` -------------------------------- ### AES Helper Functions and Constants Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Contains the Sbox lookup table, Rcon round constants, and utility functions for word manipulation used in AES key expansion. ```javascript t<4; t++) w[i][t] = w[i-Nk][t] ^ temp[t]; } return w; } function SubWord(w) { // apply SBox to 4-byte word w for (var i=0; i<4; i++) w[i] = Sbox[w[i]]; return w; } function RotWord(w) { // rotate 4-byte word w left by one byte var tmp = w[0]; for (var i=0; i<3; i++) w[i] = w[i+1]; w[3] = tmp; return w; } // Sbox is pre-computed multiplicative inverse in GF(2^8) used in SubBytes and KeyExpansion [§5.1.1] var Sbox = [0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76, 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0,0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0, 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc,0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15, 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a,0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75, 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0,0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84, 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b,0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf, 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85,0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8, 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5,0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2, 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17,0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73, 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88,0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb, 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c,0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79, 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9,0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08, 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6,0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a, 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e,0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e, 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94,0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf, 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68,0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16]; // Rcon is Round Constant used for the Key Expansion [1st col is 2^(r-1) in GF(2^8)] [§5.2] var Rcon = [ [0x00, 0x00, 0x00, 0x00], [0x01, 0x00, 0x00, 0x00], [0x02, 0x00, 0x00, 0x00], [0x04, 0x00, 0x00, 0x00], [0x08, 0x00, 0x00, 0x00], [0x10, 0x00, 0x00, 0x00], [0x20, 0x00, 0x00, 0x00], [0x40, 0x00, 0x00, 0x00], [0x80, 0x00, 0x00, 0x00], [0x1b, 0x00, 0x00, 0x00], [0x36, 0x00, 0x00, 0x00] ]; ``` -------------------------------- ### Analyze Cobalt Strike Beacon Configuration Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Analyzes and decrypts Cobalt Strike beacon configurations from PE files, shellcode, or memory dumps. Supports various output formats and options for obfuscated configurations. ```bash python 1768.py beacon.exe ``` ```bash python 1768.py beacon.zip ``` ```bash python 1768.py -J beacon.exe > beacon_config.json ``` ```bash python 1768.py -l "APT_GROUP:12345678,PENTESTER:87654321" beacon.exe ``` ```bash python 1768.py -c beacon.exe ``` ```bash python 1768.py -x beacon.exe ``` ```bash python 1768.py -V beacon.exe ``` ```bash python 1768.py -S beacon.exe ``` ```bash python 1768.py -H beacon.exe ``` -------------------------------- ### Scan PE File with YARA Rules using pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Scan a PE file with YARA rules using pecheck.py. This is crucial for detecting known malware signatures or specific characteristics within executables. ```bash python pecheck.py -y packer_rules.yara malware.exe ``` -------------------------------- ### Extract and Analyze Resources in PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract and analyze the resources section of a PE file using pecheck.py. This can reveal embedded icons, dialogs, or other data. ```bash python pecheck.py -o r malware.exe ``` -------------------------------- ### Verbose Signature Analysis with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Perform a verbose analysis of the digital signature for a PE file using pecheck.py. This provides more detailed information about the signature's properties. ```bash python pecheck.py --verbose -a malware.exe ``` -------------------------------- ### Analyze Digital Signature of PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Examine the digital signature of a PE file using pecheck.py. This helps verify the authenticity and integrity of the executable. ```bash python pecheck.py -a malware.exe ``` -------------------------------- ### JSON Output for Automation with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Generate JSON output from base64dump.py for automated