Updates II


Author: David Zimmer
Date: 05.03.12 - 4:09am



One more Update to add to the last post..

scdbg updates:
  • libemu pop esp and jg bugfixes
  • now supports drag and drop for shellcode files and folders

PdfStreamDumper updates:
  • FaxDecode filter added
  • JBIG2 filter added (disabled by default)
  • right click Image viewer feature added (for JPXDecode and DCTDecode streams)
  • tools->Filter Visualizer form added
  • tools->Download file w/progressbar and abort support
  • Search->extract URLS
  • Search->Filter Chains
  • dedicated hexeditor component now utilized
  • VirusTotal plugin
    • Hash lookup of the current pdf
    • Bulk hash lookup of embedded objects in the current pdf
    • Bulk hash lookup of CRLF list of MD5s loaded from clipboard
The JBIG2 decoder is disabled by default because it uses a complex native code library. I have not been able to get it to crash when doing bulk testing on old samples, but better safe than sorry. Enable it in tools->options->Enable Jbig2 Decoding Support. It will stay active until disabled again.

From the last post:

Malcode Analyst Pack Updates:
  • Virustotal app, right click in explorer, or bulk lookup from Hash Files form.
  • added dirwatch and procwatch from SysAnalyzer package. (monitor file system changes and process creation events)
  • added finddll command line utility (scan all processes for target dll)
  • ShellExt.Hash files right click menu:
    • Copy Hashs
    • VirusTotal search selected, VirusTotal search All
    • Make Extensions Safe,
    • Rename to MD5,
    • Coopy to CSV,
    • Rename Extensions.
    • A compile date/detected file type field was also added
    • Google search for hash button added
  • ShellExt.Strings form:
    • Find all button
    • file offsets now included in results with raw and VA modes(for PE files)
    • progress bar displayed while searching or scanning
    • better font
    • automatic filter to reduce noise (filtered results still viewable)
    • rescan button to change size of minimum match length
    • form maintains its size and position across runs now
Sysanalyzer:
  • now has tcpdump option to take full pcap
  • more filtering on directory watch captures
  • sniffhit now defaults to non-promiscious mode
  • api_log.dll now hooks and ignores calls to sleep
  • api_log supports config (and runtime reconfig) options
  • api_logger.exe expanded and includes preliminary log parser
  • sysanalyzer now has scan for RWE injections, memory map, scan for dll features.
  • added procwatch application (log new process creation)





Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
 



Twitter
RSS

About Me
More Blogs
Main Site
Posts:
IDA python over IPC
dns wildcard blocking
64bit IDA Plugins
Twitter Feed
anterior lines
misc news/updates
KANAL Mod
Decoders again
CDO.Message Breakpoints
SysAnalyzer Updates
SysAnalyzer and Site Updates
crazy decoder
ida js w/dbg
flash patching #2
JS Graphing
packet reassembly
Delphi IDA Plugin
scdbg IDA integration
API Hash Database
Winmerge plugin
IDACompare Updates
Guest Post @ hexblog
TCP Stream Reassembly
SysAnalyzer Updates
Apilogger Video
Shellcode2Exe trainer
scdbg updates
IDA Javascript w/IDE
Rop Analysis II
scdbg vrs ROP
flash patching
x64 Hooks
micro hook
jmp api+5 *2
SysAnalyzer Updates
InjDll runtime config
C# Asm/Dsm Library
Shellcode Hook Detection
Updates II
findDll
Java Hacking
Windows 8
Win7 x64
Graphing ideas
.Net Hacking
Old iDefense Releases
BootLoaders
hll shellcode
ActionScript Tips
-patch fu
scdbg ordinal lookup
scdbg -api mode
Peb Module Lists
scdbg vrs Process Injection
GetProcAddress Scanner
scdbg fopen mode
scdbg findsc mode
scdbg MemMonitor
demo shellcodes
scdbg download
api hashs redux
Api hash gen
Retro XSS Chat Codes
Exe as DLL
Olly Plugins
Debugging Explorer
Attach to hidden process
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
PDF Stream Dumper
Malcode Call API by Hash
WinDbg Cheat Sheet
GPG Automation