Didier Stevens

Friday 27 February 2015

Update oledump.py Version 0.0.10

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This version handles corrupt VBA macro streams without crashing. Corrupt VBA macro streams are marked with an E indicator (error).

And an update to the plugin_http_heuristics and plugin_dridex plugins.

oledump_V0_0_10.zip (https)
MD5: 450C28232254F8FF3AF5E289F58D2DAB
SHA256: 139671E5E69200CECCE0EF730365C1BF1B7B8904B90E3B1E08E55AB040464C73

Thursday 19 February 2015

Update: oledump.py Version 0.0.9

Filed under: Malware,My Software,Update — Didier Stevens @ 22:19

The plugin_dridex plugin was updated.

And oledump.py has a new option: –quiet: only print output from plugins.

oledump_V0_0_9.zip (https)
MD5: 849C26F32397D2508381A8472FE40F90
SHA256: 74887EA3D4362C46CCBF67B89BB41D7AACE9E405E4CB5B63888FEDCE20FD6A07

Wednesday 18 February 2015

Analyzing A Fraudulent Document With Error Level Analysis

Filed under: Forensics,My Software,PDF — Didier Stevens @ 0:00

Some time ago I had the chance to try out an image forensic method (Error Level Analysis) on a PDF. It was a fraudulent document (a form), but with a special characteristic: the criminal converted the original form (a PDF) to JPEG, edited the JPEG with a raster graphics editor, and then inserted the edited JPEG in a PDF document. This gave me the opportunity to try out Error Level Analysis (ELA) on a “text document”.

I can’t share the PDF, but I recreated one to use in this blogpost.

First I search for images in the PDF document:

pdf-parser.py -s image example-edited.pdf


obj 4 0
 Referencing: 6 0 R

        /Im4 6 0 R
    /ProcSet [/PDF/Text/ImageC/ImageI/ImageB]

obj 6 0
 Type: /XObject
 Contains stream

    /Type /XObject
    /Subtype /Image
    /Width 680
    /Height 965
    /BitsPerComponent 8
    /ColorSpace /DeviceRGB
    /Filter /DCTDecode
    /Length 233133

The image is in object 6. I extract the image:

pdf-parser.py -o 6 -d example-edited.jpeg example-edited.pdf

Here it is:


If you Google for Error Level Analysis, you’ll find a couple of websites that provide online image forensics. But that was not an option for me, I could not share the document.

I found this C program for ELA, and later I wrote my own Python program (what else?), that I’ll use for this example:

image-forensics-ela.py example-edited.jpeg example-edited-ela.png


The colored pixels reveal the word I edited. You can see it better when I overlay the 2 images:

image-overlay.py -a 0.6 example-edited.jpeg example-edited-ela.png example-edited-overlay.png


FYI: there is also a GIMP plugin for ELA.

You can download the examples and programs here:

blogpost-ela-files.zip (https)
MD5: 4F3071A9162C5CA8B7B10A41F662093A
SHA256: CBA786368D7BAF65E1E9F854C315BFB60FF89910429106513A0C41C180D8FCAB

Tuesday 17 February 2015

Update: oledump.py Version 0.0.8

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This new version brings support for multiple YARA rule files.

The plugin_http_heuristics plugin was updated, and there is a new plugin: plugin_dridex.

oledump_V0_0_8.zip (https)
MD5: 29EBF73F5512B0BC250CD0A0977A2C72
SHA256: 09C451116FCDE7763173E1538C687734D92267A0D192499AFD118D8D923165B9

Monday 16 February 2015

Update EICARgen Version 2.1

Filed under: My Software,Update — Didier Stevens @ 0:00

Version 2.1 of EICARgen can create an Excel spreadsheet (.xls) with the EICAR test file embedded with OLE.

Tuesday 10 February 2015

Update: oledump.py Version 0.0.7

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This new version adds support for the new office file format (.docx, .xlsx, …) stored inside a ZIP file (so a ZIP inside a ZIP) and an option to print YARA strings.

And the HTTP heuristics plugin has some extra heuristics.

oledump_V0_0_7.zip (https)
MD5: 7A953BAFFA1E5285651699996FA2DF84
SHA256: F5DC5F650F005E530A7D0CF510C33E3A4EF29AD85B1DA2618B237F53A46B86B5

Monday 2 February 2015

AirPcap Channel Hopping With Python

Filed under: Didier Stevens Labs,My Software,WiFi,Wireshark — Didier Stevens @ 0:00

I’m teaching a Wireshark WiFi and Lua 2-day class at Brucon Spring Training 2015. You get an AirPcap packet capture adapter when you attend this class.

