Articles and tools about Python, Cyber Security and more.

oletools - python tools to analyze OLE and MS Office files

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on my olefile parser. 

Advanced VBA Macros Attack & Defence - Black Hat Europe 2019

Presentation at Black Hat Europe 2019, about malicious VBA Macros and recent advances in the attack and defense sides.

olefile - a Python module to read/write MS OLE2 files

olefile (formerly OleFileIO_PL) is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook MSG files, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.

Tip - How to use pip, git and PyCharm behind a proxy

Sometimes I need to use pip, git, twine and PyCharm behind a proxy, and I have to look up how to configure them. Here's a quick cheat sheet:

pip

The proxy needs to be provided on the command line each time you run pip, as follows:

pip install --proxy http://proxyserver:port <package>

If you need authentication:

pip install --proxy http://user:password@proxyserver:port <package>

git

The proxy can be set in the configuration using this command:

Weaponized PDF - Payload Delivery Format

This article describes the PDF file format, related security issues and useful resources. [WORK IN PROGRESS]

VBA Macros Pest Control - THC 2017

Presentation at the Toulouse Hacking Convention 2017 (3rd March 2017) about Malicious VBA Macros: what they can do, how to analyze them, and how we can detect and block them before they hit end-users.

Updated on the 24th August 2017 for the International Cyber Security Summer School.

iodeflib - a python library to create, parse and edit IODEF incident reports

iodeflib is a python library to create, parse and edit cyber incident reports using the IODEF v1 XML format (RFC 5070).

Tip: How to download thousands of MS Office files for testing

When developing tools related to MS Office files such as olefile and oletools, it is often necessary to test them on many different samples of various types and sizes. It is quite easy to find malicious samples using malwr.com, hybrid-analysis.com and VirusTotal, just to name a few (see my previous post about that topic). However, finding and downloading a large number of legitimate files is a different challenge. Here are some tips to do it:

How to find data hidden at the end of an OLE file

"Would it be possible to add a method to olefile that returns bytes that are appended to an OLE file? I have a sample that has encoded EXE appended."

When Didier Stevens asked me that question some time ago, I thought it would be easy, a matter of minutes. Indeed, the OLE format (aka Microsoft Compound File Binary Format) is structured and well specified in MS-CFB.

My Python projects

Here is the list of open-source Python projects that I am maintaining or contributing to.

Syndicate content