processing. This provides structured results for scripting and analysis pipelines. ```bash python base64dump.py --jsonoutput malware.txt > results.json ``` -------------------------------- ### strings.py - Extract Strings from Binary Files Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extracts ASCII and Unicode strings from binary files. Options include filtering by length, type, uniqueness, whitespace inclusion, regex matching, and trimming. ```bash python strings.py malware.exe ``` ```bash python strings.py -n 10 malware.exe ``` ```bash python strings.py -L malware.exe ``` ```bash python strings.py -u malware.exe ``` ```bash python strings.py -t a malware.exe ``` ```bash python strings.py -t u malware.exe ``` ```bash python strings.py -w malware.exe ``` ```bash python strings.py -g "http[s]?://" malware.exe ``` ```bash python strings.py -T 80 malware.exe ``` ```bash python strings.py -o malware.exe ``` ```bash python strings.py -f "password|secret|key" malware.exe ``` ```bash python strings.py -c 0:10000 malware.exe ``` -------------------------------- ### Dump All Files from ZIP to Disk with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract all files from a ZIP archive to disk, writing them based on their hash, using zipdump.py. This is useful for forensic analysis or backup. ```bash python zipdump.py --write hash archive.zip ``` -------------------------------- ### Scan Decoded Content with YARA using base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Scan the decoded content of strings using YARA rules with base64dump.py. This integrates with threat intelligence for malware detection. ```bash python base64dump.py -y malware.yara malware.txt ``` -------------------------------- ### Encrypt Message and Generate HTML Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Encrypts a message using AES, then constructs an HTML string containing the current page's content. It temporarily hides UI elements during encryption and then restores them. The generated HTML is placed in the 'ciphertext' field. Assumes 'AESEncryptCtr' function and form 'f' are available. ```javascript function CmdEncrypt() { var sLT = String.fromCharCode(60); var sGT = String.fromCharCode(62); var sPwSave = f.pw.value; var sMessageSave = f.message.value; SetHidden(); f.ct.value = AESEncryptCtr(f.message.value, f.pw.value, 256); f.pw.value = ""; f.message.value = ""; f.ciphertext.value = ""; var sHTML = sLT + "html" + sGT + "\n" + document.body.parentNode.innerHTML + sLT + "/html" + sGT + "\n"; SetVisible(); f.pw.value = sPwSave; f.message.value = sMessageSave; f.ciphertext.value = sHTML; f.ciphertext.focus(); f.ciphertext.select(); } ``` -------------------------------- ### Strip Overlay and Save PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Remove the overlay data from a PE file and save the modified executable using pecheck.py. This is useful for cleaning files or preparing them for analysis. ```bash python pecheck.py -g s malware.exe -w stripped.exe ``` -------------------------------- ### Show Detailed Info in ZIP Archive with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Display detailed information about the ZIP archive and its contents using zipdump.py. This provides a comprehensive analysis of the archive. ```bash python zipdump.py -i archive.zip ``` -------------------------------- ### Open Password-Protected ZIP with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Analyze password-protected ZIP archives using zipdump.py by providing the password. This enables access to encrypted archive contents. ```bash python zipdump.py -p infected archive.zip ``` -------------------------------- ### Hex Dump of Email Part with emldump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt View the hexadecimal representation of a specific email part using emldump.py. This allows for low-level inspection of email content. ```bash python emldump.py -s 3 -x message.eml ``` -------------------------------- ### Try Password List for Encrypted ZIP with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Attempt to decrypt encrypted ZIP archives using a list of passwords with zipdump.py. This is useful for brute-forcing or testing common passwords. ```bash python zipdump.py --passwordfile passwords.txt archive.zip ``` -------------------------------- ### Analyze ZIP Structure with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Examine the internal structure of a ZIP archive using zipdump.py. This can reveal information about compression methods and file organization. ```bash python zipdump.py -e archive.zip ``` -------------------------------- ### AES KeyExpansion Function Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Generates the expanded key schedule from the initial cipher key. This schedule is used throughout the encryption and decryption process. ```javascript function KeyExpansion(key) { // generate Key Schedule (byte-array Nr+1 x Nb) from Key [§5.2] var Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES) var