Didier Stevens

Friday 23 September 2011

simple-shellcode-generator.py

Filed under: My Software — Didier Stevens @ 9:04

To help the attendees of my Brucon White Hat Shellcode workshop, I wrote a new program to generate simple shellcode. I’m releasing it now.

People regularly ask me for malware so they can test their security setup. First, that’s a bad idea, and second, you can do without.

Why is using malware a bad idea? It’s dangerous and not reliable. Say you use a trojan to test your sandbox. You notice that your machine is not compromised. But is it because your sandbox contained the trojan, or because the trojan failed to execute properly? It might surprise you, but there’s a lot of unreliable malware out in the wild.

So how can you reliably test your sandbox without risking infection, or even worse, have malware escape into your corporate network? Just use simple shellcode that creates a file in a location your sandbox should prevent, like system32.

To generate this shellcode with simple-shellcode-generator.py, create a text file (call it createfile.def) with these 2 lines:

kernel32.dll CreateFileA str 0x0 0x0 0x0 0x2 0x80 0x0
kernel32.dll CloseHandle eax

Each line in this definition file instructs the generator to generate assembler code to lookup the address of the WIN32 API function, and to call it with the arguments you provide. The first column defines the dll that contains the function to call, the second column is the actual API function, and the rest are arguments to this function. The arguments you provide are copied literally into the generated assembler code, except for 3 keywords.
Keyword int is used to represent any DWORD, it will result in the generation of a push 0×0.
Keyword str is used to reserve space for a string, and the address of the string is used as argument.
Keyword pint is user to reserve space for a DWORD, and the address of the DWORD is used as argument.

To generate our shellcode, issue this command:

simple-shellcode-generator.py -o createfile.asm createfile.def

This generates the following assembler code:

; Shellcode generated by simple-shellcode-generator.py
; Generated for NASM assembler (http://www.nasm.us)
; https://DidierStevens.com
; Use at your own risk
;
; History:
;   2011/09/23: generated

BITS 32

KERNEL32_HASH equ 0x000D4E88
KERNEL32_NUMBER_OF_FUNCTIONS equ 2
KERNEL32_CREATEFILEA_HASH equ 0x00067746
KERNEL32_CLOSEHANDLE_HASH equ 0x00067E1A

segment .text
	call geteip
geteip:
	pop ebx

	; Setup environment for kernel32.dll
	lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx]
	push esi
	lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx]
	push esi
	push KERNEL32_NUMBER_OF_FUNCTIONS
	push KERNEL32_HASH
	call LookupFunctions

	; call to CreateFileA
	push 0x0
	push 0x80
	push 0x2
	push 0x0
	push 0x0
	push 0x0
	lea eax, [STRING1-geteip+ebx]
	push eax
	call [KERNEL32_CREATEFILEA-geteip+ebx]

	; call to CloseHandle
	push eax
	call [KERNEL32_CLOSEHANDLE-geteip+ebx]

	ret

%include "sc-api-functions.asm"

KERNEL32_HASHES_TABLE:
	dd KERNEL32_CREATEFILEA_HASH
	dd KERNEL32_CLOSEHANDLE_HASH

KERNEL32_FUNCTIONS_TABLE:
KERNEL32_CREATEFILEA dd 0x00000000
KERNEL32_CLOSEHANDLE dd 0x00000000

STRING1: db "String 1", 0

You can replace “String 1″ on line 57 with the file you want to create: “C:\Windows\System32\testfile.txt”.

This shellcode uses the library sc-api-functions.asm you can find in my shellcode repository.

Download:

simple-shellcode-generator_V0_0_1.zip (https)
MD5: 3A6D00C6EBC1F20589C952817174653E
SHA256: FEFD4059810DA7855CC3CBC6A198FD75607C4F7B7B2F71817689E1520B454C58

Friday 16 September 2011

Quickpost: create-remote-thread.py

Filed under: My Software,Quickpost — Didier Stevens @ 15:17

create-remote-thread.py is a new tool I’ll publish after my White Hat Shellcode workshop at Brucon.

It’s a Python program to create a thread in another process (using CreateRemoteThread), and you can specify the API function to execute.

In the example above, I call SetProcessDEPPolicy with an argument of 1 to force permanent DEP on calc.exe

But there are many more uses for my tool.

 

Friday 9 September 2011

DEP Enforcing Shellcode

Filed under: My Software — Didier Stevens @ 7:25

I developed shellcode that enforces permanent DEP when it is injected inside a process:

This is for my Brucon workshop. More details to be posted later.

