Saturday 24 December 2011
Wednesday 30 December 2009
Detecting EICAR With a .NET Micro-controller
I’ve been playing with a .NET Micro Framework micro-controller: the USBizi. A few of its interesting characteristics are that you program it in C# with Visual Studio and that in-circuit debugging (including single-stepping) is supported.
The .NET Micro Framework has no assemblies to support USB in host mode (only guest mode), but the USBizi comes with assemblies for host mode providing support for removable drives like USB sticks. To illustrate this feature, I wrote a program to scan the files on a USB stick for the EICAR test file and replace the content with a message appropriate for the time of the year.
Some ideas I’ve for this device: program it as a hardware keylogger, a hardware password vault, …
using System.Threading;
using System;
using System.IO;
using Microsoft.SPOT.Hardware;
using Microsoft.SPOT;
using Microsoft.SPOT.IO;
using GHIElectronics.System.SystemDevices;
using GHIElectronics.System;
using GHIElectronics.System.IO;
using GHIElectronics.Hardware;
namespace USBiziEICARDetector
{
public class Program
{
static string sEICAR = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
static void Main()
{
Boolean bFoundEicar;
Debug.Print("Starting...");
while (true)
{
// must start system first, no event is associated
SystemManager.Start(null);
// wait till we have a device
while (SystemManager.GetDevices().Length == 0)
Thread.Sleep(500);
// get a list of devices
Device[] devices = SystemManager.GetDevices();
// look for a device
foreach (Device device in devices)
{
// this loop will run once for every device
if (device.deviceType == DeviceType.Drive)
{
try
{
// USB drive is inserted
// Create a new storage device
PersistentStorage PS = new PersistentStorage(device.deviceID);
// now everything works just like on SD cards....
// Mount the file system
PS.MountFileSystem();
// Assume one storage device is available, access it through NETMF
string rootDirectory = VolumeInfo.GetVolumes()[0].RootDirectory;
bFoundEicar = false;
string[] files = Directory.GetFiles(rootDirectory);
Debug.Print("Files on root of USB drive...");
foreach (string file in files)
{
Debug.Print(file);
Boolean bFileIsEICAR = false;
FileStream fs = File.OpenRead(file);
Debug.Print(fs.Length.ToString());
if (fs.Length == sEICAR.Length)
{
char[] acEICAR = sEICAR.ToCharArray();
for (int iIter = 0; iIter < sEICAR.Length; iIter++)
{
int iByte = fs.ReadByte();
if (acEICAR[iIter] != iByte)
break;
if (iIter == sEICAR.Length - 1)
{
bFoundEicar = true;
bFileIsEICAR = true;
}
}
}
fs.Close();
if (bFileIsEICAR)
{
byte[] abHappyNewYear2010 = {
0x0D, 0x0A, 0x0D, 0x0A, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20,
0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20,
0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58,
0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20,
0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x58, 0x20, 0x20, 0x58,
0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58,
0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58,
0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x0D, 0x0A, 0x0D, 0x0A};
File.WriteAllBytes(file, abHappyNewYear2010);
Debug.Print("EICAR found!");
}
}
Debug.Print("... end of list!");
// if we need to unmount
Thread.Sleep(500);
PS.UnmountFileSystem();
Thread.Sleep(500);
PS.Remove();
OutputPort LED = new OutputPort(USBizi.Pins.E2x, false);
if (bFoundEicar)
{
Debug.Print("bFoundEicar = true");
BlinkXTimes(LED, 4, 300);
}
else
{
Debug.Print("bFoundEicar = false");
BlinkXTimes(LED, 2, 300);
}
}
catch (Exception e)
{
Debug.Print("Exception:");
Debug.Print(e.Message);
}
}
}
Thread.Sleep(500);
SystemManager.Reboot(SystemManager.RebootMode.Normal);
}
}
public static void BlinkXTimes(OutputPort LED, int times, int milliseconds)
{
for (int i = 0; i < times; i++)
{
LED.Write(true);
Thread.Sleep(milliseconds);
LED.Write(false);
Thread.Sleep(milliseconds);
}
}
}
}
Monday 9 November 2009
Quickpost: “Hiding” a PDF Document
Here’s some Python code (it uses my mPDF module) to append a new PDF document to an existing PDF document to “hide” the original document. Recovering the original is trivial, you open the PDF document with a HEX-editor and delete the appended document (starting after the second %%EOF counting from the end of the file). This trick uses incremental updates.