Nk = key.length/4 // key length (in words): 4/6/8 for 128/192/256-bit keys var Nr = Nk + 6; // no of rounds: 10/12/14 for 128/192/256-bit keys var w = new Array(Nb*(Nr+1)); var temp = new Array(4); for (var i=0; i 6 && i%Nk == 4) { temp = SubWord(temp); } for (var t=0; t<4; t++) ``` -------------------------------- ### Analyze OLE/Compound Binary Files Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Analyzes OLE files, extracts embedded streams, detects VBA macros, and scans for malicious content. Supports OOXML files and password-protected ZIP archives. ```bash python oledump.py document.doc ``` ```bash python oledump.py -s 7 -v document.doc ``` ```bash python oledump.py -s 3 -d document.doc ``` ```bash python oledump.py -s 3 -d document.doc > extracted_stream.bin ``` ```bash python oledump.py -y malware_rules.yara document.doc ``` ```bash oledump.py document.docx ``` ```bash python oledump.py -i document.doc ``` ```bash python oledump.py -p plugin_vba.py document.doc ``` ```bash python oledump.py --jsonoutput document.doc > analysis.json ``` ```bash python oledump.py --password infected malware.zip ``` -------------------------------- ### Use Different Encoding Types with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Analyze strings using various encoding types with base64dump.py, including hex, all supported types, or custom hex XOR. ```bash python base64dump.py -e hex malware.txt ``` ```bash python base64dump.py -e all malware.txt ``` ```bash python base64dump.py -e zxle malware.txt ``` -------------------------------- ### Sort Output by Decoded Length with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Sort the output of base64dump.py based on the length of the decoded strings. This can help prioritize larger or more significant findings. ```bash python base64dump.py --sort malware.txt ``` -------------------------------- ### Extract and Decode Base64 Strings with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Use base64dump.py to find and decode base64 strings from files. This tool is effective for analyzing obfuscated malware and scripts. ```bash python base64dump.py malware.txt ``` -------------------------------- ### List Groups in RTF File with rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Use rtfdump.py to list all groups within an RTF file. This provides an overview of the structure and content of the document. ```bash python rtfdump.py document.rtf ``` -------------------------------- ### Show Extra Information with rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Display additional detailed information about the RTF document structure and content using rtfdump.py. This provides deeper insights into the file. ```bash python rtfdump.py -E document.rtf ``` -------------------------------- ### JSON Output for Automation with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Generate JSON output from zipdump.py for automated processing of ZIP archive contents. This provides structured data for scripting. ```bash python zipdump.py --jsonoutput archive.zip > contents.json ``` -------------------------------- ### List ZIP Contents with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Use zipdump.py to list the contents of a ZIP archive, including metadata for each file. This provides an overview of the archive's structure. ```bash python zipdump.py archive.zip ``` -------------------------------- ### JSON Output for Analysis with rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Generate JSON output from rtfdump.py for structured analysis and automation. This provides machine-readable results of the RTF document. ```bash python rtfdump.py --jsonoutput document.rtf > analysis.json ``` -------------------------------- ### Force PDF Analysis with pdfid.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Force pdfid.py to analyze a file even if it's not a valid PDF. This is helpful for investigating potentially malformed or suspicious files. ```bash python pdfid.py --force suspicious_file ``` -------------------------------- ### Locate PE in Memory Dump with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Find and analyze PE structures within a memory dump file using pecheck.py. This is valuable for forensic analysis of running processes. ```bash python pecheck.py -l PE memdump.bin ``` -------------------------------- ### Set Minimum String Length with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Filter encoded strings based on a minimum length using base64dump.py. This helps to ignore very short, likely irrelevant, encoded data. ```bash python base64dump.py -n 20 malware.txt ``` -------------------------------- ### xmldump.py - XML File Analysis Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Parses XML files, including Office Open XML documents, to extract text content, attributes, and cell data. Supports pretty printing, namespace handling, and encoding specification. ```bash python xmldump.py text document.xml ``` ```bash python xmldump.py wordtext