
DeXRAY 2.0 released

March 9, 2017 in Batch Analysis, Compromise Detection, DeXRAY, File Formats ZOO, Forensic Analysis, Incident Response, Malware Analysis, Software Releases

Recently I was contacted by two fellow DFIRers (thx @JamesHabben and @bmmaloney97) who suggested some improvements to the tool.

James mentioned to me a type of quarantine file that I had never heard of (Lumension LEMSS) and was kind enough to provide the recipe for handling them, which I implemented in the tool (hope it works!).

Brian wrote a piece of code and integrated it with DeXRAY. Thanks to his efforts McAfee BUP files are now finally handled properly (the older version of DeXRAY required the user to carve out the decrypted malware, because DeXRAY didn’t handle OLE files). Thx!

In an effort to better parse some troublesome files I have added an additional routine that carves the files out (I use it for Symantec ccSubSdk files).

Lo and behold, DeXRAY is now 2.0.

You can download it here.

The full list of supported or recognized file formats:

  • AhnLab (V3B)
  • ASquared (EQF)
  • Avast (Magic@0='-chest- ')
  • Avira (QUA)
  • Baidu (QV)
  • BitDefender (BDQ)
  • CMC Antivirus (CMC)
  • Comodo <GUID> (not really; quarantined files are not encrypted 🙂 )
  • ESafe (VIR)
  • ESET (NQF)
  • F-Prot (TMP) (Magic@0='KSS')
  • Kaspersky (KLQ)
  • Lavasoft AdAware (BDQ) /BitDefender files really/
  • Lumension LEMSS (lqf)
  • MalwareBytes Data files (DATA)
  • MalwareBytes Quarantine files (QUAR)
  • McAfee Quarantine files (BUP) /full support for OLE format/
  • Microsoft Forefront|Defender (Magic@0=0B AD|D3 45) – D3 45 C5 99 header handled
  • Panda <GUID> Zip files
  • Spybot – Search & Destroy 2 ‘recovery’
  • SUPERAntiSpyware (SDB)
  • Symantec ccSubSdk files: {GUID} files and submissions.idx
  • Symantec Quarantine Data files (QBD)
  • Symantec Quarantine files (VBN)
  • Symantec Quarantine Index files (QBI)
  • TrendMicro (Magic@0=A9 AC BD A7, which is the 'VSBX' string ^ 0xFF)
  • QuickHeal <hash> files
  • Vipre (<GUID>_ENC2)
  • Any binary file (using X-RAY scanning)

Hunting for a better hex dump tool

January 23, 2017 in hex.pl, Reversing, Software Releases

Many command line tools are written with an ancient 80×25 terminal size in mind and as such their output is often limited (at least by current standards). It is quite amazing that the concept of writing tools for such a small terminal is so omnipresent, given that high-resolution computer screens, as well as dual- and multi-monitor setups, are now so common.

With this in mind, a few years ago I coded a simple hex dump tool which I now use quite often – it gives me a better output than a typical hexdump, and… it was a fun exercise to do. The script is written in Perl, fully portable (no dependencies) and… it can for sure be a) buggy b) improved in many ways – use at your own risk 🙂

The idea I came up with was based on the large amount of unused space I had observed on my terminal (the one I use on Windows). It is typically at least 140×50, and even more when needed. As such, the 80 columns used by the standard hex dump tool leave an empty space of at least 70 characters…

Let’s have a look at cygwin’s hexdump run in canonical mode:

I had an idea that this gap could be utilized to present more data. So, my script prints the output similar to the canonical output of hexdump, plus a bonus. The bonus includes:

  • the data decimal offset
  • extracted strings (both ANSI and wide) that start within the current line

The output looks like this:

Isn’t that cool?

You can immediately copy many of the strings to the clipboard without using the strings tool.

This is how to run the script:

perl hex.pl <filename>
perl hex.pl -s <filename>
perl hex.pl -S <filename>
where:
-s - extract strings
-S - extract strings, and skip output lines w/o strings
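The layout described above (canonical hexdump columns plus a decimal offset and the ANSI/wide strings that start within each line, with -s/-S style switches), as an added example; this is not the author's hex.pl, it is written in Python 3 rather than Perl so it runs anywhere, and the exact column order, the 4-character minimum string length, the names find_strings/hex_dump and the sample bytes are my own assumptions.

```python
import re
import sys

# Constructed sample input (not from the post): a DOS-like header, an ANSI
# string, a UTF-16LE (wide) string, some binary filler and a URL.
SAMPLE = (
    b"\x4d\x5a\x90\x00\x03\x00\x00\x00"
    + b"Hello, DFIR world!\x00\x00"
    + "wide string".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x00\x01" + b"\x00" * 12
    + b"http://example.invalid\x00"
)

ANSI_RE = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")    # 4+ printable UTF-16LE chars


def find_strings(data):
    """Return [(start_offset, text), ...] for ANSI and wide strings, sorted by offset."""
    found = [(m.start(), m.group().decode("ascii")) for m in ANSI_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in WIDE_RE.finditer(data)]
    return sorted(found)


def hex_dump(data, width=16, strings=False, skip_empty=False):
    """hexdump -C style lines plus a decimal offset column and, with strings=True,
    every extracted string that *starts* within the line; skip_empty drops lines
    that carry no such string (the -S behaviour described above)."""
    found = find_strings(data) if strings else []
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hx = [f"{b:02x}" for b in chunk]
        hex_part = (" ".join(hx[:8]) + "  " + " ".join(hx[8:])).ljust(width * 3)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in chunk)
        in_line = [text for start, text in found if off <= start < off + width]
        if skip_empty and not in_line:
            continue
        line = f"{off:08x}  {off:>10d}  {hex_part}  |{ascii_part.ljust(width)}|"
        if in_line:
            line += "  " + " | ".join(repr(t) for t in in_line)
        lines.append(line)
    return lines


if __name__ == "__main__":
    # usage: python hexdump_strings.py [-s|-S] [file]; without a file it dumps SAMPLE
    flags = [a for a in sys.argv[1:] if a.startswith("-")]
    paths = [a for a in sys.argv[1:] if not a.startswith("-")]
    data = open(paths[0], "rb").read() if paths else SAMPLE
    print("\n".join(hex_dump(data, strings=bool(flags), skip_empty="-S" in flags)))
```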

You can download the script here.

If you find any bugs or run into any issue, please let me know.