Didier Stevens

Wednesday 10 February 2016

Create Your Own CMD.XLS

Filed under: Hacking,My Software — Didier Stevens @ 0:00

For several years now I’ve been using my modified cmd.exe from Excel.

20160209-232633

I’m not releasing this spreadsheet with my cmd code, but I release the VBA code. You can create your own spreadsheet (or Word document) with this VBA file. If you don’t know how, here’s a video:

Sunday 7 February 2016

Update: numbers-to-hex.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 9:21

A bugfix.

numbers-to-hex_V0_0_2.zip (https)
MD5: 911D2BF2EC0839DD595C48FF4BE5E979
SHA256: 41D5B19E401516CB134521E1F6973A16DBFE491303BD93429EEBE55C0B3AFEF6

Sunday 31 January 2016

Update: cut-bytes.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:01

When searching for a sequence (example [d0cf11e0]), you can now specify the instance to select. [d0cf11e0] finds the first match, [d0cf11e0]1 too, [d0cf11e0]2 find the second match, …

Search string expressions (ASCII and hexadecimal) can be followed by an instance (a number equal to 1 or greater) to indicate which instance needs to be taken. For example, [‘ABC’]2 will search for the second instance of string ‘ABC’. If this instance is not found, then nothing is selected.
Search string expressions (ASCII and hexadecimal) can be followed by an offset (+ or – a number) to add (or subtract) an offset to the found instance. For example, [‘ABC’]+3 will search for the first instance of string ‘ABC’ and then select the bytes after ABC (+ 3).
Finally, search string expressions (ASCII and hexadecimal) can be followed by an instance and an offset.

This will be implemented in my dump tools too.

cut-bytes_V0_0_3.zip (https)
MD5: 211B96F715FD6AB4696D6E58D6DA924D
SHA256: 9D5D38AF1375FFBDE705280F99758FF4C7D9751B81C46D80681740C43D6B94C6

Saturday 30 January 2016

Update: xor-kpa.py Version 0.0.2

Filed under: Encryption,My Software,Update — Didier Stevens @ 8:48

I added support for ZIP files to xor-kpa.py.

If you pass a ZIP file to xor-kpa, it will analyze the contained file. The ZIP file can be password protected (password infected).

xor-kpa_V0_0_2.zip (https)
MD5: CA4DB797A7C12E3E81F55D9634EE77BF
SHA256: 76344E06A2C1F121D4CDD1B063DC109E59B9D2351BA5CFDDEE8613DCD220283B

Sunday 24 January 2016

Update: emldump.py Version 0.0.6

Filed under: Malware,My Software,Update — Didier Stevens @ 10:32

A small update to emldump.py to handle (intentionally) malformed MIME files.

20160124-112917

More details in my SANS ISC Diary entry “Obfuscated MIME Files”.

emldump_V0_0_6.zip (https)
MD5: 682793840D895E473647F2A1F85A9867
SHA256: D76BADF2A332C3417BB7DD46B783CE90757DD76648D2313083982BFD74902C41

Saturday 23 January 2016

Update: base64dump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 17:51

A quick update: extended –cut option (like in oledump) and added option -w to ignore whitespace.

base64dump_V0_0_4.zip (https)
MD5: 5864B1AF997EBA6E5F6DD0C3B8ADBE56
SHA256: 1B01023A97361A9DBBB16B9D8851FFD757F03FA3964C0ED72067F9117F283992

Saturday 2 January 2016

Update: shellcode2vba.py Version 0.4

Filed under: My Software,Shellcode,Update — Didier Stevens @ 13:33

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 3 new options:

Option –nocreatethread allows you to instruct the program not to add the VBA code to create a new thread.