#!/usr/bin/python
__description__ = 'make-pdf-hide-original, use it to "hide" the original PDF document'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2009/11/07'
"""
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk
History:
2009/11/07: start
Todo:
"""
import mPDF
import time
import zlib
import optparse
def Main():
oParser = optparse.OptionParser(usage='usage: %prog [options] pdf-file\n' + __description__, version='%prog ' + __version__)
oParser.add_option('-s', '--line', default='Hello World', help='The line of text to print on the screen (default Hello World')
(options, args) = oParser.parse_args()
if len(args) != 1:
oParser.print_help()
print ''
print ' %s' % __description__
print ' Source code put in the public domain by Didier Stevens, no Copyright'
print ' Use at your own risk'
print ' https://DidierStevens.com'
else:
pdffile = args[0]
oPDF = mPDF.cPDF(pdffile)
oPDF.template1()
oPDF.stream(5, 0, 'BT /F1 24 Tf 100 700 Td (%s) Tj ET' % options.line)
oPDF.xrefAndTrailer('1 0 R')
if __name__ == '__main__':
Main()
Quickpost info
Wednesday 21 October 2009
A Windows 7 Launch Party Trick!
In search of a new trick for that Windows 7 Launch Party you’re invited to? 
Here’s one:
You can download a beta version of my UserAssist tool here. Soon I’ll be posting a final version with details and source code.
Tuesday 1 September 2009
Link: case of the tweep abduction
I know, I love a bit of mischief
Wim renamed his “old” Twitter account @domgingelom to the “new” @wimremes. And then I promptly registered @domdingelom…
Did some Tweeting under an assumed name…
And then gave the “new” @domdingelom to Wim.
Monday 13 July 2009
Quickpost: TrueCrypt’s Boot Loader Screen Options
Ready for some Security Through Obscurity fun?
I’ve been playing with TrueCrypt‘s Boot Loader Screen Options to display a custom message when I boot my laptop with full disk encryption.
It’s probably enough to be misleading during a casual inspection of your laptop:
The screen doesn’t even display asterisks when you type your TrueCrypt password.
It’s just as unresponsive as the original “NTLDR is missing” screen.
The only difference with the Windows XP NT Loader missing message, is that the original is just a bit longer:
Or you can just let it display gibberish, like this:
And if challenged, say your laptop was infected with a virus from that damned hotel’s WiFi network.
Quickpost info
Tuesday 9 June 2009
Quickpost: Make Your Own Corrupted PDFs For Free
In response to Bruce Schneier’s latest post, let me explain how you can corrupt your own PDF documents for free. Open your PDF document with a binary editor, search for references to the root object (/Root), and overwrite the reference (36 in my example) with a non-existing reference, like 00.
Of course, be careful and make backups first.
Tested on several PDF readers:
Sunday 18 January 2009
Quickpost: Windows 7 Beta: ROT13 Replaced With Vigenère? Great Joke!
Remember that the UserAssist keys are encrypted with ROT13?
In Windows 7 Beta, not anymore! Weak ROT13 crypto has been replaced with “stronger” Vigenère crypto!
The Vigenère key I found through some basic cryptanalysis is BWHQNKTEZYFSLMRGXADUJOPIVC.
To the Microsoft developer who designed this: great joke! You really made me laugh. Seriously. 
And I thought Easter Eggs were banned in Microsoft products. Maybe you don’t think of it as an Easter Egg, but as a programmer, I do.
Quickpost info
Saturday 13 December 2008
Identifying Garbage Men
My guest post over at Pauldotcom:
“Tis the season for tipping garbage men. Here in Brussels, at the end of the year, garbage men would ring your doorbell during their round, presenting you their best wishes for the new year.
This tradition came to an end several years ago. Nowadays, they present you their best wishes when they’re off-duty. And in came a new ID problem…“
