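#!/usr/local/bin/python3
"""Convert a text file of hex digits back into the binary it encodes.

Run as a script, this reads ``xxx.txt`` (hex text; spaces, tabs and line
breaks between digits are allowed) and writes the decoded bytes to
``xxx.exe``.
"""
import binascii


def hex_text_to_binary(src_path, dst_path):
    """Decode the hex text in *src_path* and write the bytes to *dst_path*.

    All whitespace in the input is discarded before decoding, so wrapped
    or column-formatted dumps decode correctly instead of breaking at the
    first line end.

    Args:
        src_path: path of the text file holding hex digits.
        dst_path: path of the binary file to create (overwritten if present).

    Returns:
        The number of bytes written.

    Raises:
        ValueError: (``binascii.Error``) if the digits have odd length or a
            non-hex character is present. The output file is not touched in
            that case, so no truncated or misaligned binary is left behind.
    """
    with open(src_path, "r") as src:
        hex_digits = "".join(src.read().split())
    # Decode fully before opening the output so a bad input leaves no partial file.
    data = binascii.unhexlify(hex_digits)
    with open(dst_path, "wb") as dst:
        dst.write(data)
    return len(data)


if __name__ == "__main__":
    hex_text_to_binary("xxx.txt", "xxx.exe")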
Thursday, 27 November 2014
python - print hex string into binary file
Wednesday, 26 November 2014
py_xxd.py
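#!/usr/local/bin/python3
"""Print an xxd-style hex dump of ``a.exe``.

Each line shows a 7-digit hex offset, 16 bytes as groups of two bytes
(four hex digits), and the same bytes as ASCII with any value outside
32..126 shown as ``.``. A final line shorter than 16 bytes is printed too
(the byte-at-a-time version silently dropped it).
"""
from binascii import hexlify

BYTES_PER_LINE = 16
# Width of the hex column for a full line: 8 groups of 4 digits plus separators.
HEX_COLUMN_WIDTH = (BYTES_PER_LINE // 2) * 5


def format_line(offset, chunk):
    """Format up to BYTES_PER_LINE bytes of *chunk* located at *offset*.

    The hex column is padded to a full line's width so the ASCII column
    stays aligned when the last line is short. For a full line this yields
    the same two-space separation between the columns as before.
    """
    groups = [
        hexlify(chunk[pos:pos + 2]).decode("ascii")
        for pos in range(0, len(chunk), 2)
    ]
    hex_col = " ".join(groups).ljust(HEX_COLUMN_WIDTH)
    # Only printable ASCII (space .. '~') is shown as-is; everything else is '.'.
    ascii_col = "".join(chr(b) if 32 <= b <= 126 else "." for b in chunk)
    return "{:07x}: {} {}".format(offset, hex_col, ascii_col)


def hexdump_lines(data):
    """Return the dump of *data* (bytes) as a list of formatted lines."""
    return [
        format_line(offset, data[offset:offset + BYTES_PER_LINE])
        for offset in range(0, len(data), BYTES_PER_LINE)
    ]


def hexdump_file(path):
    """Print the hex dump of the file at *path*, reading one line's worth at a time."""
    offset = 0
    with open(path, "rb") as handle:
        # iter() with a sentinel stops at EOF, when read() returns b"".
        for chunk in iter(lambda: handle.read(BYTES_PER_LINE), b""):
            print(format_line(offset, chunk))
            offset += len(chunk)


if __name__ == "__main__":
    hexdump_file("a.exe")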
Tuesday, 25 November 2014
Office
http://malwageddon.blogspot.com.au/2014/05/dissecting-tips-ole-and-office-open-xml.html
https://blog.malwarebytes.org/intelligence/2013/08/ms-office-files/
http://blog.g-sec.lu/2009/07/new-advances-in-officeexcelpowerpoint.html
https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF/6703
https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092
https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158
https://blog.malwarebytes.org/intelligence/2013/08/ms-office-files/
http://blog.g-sec.lu/2009/07/new-advances-in-officeexcelpowerpoint.html
https://isc.sans.edu/diary/Getting+the+EXE+out+of+the+RTF/6703
https://isc.sans.edu/diary/Analyzing+Malicious+RTF+Files+Using+OfficeMalScanner%27s+RTFScan/14092
https://community.emc.com/community/connect/rsaxchange/netwitness/blog/2014/02/12/triaging-malicious-microsoft-office-documents-cve-2012-0158
Sunday, 23 November 2014
$pdfextract filename.pdf
- All of the components will be extracted to the filename.dump folder
- Do a "grep javascript" in that folder
PDF Stream Dumper
- "Scan malicious"
http://hiddenillusion.blogspot.co.uk/2012/06/getting-what-you-want-out-of-pdf-with.html
$shellcode2exe
$base64 -d
c:\>convertshellcode.exe
$js-beautify
$js -f filename.js
// Minimal stand-in for the browser `document` object when running a script in
// the standalone JS shell (`js -f` above): `document.write` is bound to the
// shell's `print`, so text the script would have written into the page is
// printed to stdout instead.
document = {
write:print
};
$unicode2hex-escaped
- All of the components will be extracted to the filename.dump folder
- Do a "grep javascript" in that folder
PDF Stream Dumper
- "Scan malicious"
http://hiddenillusion.blogspot.co.uk/2012/06/getting-what-you-want-out-of-pdf-with.html
$shellcode2exe
$base64 -d
c:\>convertshellcode.exe
$js-beautify
$js -f filename.js
// Minimal stand-in for the browser `document` object when running a script in
// the standalone JS shell (`js -f` above): `document.write` is bound to the
// shell's `print`, so text the script would have written into the page is
// printed to stdout instead.
document = {
write:print
};
$unicode2hex-escaped
Tuesday, 4 November 2014
PDF malware analysis links
http://resources.infosecinstitute.com/analyzing-malicious-pdf/
http://digital-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis/
https://blog.malwarebytes.org/intelligence/2013/08/the-malware-archives-pdf-files/
http://zeltser.com/reverse-malware/analyzing-malicious-documents.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_rise_of_pdf_malware.pdf
http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/
https://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08-filiol.pdf
http://blog.spiderlabs.com/2011/09/analyzing-pdf-malware-part-1.html
http://digital-forensics.sans.org/blog/2009/12/14/pdf-malware-analysis/
https://blog.malwarebytes.org/intelligence/2013/08/the-malware-archives-pdf-files/
http://zeltser.com/reverse-malware/analyzing-malicious-documents.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_rise_of_pdf_malware.pdf
http://blog.didierstevens.com/2008/04/09/quickpost-about-the-physical-and-logical-structure-of-pdf-files/
https://www.blackhat.com/presentations/bh-europe-08/Filiol/Presentation/bh-eu-08-filiol.pdf
http://blog.spiderlabs.com/2011/09/analyzing-pdf-malware-part-1.html
Saturday, 1 November 2014
Compare two binaries on Linux
% xxd b1 > b1.hex
% xxd b2 > b2.hex
And then:
% diff b1.hex b2.hex
or
% vimdiff b1.hex b2.hex