Option –writememory: from now on, the VBA code uses RtlMoveMemory in stead of WriteProcessMemory. To use WriteProcessMemory, use option –writememory process

Option –start allows you to specify the name of the start function (ExecuteShellCode by default).

shellcode2vba_v0_4.zip (https)
MD5: DA1580DEF5B5CFF08ACF5FA921AF0822
SHA256: BDC0A5EC3E918B3DA27C392E1B2F909B7BDAD319C43A4250689DD38C81FF876F

Friday 1 January 2016

XOR Known-Plaintext Attack

Filed under: Encryption,My Software — Didier Stevens @ 16:00

To celebrate my Microsoft MVP award 2016, I’m releasing a new XOR-tool. Because you can never have enough XOR-tools in your toolbox :-).

When data is XOR-encrypted with a repeating key and you known some of the plaintext, you can perform a simple known-plaintext attack. Because when you XOR the ciphertext with the plaintext, you recover the key-stream.

With “repeating key” I mean the following: let’s assume that the encryption key is “Secret”. Then the first byte of the plaintext is XORed with “S”, the second byte with “e”, the third byte with “c”, …, the sixth byte with “t”. And for the seventh byte, we start again with “S”, then for the eighth byte again with “e”, …

When we know some of the plaintext, for example the beginning of the file, and we XOR this with the ciphertext, we obtain the key-stream: SecretSecretSecretSec It’s simple to extract the repeating key (Secret).

I’ve written a small Python program that automates this process: xor-kpa.py.

As an example, I’ve XORed the notepad.exe program with a key. We know that PE files contain the string “This program cannot be run in DOS mode”, this string is store in text file plaintext.txt. This is how you use xor-kpa:

C:\Demo>xor-kpa.py -e 3 plaintext.txt notepad-ciphertext.exe
Key:       Password
Extra:     30
Keystream: rdPasswordPasswordPasswordPasswordPass

This result shows that the recovered keystream is “rdPasswordPasswordPasswordPasswordPass”, and that the repeating key is “Password”. Extra (30) is the difference between the keystream length (38) and the key length (8). The higher the value of extra is, the higher the confidence is we recovered the correct key. When Extra is only 1, the confidence is low. To properly recover the key, the known-plaintext must be longer than the key.

With option -e you can filter for the minimum value of Extra.

Since the known-plaintext can often be a a short ASCII string, you can provide it directly as an argument in stead of writing it in a text file. To achieve this, just precede the argument with character #, like in this example (the double quotes are necessary because of the space characters):

C:\Demo>xor-kpa.py -e 3 "#This program cannot be run in DOS mode" notepad-ciphertext.exe
Key:       Password
Extra:     30
Keystream: rdPasswordPasswordPasswordPasswordPass

xor-kpa_V0_0_1.zip (https)
MD5: 4265BB1AFCD470A98070FFBDFCB1B52A
SHA256: CF41CEDE7281459FA47061B366AA9B4A5F579CC9BA46E73098B52EA8CAB6E816

Tuesday 22 December 2015

MIME File With “Header”

Filed under: maldoc,My Software — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

Malicious MS Office documents are also distributed as MIME files. A blog reader asked for help with a MIME file that gave him problems: f67aa5a3ede3d31c5a68494c0678e2ee.

Accoring to emldump.py, the file is just text (not a multipart file):

20151221-175808

But if you look at the file, you’ll notice a line preceding the MIME-Version line:

20151221-180149

You can instruct emldump to skip this line with option -H:

20151221-180326

Now emldump is able to analyze the multipart MIME file, and detect the MSO file (part 3). oledump can analyze MSO files:

20151221-180513

Monday 21 December 2015

Update: oledump.py Version 0.0.22

Filed under: maldoc,My Software,Update — Didier Stevens @ 16:27

Some changes when you use the –raw option. Now plugins can also be used when the VBA code is corrupted.

oledump_V0_0_22.zip (https)
MD5: CA91850BBC92E82D705F707704000F82
SHA256: 16763BCF15BFB3301FFAE0BDA26F18EE2946EDD7478994B798127DBBEF5FF9E7

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 375 other followers