I made a modification to my Python program to do channel hopping with the AirPcap adapter. Now you can specify a sequence of channels with option -c.

apc-channel_v0_2.zip (https)
MD5: 52169F5CB679E6C0DF1F8D47DA38F779
SHA256: 59F4BEE229F5EF5B7AF27BAF6AA972DCDC9E6A6007E8E468AE7BC7C3F1CB89DD

Thursday 22 January 2015

Converting PEiD Signatures To YARA Rules

Filed under: Forensics,Malware,My Software — Didier Stevens @ 0:56

I converted Jim Clausing’s PEiD rules to YARA rules so that I can use them to detect executable code in suspect Microsoft Office Documents with my oledump tool.

Of course, I wrote a program to do this automatically: peid-userdb-to-yara-rules.py

This program converts PEiD signatures to YARA rules. These signatures are typically found in file userdb.txt. Since PEiD signature names don’t need to be unique, and can contain characters that are not allowed in YARA rules, the name of the YARA rule is prefixed with PEiD_ and a running counter, and non-alphanumeric characters are converted to underscores (_).
Signatures that can not be parsed are ignored.

Here is an example:
PEiD signature:

 [!EP (ExE Pack) V1.0 -> Elite Coding Group]
 signature = 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10
 ep_only = true

Generated YARA rule:

 rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
         description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
         ep_only = "true"
         $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}

PEiD signatures have an ep_only property that can be true or false. This property specifies if the signature has to be found at the PE file’s entry point (true) or can be found anywhere (false).
This program will convert all signatures, regardless of the value of the ep_only property. Use option -e to convert only rules with ep_only property equal to true or false.

Option -p generates rules that use YARA’s pe module. If a signature has ep_only property equal to true, then the YARA rule’s condition becomes $a at pe.entry_point instead of just $a.


 import "pe"

 rule PEiD_00001__EP__ExE_Pack__V1_0____Elite_Coding_Group_
         description = "[!EP (ExE Pack) V1.0 -> Elite Coding Group]"
         ep_only = "true"
         $a = {60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10}
         $a at pe.entry_point

Specific signatures can be excluded with option -x. This option takes a file that contains signatures to ignore (signatures like 60 68 ?? ?? ?? ?? B8 ?? ?? ?? ?? FF 10, not names like [!EP (ExE Pack) V1.0 -> Elite Coding Group]).

Download my YARA Rules.

peid-userdb-to-yara-rules_V0_0_1.zip (https)
MD5: D5B9B6FA7EC50A107A70419D30FEC9ED

Friday 16 January 2015

Update: oledump.py Version 0.0.6

Filed under: Malware,My Software,Update — Didier Stevens @ 16:11

My last software release for 2014 was oledump.py V0.0.6 with support for the “ZIP/XML” Microsoft Office fileformat and YARA.

In this post I will highlight support for the “new” Microsoft Office fileformat (.docx, .docm, .xlsx, .xlsm, …), which is mainly composed of XML files stored inside a ZIP container. Except macros which are still stored with OLE files (inside the ZIP container).

When oledump.py detects that the file is actually a ZIP file, it searches through all the files stored inside the ZIP container for OLE files, and analyses these.

Here is an example of a simple spreadsheet with macros. The xlsm file contains one OLE file: xl/vbaProject.bin. oledump gives it the identifier A. All the streams inside the OLE file are reported, and their index is prefixed with the identifier (A in this example).


If you want to select the stream with the macros, you use A6, like this: oledump.py -s A1

oledump also supports the analysis of an OLE file stored in a password protected ZIP file (typically, malware samples are stored inside ZIP files with password infected). When oledump.py analyses a ZIP file with extension .zip, it assumes that the file is NOT using the “new” Microsoft Office fileformat. Only when the file is a ZIP file but the extension is not .zip does oledump assume that the file is using the “new” Microsoft Office fileformat.

I have another example in my Internet Storm Center Guest Diary Entry.

oledump_V0_0_6.zip (https)
MD5: E32069589FEB7B53707D00D7E0256F79
SHA256: 8FCEFAEF5E6A2779FC8755ED96FB1A8DACDBE037B98EE419DBB974B5F18E578B

Thursday 8 January 2015

Didier Stevens Suite

Filed under: My Software — Didier Stevens @ 20:14

I bundled most of my software in a ZIP file. In all modesty, I call it Didier Stevens Suite.

Next Page »

The Rubric Theme. Blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 257 other followers