
decalage2/oletools 1737

oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging.

decalage2/awesome-security-hardening 818

A collection of awesome security hardening guides, tools and other resources

decalage2/ViperMonkey 779

A VBA parser and emulation engine to analyze malicious macros.

bontchev/pcodedmp 357

A VBA p-code disassembler

decalage2/olefile 151

olefile is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook messages, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.

decalage2/balbuzard 81

Balbuzard is a package of malware analysis tools in python to extract patterns of interest from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

decalage2/exefilter 47

ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.

decalage2/oledump-contrib 37

The oledump-contrib repository contains plugins and enhancements for the oledump tool published by Didier Stevens.

decalage2/pyhtgen 11

pyhtgen (formerly HTML.py) provides a few classes to easily generate HTML content such as tables and lists.

decalage2/awesome-security 6

A collection of awesome software, libraries, documents, books, resources and cool stuff about security.

started netspooky/BGGP

started time in 2 days

started stuhli/awesome-event-ids

started time in 2 days

issue comment decalage2/oletools

rtfobj: parse and display the oleclsid control word when present

See also Will's presentation around 13:30: https://www.youtube.com/watch?v=PLK-eipRzxU

decalage2

comment created time in 2 days

issue comment decalage2/oletools

olevba: add XLM macro keywords

Add also WRITELN: https://twitter.com/DissectMalware/status/1440130407870181378

decalage2

comment created time in 5 days

started Edubr2020/CVE-2021-40444--CABless

started time in 6 days

started klezVirus/CVE-2021-40444

started time in 10 days

started aslitsecurity/CVE-2021-40444_builders

started time in 13 days

started lockedbyte/CVE-2021-40444

started time in 15 days

issue opened decalage2/ViperMonkey

python 3 release: update unidecode dependency

When the Python 3 version is released, make sure we switch to the latest unidecode version. See #112 and #113.

created time in 16 days

push event decalage2/ViperMonkey

cccs-jh

commit sha e47ebbeda832741641550e31e9aba590380fd231

unidecode 1.3.0 dropped python2 support


Philippe Lagadec

commit sha 631d242f43108226bb25ed91e773a274012dc8c2

Merge pull request #113 from cccs-jh/master unidecode 1.3.0 dropped python2 support


push time in 16 days

PR merged decalage2/ViperMonkey

unidecode 1.3.0 dropped python2 support

fixes #112

+2 -2

1 comment

2 changed files

cccs-jh

pr closed time in 16 days

issue closed decalage2/ViperMonkey

Unidecode 1.3.0 no longer supports python2

From their changelog (https://github.com/avian2/unidecode/blob/master/ChangeLog):

> 2021-09-06 unidecode 1.3.0
> * Drop support for Python <3.5.

closed time in 16 days

cccs-jh

pull request comment decalage2/ViperMonkey

unidecode 1.3.0 dropped python2 support

Thanks, I need to keep this in mind for the upcoming Python 3 release.

cccs-jh

comment created time in 16 days

issue comment decalage2/ViperMonkey

Unidecode 1.3.0 no longer supports python2

Thanks, we need to change the dependency then.

cccs-jh

comment created time in 16 days

issue comment decalage2/oletools

RTFObj doesn't work on RTFs containing OLE2LNK objects

Good catch, thanks!

tlansec

comment created time in 16 days

issue opened decalage2/oletools

clsid: add Shell.Explorer and Forms.HTML

See https://www.securify.nl/blog/click-me-if-you-can-office-social-engineering-with-embedded-objects

  • Shell.Explorer.1 / {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}
  • Forms.HTML:Image.1 / {5512D112-5CC6-11CF-8D67-00AA00BDCE1D}
  • Forms.HTML:Submitbutton.1 / {5512D110-5CC6-11CF-8D67-00AA00BDCE1D}

created time in 16 days

started lasq88/MalwareAnalysis

started time in 16 days

started rfcxv/CVE-2021-40444-POC

started time in 16 days

started tylabs/quicksand

started time in 16 days

started felixweyne/imaginaryC2

started time in 16 days

started eneam/mboxviewer

started time in 19 days

started countercept/chainsaw

started time in 23 days

started rathbuna/DFIRMindMaps

started time in 25 days

started STMSolutions/boobsnail

started time in a month

started EXPMON/PubAPIs

started time in a month

issue comment decalage2/exefilter

Active pdf (javascript) not detected

Hi @AndreaMonzini, indeed qpdf looks like a good complement to exefilter.

I have not worked on exefilter for a long time, so I don't remember exactly which "hidden" scripts are detected/cleaned. It depends a lot if you use pdfid or origami. pdfid only detects/cleans visible keywords, while origami should be able to dig deeper in the PDF structure, such as compressed streams.

rsaccani

comment created time in a month

started jonaslejon/malicious-pdf

started time in a month

started rj-chap/ransomware_tips

started time in a month

issue comment decalage2/oletools

olevba+mraptor: add keywords for COM objects

Another one to be checked: https://twitter.com/SBousseaden/status/1427786112903303172


decalage2

comment created time in a month

started GossiTheDog/SystemNightmare

started time in a month