word/document.xml ``` ```bash python xmldump.py pretty document.xml ``` ```bash python xmldump.py elementtext "//title" document.xml ``` ```bash python xmldump.py attributes document.xml ``` ```bash python xmldump.py celltext sheet1.xml ``` ```bash python xmldump.py officeprotection document.xml ``` ```bash python xmldump.py -j pretty document.xml ``` ```bash python xmldump.py -u text document.xml ``` ```bash python xmldump.py --encoding utf-8 text document.xml ``` -------------------------------- ### Hex Dump of ZIP File Content with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt View the hexadecimal dump of a specific file's content within a ZIP archive using zipdump.py. This is useful for low-level analysis of file data. ```bash python zipdump.py -s 2 -x archive.zip ``` -------------------------------- ### Extract Overlay Data from PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract the overlay data (data appended after the PE header) from a PE file using pecheck.py. This is often used for hiding additional payloads. ```bash python pecheck.py -g o malware.exe ``` -------------------------------- ### Recursive Analysis of Nested ZIPs with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Perform recursive analysis on nested ZIP archives within a ZIP file using zipdump.py. This is essential for dissecting complex archives. ```bash python zipdump.py -r archive.zip ``` -------------------------------- ### Scan RTF with YARA Rules using rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Scan the contents of an RTF file using YARA rules with rtfdump.py. This helps in detecting known malicious patterns within RTF documents. ```bash python rtfdump.py -y rtf_exploits.yara document.rtf ``` -------------------------------- ### Dump Decoded Content to File with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Save the decoded content of a specific encoded string to a file using base64dump.py. This is useful for extracting binary payloads. ```bash python base64dump.py -s 3 -d malware.txt > decoded.bin ``` -------------------------------- ### Show Statistics for ZIP Archive with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Display statistical information about a ZIP archive, such as file counts and sizes, using zipdump.py. This provides a summary of the archive's contents. ```bash python zipdump.py --stats archive.zip ``` -------------------------------- ### JSON Output with pdfid.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Obtain JSON formatted output from pdfid.py for easier parsing and automation. This is useful for integrating the tool into larger workflows. ```bash python pdfid.py -j document.pdf ``` -------------------------------- ### Dump Specific Section from PE File with pecheck.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract and display the content of a specific section from a PE file using pecheck.py. This allows for detailed examination of executable segments. ```bash python pecheck.py -D 0 malware.exe ``` -------------------------------- ### Dump Email Attachment to File with emldump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Save a specific email attachment to a file using emldump.py. This is useful for extracting and analyzing potentially malicious attachments. ```bash python emldump.py -s 5 -d message.eml > attachment.bin ``` -------------------------------- ### Select Specific Encoding with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Decode a specific encoded string from a file using base64dump.py by its index. This allows for targeted analysis of particular encoded data. ```bash python base64dump.py -s 3 malware.txt ``` -------------------------------- ### Scan PDF for Threat Indicators Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Quickly scans PDF files to identify potentially dangerous elements like JavaScript, automatic actions, and embedded files. Supports recursive scanning and various output formats. ```bash python pdfid.py document.pdf ``` ```bash python pdfid.py *.pdf ``` ```bash python pdfid.py --scan /path/to/pdfs/ ``` ```bash python pdfid.py -x document.pdf ``` ```bash python pdfid.py -e document.pdf ``` ```bash python pdfid.py -a document.pdf ``` -------------------------------- ### Set UI Element Visibility Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Controls the visibility of specific form elements ('encrypt', 'ciphertext', 'instructions') by setting their CSS 'visibility' style property. Assumes a form element named 'f' exists in the scope. ```javascript function SetVisible() { SetVisibility("visible"); } ``` ```javascript function SetHidden() { SetVisibility("hidden"); } ``` ```javascript function SetVisibility(value) { f.encrypt.style.visibility = value; f.ciphertext.style.visibility = value; f.instructions.style.visibility = value; } ``` -------------------------------- ### Extract Specific Part from Email with emldump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract and display a specific part of an email (e.g., an attachment or a specific MIME part) using emldump.py by its index. ```bash python emldump.py -s 3 message.eml ``` -------------------------------- ### Select and Dump Specific Group with rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract and display the content of a specific group from an RTF file using rtfdump.py. This allows for focused analysis of particular sections. ```bash python rtfdump.py -s 5 document.rtf ``` -------------------------------- ### Find and Extract OLE Objects with rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Identify and extract OLE objects embedded within an RTF file using rtfdump.py. This is crucial for analyzing potentially malicious embedded content. ```bash python rtfdump.py -f O document.rtf ``` -------------------------------- ### Extract Specific File from ZIP with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract a specific file from a ZIP archive by its index using zipdump.py. This allows for targeted retrieval of archive contents. ```bash python zipdump.py -s 3 -d archive.zip ``` -------------------------------- ### Encode Base64 String Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Extends the String object to provide RFC 4648 compliant Base64 encoding. Supports optional UTF8 encoding before conversion. ```javascript var b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="; String.prototype.encodeBase64 = function(utf8encode) { // http://tools.ietf.org/html/rfc4648 utf8encode = (typeof utf8encode == 'undefined') ? false : utf8encode; var o1, o2, o3, bits, h1, h2, h3, h4, e=[], pad = '', c, plain, coded; plain = utf8encode ? this.encodeUTF8() : this; c = plain.length % 3; // pad string to length of multiple of 3 if (c > 0) { while (c++ < 3) { pad += '='; plain += '\0'; } } // note: doing padding here saves us doing special-case packing for trailing 1 or 2 chars for (c=0; c>18 & 0x3f; h2 = bits>>12 & 0x3f; h3 = bits>>6 & 0x3f; h4 = bits & 0x3f; // use hextets to index into b64 string e[c/3] = b64.charAt(h1) + b64.charAt(h2) + b64.charAt(h3) + b64.charAt(h4); } coded = e.join(''); // join() is far faster than repeated string concatenation // replace 'A's from padded nulls with '='s coded = coded.slice(0, coded.length-pad.length) + pad; return coded; } ``` -------------------------------- ### Ignore Whitespace in Base64 with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Decode base64 strings while ignoring whitespace characters using base64dump.py. This handles common variations in base64 encoding. ```bash python base64dump.py -w malware.txt ``` -------------------------------- ### YARA Scan Email Parts with emldump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Scan individual parts of an email file using YARA rules with emldump.py. This helps detect malicious content within email attachments or body. ```bash python emldump.py -y phishing.yara message.eml ``` -------------------------------- ### Parse PDF Documents Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Parses PDF documents to extract and analyze objects, streams, JavaScript, and embedded content. Essential for analyzing malicious PDFs without opening them in a vulnerable reader. ```bash python pdf-parser.py document.pdf ``` ```bash python pdf-parser.py -s javascript document.pdf ``` ```bash python pdf-parser.py -o 5 document.pdf ``` ```bash python pdf-parser.py -o 5 -d document.pdf ``` ```bash python pdf-parser.py -o 5 -f document.pdf ``` ```bash python pdf-parser.py --searchstream "/JavaScript" -f document.pdf ``` ```bash python pdf-parser.py -y pdf_exploits.yara document.pdf ``` ```bash python pdf-parser.py -a document.pdf ``` ```bash python pdf-parser.py -O document.pdf ``` ```bash python pdf-parser.py -o 10 -f -w document.pdf ``` ```bash python pdf-parser.py --hash document.pdf ``` -------------------------------- ### Disarm PDF with pdfid.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Use pdfid.py to remove dangerous elements from a PDF file. This is useful for sanitizing documents before further analysis. ```bash python pdfid.py -d document.pdf ``` -------------------------------- ### AES MixColumns Function Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Implements the MixColumns transformation, which combines the bytes in each column of the state matrix using matrix multiplication in GF(2^8). ```javascript function MixColumns(s, Nb) { // combine bytes of each col of state S [§5.1.3] for (var c=0; c<4; c++) { var a = new Array(4); // 'a' is a copy of the current column from 's' var b = new Array(4); // 'b' is a•{02} in GF(2^8) for (var i=0; i<4; i++) { a[i] = s[i][c]; b[i] = s[i][c]&0x80 ? s[i][c]<<1 ^ 0x011b : s[i][c]<<1; } // a[n] ^ b[n] is a•{03} in GF(2^8) s[0][c] = b[0] ^ a[1] ^ b[1] ^ a[2] ^ a[3]; // 2*a0 + 3*a1 + a2 + a3 s[1][c] = a[0] ^ b[1] ^ a[2] ^ b[2] ^ a[3]; // a0 * 2*a1 + 3*a2 + a3 s[2][c] = a[0] ^ a[1] ^ b[2] ^ a[3] ^ b[3]; // a0 + a1 + 2*a2 + 3*a3 s[3][c] = a[0] ^ b[0] ^ a[1] ^ a[2] ^ b[3]; // 3*a0 + a1 + a2 + 2*a3 } return