isodump.py is a simple Python script utilized to assist incident responders analyzing ISO files (ISO 9660 disk image format) containing malware.
The following file systems are supported:
file /opt/isodump/samples/Test.dmg
/opt/isodump/samples/Test.dmg: ISO 9660 CD-ROM filesystem data 'TEST'
file /opt/isodump/samples/PO#20190705.IMG
/opt/isodump/samples/PO#20190705.IMG: UDF filesystem data (version 1.5) 'PICTURES'
Warning: The directory samples contains real malware!
Before you can use the script you will need to install the python library isoparser by Barney Gale.
sudo -H pip install six
sudo -H pip install isoparser
Tested on macOS 10.14.5
python3 isodump.py -h
usage: isodump.py -i <file> [options]
ISO dump utility
optional arguments:
-h, --help show this help message and exit
-d, --dump dump file (default: item 0 to stdout)
-i ISO, --iso ISO iso file to analyze
-l, --list List all files from root directory (csv output)
-M, --metadata Print metadata
-o [OUT], --out [OUT]
output folder (default: current working directory)
-s [SELECT], --select [SELECT]
select item nr for dumping (a for all)
--version show program's version number and exit
- List all files from root directory (csv output)
python3 isodump.py -i /opt/isodump/samples/Test.dmg -l
Index;Name;Size;Header;MD5;SHA256
0;INVOICE_.EXE;1325568;4d5a9000030000000400;208cd564304ef7fe98a0c3da095fec3b;b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a
1;PAYMENT SLIP AND BANK CONF.EXE;709632;4d5a5000020000000400;eccd7c33037181277ae23f3c3b5baf74;84b73d9bc64da09072ebba537418a35c4883daba40fa7b348080fa10b1dfeb41
2;PO_20190.EXE;610816;4d5a9000030000000400;663ece11cb6b12d23266884d7b89e47a;2d8f0de8c52452cc12e8d4f993f0aad60457c3cd396632546da0f501b066ff3f
python3 isodump.py -i /opt/isodump/samples/Test.dmg -l | column -s ";" -t
Index Name Size Header MD5 SHA256
0 INVOICE_.EXE 1325568 4d5a9000030000000400 208cd564304ef7fe98a0c3da095fec3b b3aef0e1d7a71edbc858a81e66f354be1974aafdd4449f2972e4dae1c82f2b8a
1 PAYMENT SLIP AND BANK CONF.EXE 709632 4d5a5000020000000400 eccd7c33037181277ae23f3c3b5baf74 84b73d9bc64da09072ebba537418a35c4883daba40fa7b348080fa10b1dfeb41
2 PO_20190.EXE 610816 4d5a9000030000000400 663ece11cb6b12d23266884d7b89e47a 2d8f0de8c52452cc12e8d4f993f0aad60457c3cd396632546da0f501b066ff3f
- Print metadata of iso file
python3 isodump.py -i /opt/isodump/samples/Test.dmg -M
volume name = TEST
volume block count = 1839
volume block size = 2048
voulme size = 3766272
volume set name =
volume software =
volume create root dir = 2019-05-13 16:10:36
volume create volume = 2019051314120000
volume modify = 2019051314120000
- Extract all files from root directory
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s a -o /Users/evild3ad/Desktop/dump/
- Extract specific file from root directory
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s 1 -o /Users/evild3ad/Desktop/dump/
- Pipe file into other tools (default: item 0 to stdout)
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d | python tools/file-magic/file-magic.py
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d | python tools/pecheck/pecheck.py | less
- Pipe specific file into other tools
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s 2 | python tools/file-magic/file-magic.py
PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s 2 | python tools/pecheck/pecheck.py | less
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s 1 | xxd | head
00000000: 4d5a 5000 0200 0000 0400 0f00 ffff 0000 MZP.............
00000010: b800 0000 0000 0000 4000 1a00 0000 0000 ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 0001 0000 ................
00000040: ba10 000e 1fb4 09cd 21b8 014c cd21 9090 ........!..L.!..
00000050: 5468 6973 2070 726f 6772 616d 206d 7573 This program mus
00000060: 7420 6265 2072 756e 2075 6e64 6572 2057 t be run under W
00000070: 696e 3332 0d0a 2437 0000 0000 0000 0000 in32..$7........
00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s 2 | xxd | head
00000000: 4d5a 9000 0300 0000 0400 0000 ffff 0000 MZ..............
00000010: b800 0000 0000 0000 4000 0000 0000 0000 ........@.......
00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030: 0000 0000 0000 0000 0000 0000 1001 0000 ................
00000040: 0e1f ba0e 00b4 09cd 21b8 014c cd21 5468 ........!..L.!Th
00000050: 6973 2070 726f 6772 616d 2063 616e 6e6f is program canno
00000060: 7420 6265 2072 756e 2069 6e20 444f 5320 t be run in DOS
00000070: 6d6f 6465 2e0d 0d0a 2400 0000 0000 0000 mode....$.......
00000080: 1673 9292 5212 fcc1 5212 fcc1 5212 fcc1 .s..R...R...R...
00000090: 1443 1dc1 5012 fcc1 ccb2 3bc1 5312 fcc1 .C..P.....;.S...
python3 isodump.py -i /opt/isodump/samples/Test.dmg -d -s 2 | file -
/dev/stdin: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
isodump - ISO dump utility Copyright (c) 2019 Martin Willing
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program. If not, see http://www.gnu.org/licenses/licenses.en.html