Applications:
1768: Analyze Cobalt Strike beacons
amsiscan: Scan input with AmsiScanBuffer
AnalyzePESig: Analyze digital signature of PE file
apc-b: Send beacon frames with AirPcap
apc-channel: AirPcap channel hopper
apc-pr-log: AirPcap probe requests logger
Ariad: Tool (driver) to prevent inserted USB sticks from executing code
avr-teensy-pdf-dropper: WinAVR PoC to program Teensy to drop PDF file
base64dump: Extract base64 strings from file
BinaryTools: simple binary tools: reverse (reverses a file) and middle (extract sequence from file)
bpmtk: Basic Process Manipulation Tool Kit
BruteForceEnigma: C# program to bruteforce ENIGMA encoded text
byte-stats: Calculate byte statistics
CASToggle: Utility providing more control over .NET CAS enforcement
Challenger: Small program for simple reverse-engineering challenges
cipher-tool: tool to encode and decode with simple ciphers
cisco-calculate-ssh-fingerprint: Calculate the SSH fingerprint of a Cisco IOS device
ClipboardTransformer: Clipboard utility
cmd-dll: ReactOS cmd.exe transformed into a dll
count: count unique items
CounterHeapSpray: Process hardening tool, my PoC for Microsoft BlueHat Prize Contest
CreateCertGUI: Generate your own OpenSSL certificate
cut-bytes: Cut a section of bytes out of a file
decode-vbe: Decode VBE files
decompress_rtf: Tool to decompress compressed RTF
defuzzer: Generate the original file by combining fuzzed files
disinformational-tweets: Python program to Tweet (obsolete)
disitool: Tool to work with Windows executables digital signatures
DumpStrings: 010 Editor Script to dump strings (integrated since version 4)
EICARgen: Program to generate an EICAR file (EICAR AV test file)
emldump: Analyze MIME files
EnforcePermanentDEP: Enable permanent DEP in the loading process (Windows XP)
extractscripts: Utility to check HTML file and generate a separate file for each script in the HTML file
file-magic: Essentially a wrapper for file (libmagic)
file2vbscript: Embeds executable into vbscript script
FileGen: Command-line program to create test files of different lengths
FileScanner: Tool to scan files for patterns
find-file-in-file: Check if a file is embedded inside another file, even non-contiguous
format-bytes: This is essentially a wrapper for the struct module
fuzzer: 010 Editor Script implementing a simple fuzzer
hash: This is essentially a wrapper for the hashlib module
headtail: Output head and tail of input
HeapLocker: Process hardening tool, a bit like EMET, but open source
hex-to-bin: convert hexadecimal to binary
InstalledPrograms: List installed programs with Excel/VBA
InteractiveSieve: GUI tool to visualize and analyze logs, data, … by “sifting”
jpegdump: JPEG file analysis tool
js-1.5-mod: SpiderMonkey JavaScript interpreter modifications
js-1.7.0-mod: SpiderMonkey JavaScript interpreter modifications
js-unicode-escape: 010 Editor Script to convert bytes to a Unicode escape encoded string for JavaScript
js-unicode-unescape: 010 Editor Script to convert a Unicode escape encoded string to bytes
keihash: Calculate SSH Key Exchange Init (KEI) hash: KEIHash
ListModules: Analyze digital signature of all executables in processes
ListSharesSecurityWithWMI-VS2001: C# example for share security enumeration with WMI
LNKTemplate: 010 Editor Template for LNK file format
LoadDLLViaAppInit: DLL to load other DLLs via appinit registry key
LockIfNotHot: Automatically lock Windows computer when user walks away, requires IR thermometer
lookup-tools: IP-address and hosts lookup tools
LowerMyRights: Restricts the rights of an existing process
make-pdf: Set of Python programs to generate all kinds of PDF files
md5_authenticode: MD5 Authenticode collision PoC
MIFAREACR122: Python program to read and write 1K MIFARE RFID tags with ACR122 contactless reader/writer
MovingXORSelection: 010 Editor Script to perform a moving XOR of the current selection
msoffcrypto-crack: Crack MS Office document password
my-shellcode: My shellcode collection
MyEFSService: PoC for Malicious Cryptography blogpost
MySafeModeService: PoC for Playing with Safe Mode blogpost
NAFT: Network Appliance Forensic Toolkit
NetworkMashup: Network utilities (ping, DNS) written in Excel/VBA
NewPasswordStats: Password auditing password filter
nmap-xml-script-output: nmap xml script output parser
nocalcpoc: No calc PoC
nsrl: NSRL tool
numbers-to-hex: convert decimal numbers into hex numbers
numbers-to-string: convert numbers into a string
oledump: Analyze OLE files (Compound Binary Files)
OllyStepNSearch: Plugin for OllyDbg
password-history-analysis: Program to analyze password history
Paste: paste does the opposite of clip, read the clipboard and write it to stdout
pcap-rename: program to rename pcap files with a timestamp
pdf-parser: PDF analysis program
pdfid: PDF triage program
PDFTemplate: 010 Editor Template for PDF file format
pdftool: Tool to process PDFs
pecheck: wrapper for pefile
peid-userdb-to-yara-rules: Convert PeID userdb to YARA rules
PFTemplate: 010 Editor Template for PF file format
psurveil: Photo Surveillance for N800
python-per-line: Program to evaluate a Python expression for each line in the provided text file(s)
re-search: Program to use Python’s re.findall on files
regedit-dll: ReactOS regedit.exe transformed into a dll
rtfdump: Analyze RTF files
RTStego: Rainbow table steganography
runasil: Launches program with a low integrity level
RunInsideLimitedJob: Start program and run it inside a limited job
SE_ASLR: Force ASLR on Windows Explorer Shell Extensions
search-and-replace-with-wildcards: 010 Editor Script for search and replace with wildcards
SelectMyParent: Launch a program and select its parent
SendtoCLI: GUI tool for CLI commands
setdllcharacteristics: Tool to set DEP, ASLR, … flags of a Windows executable
sets: Set operations on 2 files: union, intersection, subtraction, exclusive or
shellcode2vba: Convert shellcode to VBA
shellcode2vbscript: Convert shellcode to VBScript
ShellCodeLibLoader: ShellCode With a C-Compiler
ShellCodeMemoryModule: Generates DLL-loading shellcode from memory
shift: 010 Editor Script to shift bytes in a file or selection
simple-shellcode-generator: Python program to generate 32-bit shellcode (assembler code)
simple_ip_stats: Process PCAP files to calculate IP data statistics
simple_tcp_stats: Process PCAP files to calculate TCP data statistics
SimpleEncoder: 010 Editor Script to encode current selection by shifting characters
split: Split a text file into X number of files (2 by default)
strings: Strings command in Python
Suspender: DLL that suspends its host process
TaskManager: Windows Task Manager written in Excel/VBA
TestIntegrityCheckFlag: Test program for Using DLLCHARACTERISTICS’ FORCE_INTEGRITY Flag blogpost
translate: Python script to perform bitwise operations on files (like XOR, ROL/ROR, …)
ultraedit_scripts: Collection of UltraEdit scripts
UndeletableSafebootKey: Tool to generate an undeletable Safeboot registry key
USBVirusScan: Launch a program, like an AV scanner, each time USB removable storage is plugged-in
UserAssist: Decode the UserAssist registry data
virtualwill: HTML program to store your will
VirusAlert: C# PoC program that monitors the event log for virus alerts and displays customized messages for the user
virustotal-search: Search VirusTotal for provided hashes
virustotal-submit: Submit files to VirusTotal for scanning
vs: Python program to take surveillance pictures from IP-cameras
what-is-new: Tool to monitor new items
whoami: Firefox addon to identify your profile
WMFTemplate: 010 Editor Template for WMF file format
wmi-sc: WMI script for Security Center data
wsrradial: wi-spy radial WiFi plotting tool
wsrtool: wi-spy wsr files tool
xmldump: This is essentially a wrapper for xml.etree.ElementTree
xor-kpa: XOR known-plaintext attack
XORSearch: Bruteforce a file for XOR, ROL, ROT, SHIFT, … encoding and search for a string
XORSelection: 010 Editor Script to encode current selection with XOR
XORStrings: Bruteforce a file for XOR, ROL, ROT, SHIFT, … encoding and dump strings
zipdump: ZIP dump utility
ZIPEncryptFTP: Zip files, encrypt ZIP file, upload via FTP
zoneidentifier: Manage Zone.Identifier ADS
🍄 Ready for an in-depth analysis from start to finish? This series kicks off by examining an RTF document that leverages an outdated Office exploit. We'll dedicate some time to dissecting the OLE file format with tools like OLEDUMP and OLEDIR. Our video will conclude with identifying and extracting the shellcode 👇 buff.ly/E64scy1
Finally. The thing I found hardest, and spent two days trying to get right, was when I had to make sure the suspicious file is in the same directory as oledump, and Python on the same path.
To sum up the talk about #MSIX files: don’t use oledump anymore, just use zipdump! 😜 #hacklu
5 Sep 2023
Sorry, this one is the tweet by @DidierStevens himself. oledump, I rely on it all the time, thank you m(__)m
New blog post "Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs" blog.didierstevens.com/2023/…
5 Sep 2023
Sharing this: @DidierStevens, the developer of oledump, explains his analysis approach for the case published by JPCERT/CC of a MalDoc hidden inside a PDF.
Nice quick post and tool update from @DidierStevens about the recent @jpcert_en maldoc samples. blog.didierstevens.com/2023/…
20 May 2023
Inflated file size to evade malware sandboxes @thotcon @medic642 @DidierStevens oledump has an MSI plugin to analyze the malware samples
Thank God, I have finished the virtual work experience in cyber security incident response analysis offered by @stc_ksa in cooperation with @MiskKSA. The experience was more practical than educational and focused on three topics: - data analysis on "Splunk" (writing an incident response report) - analysis of suspicious emails (using the "oledump" tool to analyze suspicious files) - developing policies and cyber security awareness in the organization. Thank you @stc_ksa and @MiskKSA for this initiative!
Preventing Framing; Oledump Supports MSI; 3CX Update; PinDuoDuo App Issues; i5c.us/p8436
MSI-based malware on the rise, great to have oledump around.
Update: oledump & MSI Files i5c.us/d29700
28 Feb 2023
An Excel document that abuses a classic equation editor vulnerability (CVE-2017-11882) from @abuse_ch. Despite its age, it's still common in phishing docs. I'll pull the shellcode and the next two stages. We'll use oledump, scdbg, dnspy, and virustotal. youtube.com/watch?v=A2jpx9dP…
WebDav Leads to IcedID; oledump msi plugin; Automatic BEC/Ransomware Disruption; Cisco Vulns; i5c.us/p8386
oledump & MSI Files i5c.us/d29584
The ransomware IV section covers oledump and using CyberChef for deobfuscation, nice. To learn more about maldoc analysis, see my @defcon 27 workshop here: github.com/rj-chap/CFWorksho…
I completed the MalDoc101 challenge (free). It was good practice in using the tools for maldoc analysis: oledump, olevba, CyberChef. cyberdefenders.org/blueteam-… #BlueTeam #DFIR #InfoSec #CyberSecurity via @CyberDefenders
7 Nov 2022
Hex and Regex Forensics Cheat Sheet: sansorg.egnyte.com/dl/ZvGHqv… oledump.py Quick Reference: sansorg.egnyte.com/dl/3ydBhh… Windows cmd cheat sheet: sansorg.egnyte.com/dl/AvZo1d…
Shoutout to @DidierStevens for making such great tools. Being able to pipe msoffcrypto-crack to oledump is so freaking useful. New malicious xlsx files we're seeing contain #encryption and it's a life saver for analyzing the files in #Remnux.
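Two of the posts above come down to the same container format: the one about dissecting the OLE file format with oledump, and the one about piping msoffcrypto-crack into oledump for encrypted xlsx files (an encrypted Office document is itself an OLE file carrying EncryptionInfo and EncryptedPackage streams). The following Python script is an added example, not oledump's code and not written by Didier Stevens or any of the posters. It parses the Compound File Binary header, FAT, directory and mini stream the way oledump's listing does, builds a small constructed sample to run against (the stream name "Module1", the VBA text and the sector layout are invented for the example), dumps a stream, and flags the encrypted-document stream pair.

```python
"""Minimal reader for the OLE / Compound File Binary (CFB) container that
oledump walks.  Added illustration, not oledump's own code; the sample file
built below is constructed here and is not a real malware sample."""
import struct

SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
MINI_CUTOFF = 4096          # streams smaller than this live in the mini stream
KINDS = {1: "storage", 2: "stream", 5: "root"}


def _chain(fat, start):
    """Follow a FAT / mini-FAT chain, refusing loops in malformed files."""
    seen, out = set(), []
    while start < len(fat):             # ENDOFCHAIN / FREESECT are never valid indices
        if start in seen:
            raise ValueError("cyclic sector chain")
        seen.add(start)
        out.append(start)
        start = fat[start]
    return out


def parse_cfb(data):
    """Return (directory entries, stream reader) for a CFB v3/v4 blob."""
    if data[:8] != SIGNATURE:
        raise ValueError("not an OLE compound file")
    sector_shift, mini_shift = struct.unpack_from("<HH", data, 30)
    sec, mini = 1 << sector_shift, 1 << mini_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    first_minifat, n_minifat = struct.unpack_from("<II", data, 60)
    per_sector = "<%dI" % (sec // 4)

    def sector(n):                      # the header occupies "sector -1"
        return data[(n + 1) * sec:(n + 2) * sec]

    fat = []                            # header DIFAT: up to 109 FAT sector numbers
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat.extend(struct.unpack(per_sector, sector(s)))

    entries = []
    for s in _chain(fat, first_dir):
        blob = sector(s)
        for i in range(sec // 128):     # 128-byte directory entries
            e = blob[i * 128:(i + 1) * 128]
            name_len, kind = struct.unpack_from("<HB", e, 64)
            if kind not in KINDS:
                continue                # unallocated slot
            start, size = struct.unpack_from("<IQ", e, 116)
            if sector_shift == 9:
                size &= 0xFFFFFFFF      # v3 files: only the low 32 bits are meaningful
            entries.append({"name": e[:max(name_len - 2, 0)].decode("utf-16-le", "replace"),
                            "type": KINDS[kind], "start": start, "size": size})

    root = next(e for e in entries if e["type"] == "root")
    minifat = []
    for s in _chain(fat, first_minifat)[:n_minifat]:
        minifat.extend(struct.unpack(per_sector, sector(s)))
    ministream = b"".join(sector(s) for s in _chain(fat, root["start"]))

    def read(entry):
        """Return a stream's bytes, from the mini stream or from normal sectors."""
        if entry["type"] != "stream":
            raise ValueError("not a stream: %s" % entry["name"])
        if entry["size"] < MINI_CUTOFF:
            raw = b"".join(ministream[s * mini:(s + 1) * mini]
                           for s in _chain(minifat, entry["start"]))
        else:
            raw = b"".join(sector(s) for s in _chain(fat, entry["start"]))
        return raw[:entry["size"]]

    return entries, read


def listing(data):
    """oledump-style index: (index, type, size, name) per allocated entry."""
    entries, _ = parse_cfb(data)
    return [(i + 1, e["type"], e["size"], e["name"]) for i, e in enumerate(entries)]


def is_encrypted_office(entries):
    """Password-protected Office files are CFB containers with these two streams;
    that is the case where msoffcrypto-crack is piped into oledump."""
    return {"EncryptionInfo", "EncryptedPackage"} <= {e["name"] for e in entries}


SAMPLE_VBA = (b'Attribute VB_Name = "Module1"\r\nSub AutoOpen()\r\n'
              b'    MsgBox "constructed sample"\r\nEnd Sub\r\n')   # constructed, not real macro code


def build_sample():
    """Construct a tiny valid CFB v3 file: sector 0 = FAT, 1 = directory,
    2 = mini FAT, 3 = mini stream holding SAMPLE_VBA (assumed layout for the demo)."""
    n = 128                                              # 4-byte entries per 512-byte sector
    n_mini = (len(SAMPLE_VBA) + 63) // 64                # 64-byte mini sectors used
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (n - 4)
    minifat = list(range(1, n_mini)) + [ENDOFCHAIN] + [FREESECT] * (n - n_mini)

    def entry(name, kind, child, start, size):
        raw = name.encode("utf-16-le") + b"\0\0"
        return (raw.ljust(64, b"\0") + struct.pack("<HBB", len(raw), kind, 1)
                + struct.pack("<III", FREESECT, FREESECT, child)   # left, right, child
                + b"\0" * 36                                       # CLSID, state, timestamps
                + struct.pack("<IQ", start, size))

    header = (SIGNATURE + b"\0" * 16
              + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
              + struct.pack("<IIIIIII", 0, 1, 1, 0, MINI_CUTOFF, 2, 1)  # 1 FAT sector, dir=1, miniFAT=2
              + struct.pack("<II", ENDOFCHAIN, 0)                        # no extra DIFAT sectors
              + struct.pack("<109I", 0, *[FREESECT] * 108))             # FAT lives in sector 0
    directory = (entry("Root Entry", 5, 1, 3, 512)
                 + entry("Module1", 2, FREESECT, 0, len(SAMPLE_VBA)) + b"\0" * 256)
    return (header + struct.pack("<128I", *fat) + directory
            + struct.pack("<128I", *minifat) + SAMPLE_VBA.ljust(512, b"\0"))


if __name__ == "__main__":
    blob = build_sample()
    entries, read = parse_cfb(blob)
    for idx, kind, size, name in listing(blob):
        print("%d: %-7s %5d %s" % (idx, kind, size, name))
    print("encrypted:", is_encrypted_office(entries))
    print(read(entries[1]).decode())
```

Run stand-alone it prints an oledump-like index, the encryption verdict and the stream content; a real sample would be read from disk with `open(path, "rb").read()` in place of `build_sample()`. The parser handles v3 (512-byte) and v4 (4096-byte) sectors but only reads the 109 DIFAT entries in the header, so a very large file whose FAT spills into DIFAT sectors would need that chain followed as well.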