s; } ``` -------------------------------- ### YARA Scan ZIP Archive Contents with zipdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Scan all files within a ZIP archive using YARA rules with zipdump.py. This helps detect malware or suspicious content within the archive. ```bash python zipdump.py -y malware.yara archive.zip ``` -------------------------------- ### AES Cipher Function Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Implements the main AES cipher function, taking a byte-array input and a key schedule to perform encryption. It applies a specified number of rounds based on the key size. ```javascript function Cipher(input, w) { // main Cipher function [§5.1] var Nb = 4; // block size (in words): no of columns in state (fixed at 4 for AES) var Nr = w.length/Nb - 1; // no of rounds: 10/12/14 for 128/192/256-bit keys var state = [[],[],[],[]]; // initialise 4xNb byte-array 'state' with input [§3.4] for (var i=0; i<4*Nb; i++) state[i%4][Math.floor(i/4)] = input[i]; state = AddRoundKey(state, w, 0, Nb); for (var round=1; round>>16 & 0xff; o2 = bits>>>8 & 0xff; o3 = bits & 0xff; d[c/4] = String.fromCharCode(o1, o2, o3); // check for padding if (h4 == 0x40) d[c/4] = String.fromCharCode(o1, o2); if (h3 == 0x40) d[c/4] = String.fromCharCode(o1); } plain = d.join(''); // join() is far faster than repeated string concatenation return utf8decode ? plain.decodeUTF8() : plain; } ``` -------------------------------- ### Extract Specific Bytes from RTF Group with rtfdump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract a specific range of bytes from an RTF group using rtfdump.py. This allows for precise isolation of data within a group. ```bash python rtfdump.py -s 5 -c 0:1000 document.rtf ``` -------------------------------- ### AES Counter Mode Encryption Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Encrypts text using AES in Counter (CTR) mode. Requires a plaintext string, password, and key size (128, 192, or 256 bits). ```javascript function AESEncryptCtr(plaintext, password, nBits) { var blockSize = 16; // block size fixed at 16 bytes / 128 bits (Nb=4) for AES if (!(nBits==128 || nBits==192 || nBits==256)) return ''; // standard allows 128/192/256 bit keys plaintext = plaintext.encodeUTF8(); password = password.encodeUTF8(); //var t = new Date(); // timer // use AES itself to encrypt password to get cipher key (using plain password as source for key // expansion) - gives us well encrypted key var nBytes = nBits/8; // no bytes in key var pwBytes = new Array(nBytes); for (var i=0; i>> i*8) & 0xff; for (var i=0; i<4; i++) counterBlock[i+4] = nonceMs & 0xff; // and convert it to a string to go on the front of the ciphertext var ctrTxt = ''; for (var i=0; i<8; i++) ctrTxt += String.fromCharCode(counterBlock[i]); // generate key schedule - an expansion of the key into distinct Key Rounds for each round var keySchedule = KeyExpansion(key); var blockCount = Math.ceil(plaintext.length/blockSize); var ciphertxt = new Array(blockCount); // ciphertext as array of strings for (var b=0; b>> c*8) & 0xff; for (var c=0; c<4; c++) counterBlock[15-c-4] = (b/0x100000000 >>> c*8) var cipherCntr = Cipher(counterBlock, keySchedule); // -- encrypt counter block -- // block size is reduced on final block var blockLength = b embedded.bin ``` -------------------------------- ### Encode String to UTF-8 Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Encodes a string into UTF-8. Supports characters in the Basic Multilingual Plane (BMP). Characters from U+0080 to U+07FF are encoded into 2 bytes, and U+0800 to U+FFFF into 3 bytes. ```javascript String.prototype.encodeUTF8 = function() { // use regular expressions & String.replace callback function for better efficiency // than procedural approaches var str = this.replace( /[€-߿]/g, // U+0080 - U+07FF => 2 bytes function(c) { var cc = c.charCodeAt(0); return String.fromCharCode(0xc0 | cc>>6, 0x80 | cc&0x3f); } ); str = str.replace( /[ࠀ-￿]/g, // U+0800 - U+FFFF => 3 bytes function(c) { var cc = c.charCodeAt(0); return String.fromCharCode(0xe0 | cc>>12, 0x80 | cc>>6&0x3F, 0x80 | cc&0x3f); } ); return str; } ``` -------------------------------- ### Decrypt Message Source: https://github.com/didierstevens/didierstevenssuite/blob/master/virtualwill.html Decrypts a ciphertext using AES. If the provided password is 'encrypt', it sets the UI to visible; otherwise, it decrypts the message using AESDecryptCtr and displays it in the 'message' field. Assumes 'AESDecryptCtr' function and form 'f' are available. ```javascript function CmdDecrypt() { if (f.pw.value == "encrypt") SetVisible(); else f.message.value = AESDecryptCtr(f.ct.value, f.pw.value, 256); } ``` -------------------------------- ### Cut Specific Bytes from Decoded Data with base64dump.py Source: https://context7.com/didierstevens/didierstevenssuite/llms.txt Extract a specific byte range from decoded data using base64dump.py. This is useful for isolating parts of a payload. ```bash python base64dump.py -s 3 -c 0:100 malware.txt ```