Updates II


Author: David Zimmer
Date: 05.03.12 - 4:09am



One more Update to add to the last post..

scdbg updates:
  • libemu pop esp and jg bugfixes
  • now supports drag and drop for shellcode files and folders

PdfStreamDumper updates:
  • FaxDecode filter added
  • JBIG2 filter added (disabled by default)
  • right click Image viewer feature added (for JPXDecode and DCTDecode streams)
  • tools->Filter Visualizer form added
  • tools->Download file w/progressbar and abort support
  • Search->extract URLS
  • Search->Filter Chains
  • dedicated hexeditor component now utilized
  • VirusTotal plugin
    • Hash lookup of the current pdf
    • Bulk hash lookup of embedded objects in the current pdf
    • Bulk hash lookup of CRLF list of MD5s loaded from clipboard
The JBIG2 decoder is disabled by default because it uses a complex native code library. I have not been able to get it to crash when doing bulk testing on old samples, but better safe than sorry. Enable it in tools->options->Enable Jbig2 Decoding Support. It will stay active until disabled again.

From the last post:

Malcode Analyst Pack Updates:
  • Virustotal app, right click in explorer, or bulk lookup from Hash Files form.
  • added dirwatch and procwatch from SysAnalyzer package. (monitor file system changes and process creation events)
  • added finddll command line utility (scan all processes for target dll)
  • ShellExt.Hash files right click menu:
    • Copy Hashs
    • VirusTotal search selected, VirusTotal search All
    • Make Extensions Safe,
    • Rename to MD5,
    • Coopy to CSV,
    • Rename Extensions.
    • A compile date/detected file type field was also added
    • Google search for hash button added
  • ShellExt.Strings form:
    • Find all button
    • file offsets now included in results with raw and VA modes(for PE files)
    • progress bar displayed while searching or scanning
    • better font
    • automatic filter to reduce noise (filtered results still viewable)
    • rescan button to change size of minimum match length
    • form maintains its size and position across runs now
Sysanalyzer:
  • now has tcpdump option to take full pcap
  • more filtering on directory watch captures
  • sniffhit now defaults to non-promiscious mode
  • api_log.dll now hooks and ignores calls to sleep
  • api_log supports config (and runtime reconfig) options
  • api_logger.exe expanded and includes preliminary log parser
  • sysanalyzer now has scan for RWE injections, memory map, scan for dll features.
  • added procwatch application (log new process creation)





Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 56 + 24 = ? followed by the letter: I 



Twitter
RSS
About Me
More Blogs
Main Site
Posts: (All)
2020 ( 6 )
2019 ( 12 )
2017 ( 5 )
2016 ( 4 )
2015 ( 6 )
2014 ( 5 )
2013 ( 9 )
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 ( 19 )
2010 ( 11 )
2009 ( 1 )