Thursday, March 18, 2010

Jsunpack-n update 0.3.1e: Bug Fixes Release

I released an update to jsunpack-n that fixes some bugs and adds some new features. The detection updates in this release mostly involve improvements to PDF parsing. Some jsunpack users suggested that I add better detection for PDF files and for content within deflated streams. That is not yet available, but I plan to include it in a future version.

Updates 2010-03-18 version 0.3.1e
1) added LZW and RunLength decoding to pdf.py
2) fixed pdf.py so that streams that fail to decompress are not output
3) rooturl is now a member of jsunpack objects (to better support threading)
4) js.files now contains three entries [filename, origin, contents] (contents is new)
5) new command line argument -Q (for Quit-outputting-files), in case you plan to use the output from a Python script
6) updated rules
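The two stream filters item 1 mentions, as an added example (not jsunpack's own pdf.py): a PDF LZWDecode decoder (MSB-first codes growing from 9 to 12 bits, honouring the EarlyChange parameter) and a RunLengthDecode decoder. Both raise ValueError on malformed input so that a caller can skip a stream that fails to decode instead of outputting it, which is the behaviour item 2 describes; the sample inputs in the test are constructed.

```python
def lzw_decode(data: bytes, early_change: int = 1) -> bytes:
    """PDF LZWDecode: MSB-first codes, 9..12 bits wide, 256 = clear, 257 = EOD."""
    base = [bytes([i]) for i in range(256)] + [b"", b""]   # 256/257 reserved
    table, width, prev = list(base), 9, None
    out, bitbuf, nbits, pos = bytearray(), 0, 0, 0
    while True:
        while nbits < width:                       # refill the bit buffer
            if pos >= len(data):
                return bytes(out)                  # stream ended without EOD
            bitbuf = ((bitbuf << 8) | data[pos]) & 0xFFFFFF
            pos, nbits = pos + 1, nbits + 8
        nbits -= width
        code = (bitbuf >> nbits) & ((1 << width) - 1)
        if code == 256:                            # clear-table code
            table, width, prev = list(base), 9, None
            continue
        if code == 257:
            break
        if code < len(table):
            entry = table[code]
        elif code == len(table) and prev is not None:
            entry = prev + prev[:1]                # KwKwK: code not in table yet
        else:
            raise ValueError("invalid LZW code %d" % code)
        out += entry
        if prev is not None:
            table.append(prev + entry[:1])
            # EarlyChange=1 (the PDF default) widens the code one entry early
            if len(table) + early_change >= (1 << width) and width < 12:
                width += 1
        prev = entry
    return bytes(out)

def runlength_decode(data: bytes) -> bytes:
    """PDF RunLengthDecode: L < 128 copies the next L+1 bytes literally,
    L > 128 repeats the next byte 257-L times, L == 128 is EOD."""
    out, i = bytearray(), 0
    while i < len(data):
        length, i = data[i], i + 1
        if length == 128:
            break
        if length < 128:
            chunk, i = data[i:i + length + 1], i + length + 1
            if len(chunk) != length + 1:
                raise ValueError("truncated literal run")
        elif i < len(data):
            chunk, i = bytes([data[i]]) * (257 - length), i + 1
        else:
            raise ValueError("truncated repeat run")
        out += chunk
    return bytes(out)
```

The LZW input in the test is the worked example from the PDF specification (bytes 80 0B 60 50 22 0C 0C 85 01), which expands to "-----A---B".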

4 comments:

  1. Very good work, and very fast on results. The classification is sometimes not correct.
  2. Thanks Nicolas, which rule or alert caused the classification to be incorrect? Knowing that, I would be able to fix or disable it.
  3. Can I run jsunpack on my local system? I'm trying to install it on my Ubuntu; is it possible? I just followed the install file and got all the needed packages, but I can't install pynids. Below are some errors:
    nidsmodule.c:45: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
    nidsmodule.c:49: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
    nidsmodule.c:50: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token

    BTW, I'm doing jsunpack as my research topic in my job as a malware analyst; I just need to run it locally. Hope you can help me, my email is orgen16@gmail.com (don't worry, it's just a temp email)
  4. orgen experienced those errors because of this line:
    > nidsmodule.c:23:20: error: Python.h: No such file or directory

    For me installing the python-dev package solved this problem.