Didier Stevens

Thursday 18 September 2014

FileScanner.exe Part 4

Filed under: My Software — Didier Stevens @ 0:00

Please read part 1, part 2 and part 3 for more info.

A few remarks for people having issues running my program.

Folder Release contains a 32-bit executable that requires the Visual C++ Redistributable Packages for Visual Studio 2013.

Folder Release CRT contains a 32-bit executable with an embedded C runtime; it does not require the redistributable.

Folder x64 contains 64-bit executables.

I included a rule file as an example, filescanner-analysis-01.txt:

#Comment
exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0
RAR:start:526172211A07
$ATTRIBUT:content:00417474726962757400
OLE-VBA:and:OLE $ATTRIBUT
CAB:start:str=MSCF
ARJ:start:EA60
JFIF:start:FFD8FFE0

FileScanner_V0_0_0_3.zip (https)
MD5: D9A7BA5874C10B10BF380D03E49C82A6
SHA256: C89FF7DBDB71A22E2A88C16ECD65E36619BD8EA39A77036404B6F4B1049D21E5

Wednesday 17 September 2014

FileScanner.exe Part 3

Filed under: My Software — Didier Stevens @ 0:00

FileScanner.exe is a new Windows tool I developed. Read part 1 and part 2 for more info.


To let you choose the files filescanner will scan, you can provide the following arguments: filename, @filename, folder and ?f:.

Filename and folder are self-descriptive. When you pass argument @filename, filename is a text file that contains the filenames to scan. ?f: stands for all fixed drives on the machine, for example: C:\ D:\.

You can provide more than one argument. To scan the subfolders of a folder you provided, use option -s.

By default, FileScanner provides the following information for scanned files:


With option -f, files are completely read and the following information is provided:


You can have CSV output with option -v.

To write the output to a file, use option -o and provide a filename. Option -O also writes the output to a file, but its filename is generated automatically: FileScanner-HOSTNAME-DATE-TIME.csv. Option -c lets you specify a folder to which the output file is copied when FileScanner finishes. This can be a UNC share to centralize all reports when you run FileScanner on several machines in parallel.

Option -l follows links.

Use option -r to specify a single rule and -a or -A to specify a text file with rules.

Tuesday 16 September 2014

FileScanner.exe Part 2

Filed under: My Software — Didier Stevens @ 0:00

My new FileScanner tool allows you to use rules to scan files. Here is how you define rules.

Rule syntax

If you provide rules to FileScanner, it will only report files that match one or several rules (unless you instruct it to report all scanned files). A rule has a name, a type and one or more conditions. These elements are separated by the : character (colon). A name can be any string; it is best to make it unique if you have several rules (but this is not enforced). If a name starts with a $ character (dollar), the rule is only tested if it is referred to by another rule. Valid rule types are:

  • md5
  • sizemd5
  • start
  • content
  • icontent
  • and

The md5 rule triggers if the file has the specified md5 hash. Example:

PSEXEC2:md5:AEEE996FD3484F28E5CD85FE26B6BDCD

The sizemd5 rule triggers if the file has the specified size and md5 hash. The size is tested first, and the md5 hash is only calculated when the size matches. This speeds up the scan process if you know the size. Example:

PSEXEC:sizemd5:381816:AEEE996FD3484F28E5CD85FE26B6BDCD

The start rule triggers if the content of the file starts with the specified bytes. You can specify these bytes with a hexadecimal sequence or with a string. When using a string, prefix it with keyword str=. This test is case-sensitive. Examples:

MZ:start:4D5A

PK:start:str=PK

The content rule triggers if the file contains the specified bytes. You can specify these bytes with a hexadecimal sequence or with a string. When using a string, prefix it with keyword str=. This test is case-sensitive. Examples:

META:content:4D414E49464553542E4D46

META:content:str=MANIFEST.MF

The icontent rule is identical to the content rule, except that it is not case-sensitive.

The and rule triggers if all the specified rules trigger. The specified rules are tested from left to right, and testing stops as soon as a rule does not trigger. If a specified rule has a name that starts with $, it will also be tested. In the following example, the JAR rule triggers if both the $PK and $META rules trigger.

$PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:$PK $META


Defining rules

Rules can be defined in a text file. A single rule can be defined via a command-line option or via the executable filename.

A set of rules contained in a text file is passed to the FileScanner tool via command line options -a or -A. With option -a, only files that match one or several rules are analyzed and reported. With option -A, all files are reported. A rule-file can contain comments: lines with the # character as the first character are comments (and ignored). Two directives can be set in a rule-file:

  • selectallfiles
  • exhaustive

The selectallfiles directive instructs FileScanner to report all files (even with option -a).

The exhaustive directive instructs FileScanner to test all rules defined in the text file. If this directive is not present, rule testing stops after the first rule matches.

Example of a rule-file:

exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0

Specifying a single rule can be done via option -r. Example:

filescanner.exe -sr PSEXEC:sizemd5:381816:AEEE996FD3484F28E5CD85FE26B6BDCD c:\

Finally, if you have to ask an inexperienced user to run filescanner on his machine, you can encode a rule in the filename and send him the program. Example:

filescanner-auto-rule-PSEXEC-sizemd5-381816-AEEE996FD3484F28E5CD85FE26B6BDCD.exe
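A small Python re-implementation of the rule semantics described in this post (added here as an illustration; it is not FileScanner's code and not the author's): it parses a rule-file, honours $-rules, the exhaustive directive and the left-to-right short-circuit of the and rule, and runs the rules over two constructed byte strings. The selectallfiles directive is only parsed, since it affects reporting rather than matching.

```python
import hashlib

def parse_rules(text):
    """Rule file: '#' lines are comments, bare directive lines, else name:type:cond[:cond]."""
    directives, rules = set(), []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line in ("exhaustive", "selectallfiles"):
            directives.add(line)
        else:
            name, rtype, *conds = line.split(":")
            rules.append((name, rtype.lower(), conds))
    return directives, rules

def pattern_bytes(cond):
    """A condition is a hex byte sequence unless it is prefixed with str=."""
    return cond[4:].encode("latin-1") if cond.startswith("str=") else bytes.fromhex(cond)

def rule_matches(rule, by_name, data):
    name, rtype, conds = rule
    if rtype == "md5":
        return hashlib.md5(data).hexdigest().upper() == conds[0].upper()
    if rtype == "sizemd5":  # size first; the hash is only computed when the size fits
        return len(data) == int(conds[0]) and hashlib.md5(data).hexdigest().upper() == conds[1].upper()
    if rtype == "start":
        return data.startswith(pattern_bytes(conds[0]))
    if rtype == "content":
        return pattern_bytes(conds[0]) in data
    if rtype == "icontent":
        return pattern_bytes(conds[0]).lower() in data.lower()
    if rtype == "and":  # all() tests left to right and stops at the first rule that misses
        return all(rule_matches(by_name[r], by_name, data) for r in conds[0].split())
    raise ValueError(f"unknown rule type {rtype!r} in rule {name}")

def scan_bytes(data, directives, rules):
    """Rule names that trigger on data; $-rules only via and; stop at first hit unless exhaustive."""
    by_name = {r[0]: r for r in rules}
    hits = []
    for rule in rules:
        if not rule[0].startswith("$") and rule_matches(rule, by_name, data):
            hits.append(rule[0])
            if "exhaustive" not in directives:
                break
    return hits

# Constructed sample input: a subset of this post's rule-file and two fake files.
RULE_FILE = ("#Comment\nexhaustive\nPK:start:str=PK\n$META:icontent:str=MANIFEST.MF\n"
             "JAR:and:PK $META\nCLASS:start:CAFEBABE\nMZ:start:4D5A\nPDF:start:str=%PDF-\n")
JAR_LIKE = b"PK\x03\x04" + b"\x00" * 8 + b"META-INF/manifest.mf" + b"\x00" * 8
EXE_LIKE = b"MZ\x90\x00" + b"\x00" * 12
```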

Download

FileScanner_V0_0_0_2.zip (https)
MD5: 9A89333C13DBB669A94226F57E5D919A
SHA256: 5F46312B06AE865957A36B95A4C2DDC41F20113B0E51B7F083A50929B38BD0F9


Sunday 14 September 2014

Update: SpiderMonkey

Filed under: My Software,Update — Didier Stevens @ 15:00

During my PDF training at 44CON I got the idea for a simple modification: now with document.write(), a third file is created. The file is write.bin.log and contains the pure UNICODE data, i.e. without the 0xFFFE header.

To extract shellcode now, you no longer need to edit write.uc.log to remove the 0xFFFE header.

I also included binaries for Windows and Linux (compiled on CentOS 6.0) in the ZIP file.

js-1.7.0-mod-b.zip (https)
MD5: 85B369B5650D4C041D21E8574CF09B9A
SHA256: D3827DF7B2EA81EEE91181B2DE045320E1CFEC46EED33F7CD84CA63C3A36BC38

Wednesday 3 September 2014

Introducing Filescanner.exe

Filed under: My Software — Didier Stevens @ 0:17

Filescanner is a tool I started to develop almost 2 years ago.

Back then, I needed a stand-alone, single executable tool that would allow me to search for files based on their content. Filescanner is a Windows tool.

Without any options, the tool will report some properties of the scanned file:


Note that the first 4 bytes of the scanned file are reported.

Here are the options:


Option -f does a full read of the file and calculates some properties like entropy, md5, …


You can also output CSV with option -v and search through subfolders with option -s.

Rules can be defined to select specific files. For example, with option -r, I can specify a single rule that will be used to select files.

Here is a rule named EXE that triggers when the content of a file starts with MZ: EXE:start:str=MZ


A single rule can be passed as a command-line argument or be encoded in the executable filename. If you require more than one rule, put them inside a text file to define a ruleset.

Options -a and -A specify the ruleset to use. Here is an example of a ruleset:

exhaustive
PK:start:str=PK
$META:icontent:str=MANIFEST.MF
JAR:and:PK $META
CLASS:start:CAFEBABE
MZ:start:4D5A
PDF:start:str=%PDF-
OLE:start:D0CF11E0

Rules can also be defined for MD5 hashes.

In a next post, I’ll explain in detail the rule syntax.

FileScanner_V0_0_0_1.zip (https)
MD5: 9EE883A4E28A6D0649F6D7787BD76ED4
SHA256: 5AA71E6F4FED8E45A22B49FD9A0417933F7218AF9300FDEF24FEF696CF012F61

Monday 1 September 2014

Update: Calculating a SSH Fingerprint From a (Cisco) Public Key

Filed under: Encryption,My Software,Update — Didier Stevens @ 20:17

I think there's more interest in my program to calculate the SSH fingerprint for Cisco IOS since Snowden started with his revelations.

I fixed a bug with 2048-bit (and larger) keys.


cisco-calculate-ssh-fingerprint_V0_0_2.zip (https)
MD5: C304299624F12341F9935263304F725B
SHA256: 2F2BF65E6903BE3D9ED99D06F0F38B599079CCE920222D55CC5C3D7350BD20FB

Monday 11 August 2014

EICARgen: An Arms Race

Filed under: My Software — Didier Stevens @ 0:01

If you subscribed to my videos, you saw this video and had early access to my new version of EICARgen.

Version 1.0 of EICARgen is detected by too many AV engines as a dropper. So I rewrote the code. If you launch the new EICARgen (version 2.0) without any arguments, it does nothing.

You have to provide argument “write” for it to write the EICAR test file to disk. By default this is eicar.com, but you can still provide a filename as second argument.

And I've added two new file types: zip and pdf. Use argument zip and eicar.zip is written; use pdf and eicar.pdf is written.

Here is the VirusTotal detection for eicargen.exe.

EICARgen_V2_0.zip (https)
MD5: D346A3725622F981DDA7221799EF08E8
SHA256: 2DF76319D8513B1AD70D327816D3C1028B261EF1E314243DCD0DEC14FF1FC7CE

Thursday 24 July 2014

Stoned Bitcoin: My Analysis Tools

Filed under: Encryption,Forensics,Malware,My Software — Didier Stevens @ 0:00

The most interesting thing about Stoned Bitcoin for me was to work out a method to find these Bitcoin transactions.

When this was mentioned on Twitter, I did a string search through the Bitcoin blockchain for the string STONED: no hits.

Some time later I used my find-file-in-file tool. I got a copy of the Stoned Virus (md5 74A6DBB7A60915FE2111E580ACDEEAB7) and searched through the blockchain: again, no hits.

Although this means the blockchain doesn’t contain the start bytes of the Stoned Virus, it could still contain other parts of the virus. So I randomly selected a sequence of bytes from the virus, and used my tool again: I got a hit!

The command: find-file-in-file.py -s 0xFC 74A6DBB7A60915FE2111E580ACDEEAB7.vir blk00129.dat

The output:

0171c33d 00000010 (6%)
Remaining 244 (93%)

These are the bytes I found: 07 00 BA 80 00 CD 13 EB 49 90 B9 03 00 BA 00 01

How to find the transaction containing this byte sequence? A Bitcoin transaction (binary form) starts with a version number (an unsigned 32-bit integer, little-endian); this number is currently 1. The ID of a transaction is the SHA-256 hash of the SHA-256 hash of all the bytes in the transaction, with the byte order reversed and expressed in hexadecimal notation. Armed with this information, I was able to find the transaction: f09904aaa4fa4a8ec7da06f5e3d318a9b6a218e1a215f9307416fbbadf5a1c8e.
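The transaction-ID computation and the "which transaction covers these bytes" step, as an added Python example (not the author's script): it assumes the legacy, pre-SegWit transaction layout, treats every version-1 marker at or before the hit as a candidate transaction start, and uses the genesis coinbase transaction, rebuilt inline from its well-known fields, as constructed sample data.

```python
import hashlib
import struct
def read_varint(buf, pos):
    """Bitcoin CompactSize integer at pos; returns (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + size

def tx_length(buf, pos):
    """Walk a legacy (non-witness) transaction at pos and return its byte length."""
    start = pos
    pos += 4                          # version (uint32, little-endian)
    n_in, pos = read_varint(buf, pos)
    for _ in range(n_in):
        pos += 36                     # previous txid + output index
        slen, pos = read_varint(buf, pos)
        pos += slen + 4               # scriptSig + sequence
    n_out, pos = read_varint(buf, pos)
    for _ in range(n_out):
        pos += 8                      # value (int64, little-endian)
        slen, pos = read_varint(buf, pos)
        pos += slen                   # scriptPubKey
    return pos + 4 - start            # + locktime

def txid(raw_tx):
    """SHA-256 of SHA-256 of the raw bytes, byte-reversed, as hex (explorer form)."""
    return hashlib.sha256(hashlib.sha256(raw_tx).digest()).digest()[::-1].hex()

def find_tx_containing(blob, needle):
    """txid of the first well-formed version-1 transaction covering needle, or None."""
    hit = blob.find(needle)
    pos = blob.find(b"\x01\x00\x00\x00")       # every version-1 marker is a candidate
    while hit >= 0 and 0 <= pos <= hit:
        try:
            end = pos + tx_length(blob, pos)
            if hit < end <= len(blob):
                return txid(blob[pos:end])
        except (IndexError, struct.error):
            pass                              # not a transaction start; keep looking
        pos = blob.find(b"\x01\x00\x00\x00", pos + 1)
    return None

# Constructed sample: the genesis coinbase tx rebuilt from its well-known fields, in filler.
_MSG = b"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
_PUBKEY = bytes.fromhex("04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6"
                        "bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f")
_SCRIPT_SIG = bytes.fromhex("04ffff001d0104") + bytes([len(_MSG)]) + _MSG
GENESIS_COINBASE = (b"\x01\x00\x00\x00\x01" + b"\x00" * 32 + b"\xff\xff\xff\xff"   # one null input
                    + bytes([len(_SCRIPT_SIG)]) + _SCRIPT_SIG + b"\xff\xff\xff\xff\x01"
                    + struct.pack("<q", 50 * 100_000_000) + b"\x43\x41" + _PUBKEY + b"\xac" + b"\x00" * 4)
SAMPLE_BLOB = b"\xaa" * 40 + GENESIS_COINBASE + b"\xaa" * 40
```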

Finally, I updated my find-file-in-file tool so that I could do partial searches (and a couple of other features), and I wrote a Python script to parse and search the Bitcoin blockchain.

This is what you can do with the new version of find-file-in-file:


Option partial allows you to search for parts of the file.

Option hexdump does a hexdump of the found bytes.

And options rangebegin and rangeend allow you to limit the search to a byte range of the file you are searching for. This is necessary for the Stoned Virus, because it ends with a sequence of 0x00 bytes, and such sequences are certainly not specific to the Stoned Virus, but omnipresent in the blockchain.

Soon I will release these tools.

Wednesday 16 July 2014

Update: translate.py

Filed under: My Software,Update — Didier Stevens @ 19:37

Some time ago, Chris John Riley reminded me of a program I had written, published … and forgotten: translate.py. Apparently, it is used in SANS classes.

Looking at this program from 2007, I thought: my Python coding style has changed since then, I need to rewrite this.

So here is the new version. It’s backward compatible with the old version (same arguments), but it offers more flexibility, like input/output redirection, allowing it to be used in pipes.

And from now on, I’m going to try to add a man page to all new Python program releases. It’s embedded in the source code, and you view it like this: translate.py --man


Monday 16 June 2014

Wireshark-export

Filed under: 010 Editor,My Software — Didier Stevens @ 0:37

Here is the 010 Editor script I developed to generate Wireshark hex dumps.

Watch how to use it in my previous blogpost: “Packet Class: Wireshark – Import Hex Dump”.

wireshark-export_v0_0_1.zip (https)
MD5: B339EFD0898B6506CBEAAFCBCE08B3A6
SHA256: 557B39246FAC3BD91CE24EAD3DF07F8B68100778241393A26C67A566756C404B