BITS 32

KERNEL32_HASH equ 0x000d4e88
KERNEL32_NUMBER_OF_FUNCTIONS equ 1
KERNEL32_SETPROCESSDEPPOLICY_HASH equ 0x06f26f66

PROCESS_DEP_ENABLE equ 1

segment .text
	call geteip
geteip:
	pop ebx

  ; Setup environment
	lea esi, [KERNEL32_FUNCTIONS_TABLE-geteip+ebx]
	push esi
	lea esi, [KERNEL32_HASHES_TABLE-geteip+ebx]
	push esi
	push KERNEL32_NUMBER_OF_FUNCTIONS
	push KERNEL32_HASH
	call LookupFunctions

	; Enable permanent DEP in current process
	push PROCESS_DEP_ENABLE
	call [KERNEL32_SETPROCESSDEPPOLICY-geteip+ebx]

	ret

%include "sc-api-functions.asm"

KERNEL32_HASHES_TABLE:
	dd KERNEL32_SETPROCESSDEPPOLICY_HASH

KERNEL32_FUNCTIONS_TABLE:
KERNEL32_SETPROCESSDEPPOLICY dd 0x00000000

Wednesday 10 August 2011

Force “ASLR” on Shell Extensions

Filed under: My Software,Vulnerabilities — Didier Stevens @ 0:49

I’ve written about Shell Extension without ASLR support before.

Not only do they open up explorer.exe to ROP attacks, but other applications too, like Adobe Reader and Microsoft Office.

You could use EMET to force ASLR on these DLLs, assuming you know which applications load shell extensions. Because shell extensions are not only loaded into explorer.exe, but other programs too, I wrote a tool to force Shell Extension DLLs to load at another address than their base address, effectively simulating ASLR.

When my tool, SE_ASLR.dll, is loaded into a process, it will check for the presence of comdlg32.dll inside the list of loaded modules. When comdlg32.dll is used by an application, the likelihood of shell extensions being loaded into the process by user interaction with the file dialogs is significant.

Hence SE_ASLR will patch the IAT to intercept calls to LdrLoadDll. Each time the application loads a DLL (all DLLs, not only shell extension), SE_ASLR will check if the DLL supports ASLR. If it doesn’t, SE_ASLR will pre-allocate a memory page at the base address of the DLL, thereby forcing the loader to load the DLL at another address.

Although SE_ASLR’s primary goal is to relocate shell extensions, it will effectively relocate all DLLs without ASLR support once SE_ASLR is loaded into the process.

You need to load my tool into all applications that could use shell extension, for example via the AppInit_DLLs registry key. But before you do, be sure to test this out on a test machine. Not all shell extensions support relocation.

SE_ASLR_V0_0_0_1.zip (https)
MD5: 9D6AE1A96D554AEE527EB802FE59FB20
SHA256: 8A6C1406A757CD9788A2630D76A497E2C058333EE4D44CA0B85B2A05A39F257E

Monday 6 June 2011

Update: vs.py

Filed under: My Software,Hardware — Didier Stevens @ 18:46

I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version is multi-threaded. For each picture to retrieve, you can specify a thread.

Each line in vs.config requires a 4th parameter now, the name of the thread:

Hall.jpg    http://192.168.1.1/IMAGE.JPG    -    Thread1

This name can be anything. If you use the same name for different pictures, then these pictures will be retrieved sequentially by this thread.

vs_v0_4.zip (https)

MD5: A2AFAD9E581798F1D986A0AE9DF64577

SHA256: C3AC4892A71DF79E3BA87714CB6323D157C7E74C838EDE81013C96DD4EAD0238

Wednesday 27 April 2011

Suspender.dll

Filed under: My Software — Didier Stevens @ 16:12

When the suspender DLL is loaded inside a process, it will wait for 60 seconds and then suspend all the threads of the host process. If you want another delay, just change the name of the file by appending the number of seconds to sleep. For example, suspender10.dll will wait for 10 seconds before suspending the process.

To resume the process, you can use Process Explorer.

I’ve used this DLL to analyze malware and to disable some unwanted programs without killing them.

And from now on, I’ll try to release 32-bit and 64-bit versions of my tools.

Download:

Suspender_V0_0_0_3.zip (https)

MD5: C87FCAB2586C6154B58FB0F95FBB1FBE

SHA256: 56D0C641569E99AC31C7590DE513025E21166747565B73C5EBE34346616FFB2F

Tuesday 19 April 2011

Signed Spreadsheet with cmd.dll & regedit.dll

Filed under: Hacking,My Software — Didier Stevens @ 14:05

Remember my Excel with cmd.dll & regedit.dll?

Paul Craig has a signed version of my spreadsheet on his iKAT site. Download ikat3.zip and look for officekat.xls.

These signed macros are handy when you’re working in a restricted environment that requires Office macros to be signed.

Monday 14 March 2011

HeapLocker: Null Page Allocation

Filed under: My Software,Vulnerabilities — Didier Stevens @ 5:03

Just like EMET, HeapLocker can allocate a page at address 0 (null or 0×00000000) to mitigate null pointer dereferencing.

I actually implemented this code in HeapLocker because I wanted to find out how one can allocate a page at address 0. You see, when you call VirtualAlloc with address 0, VirtualAlloc will allocate a page at an address chosen by VirtualAlloc, and not at address 0. So I would think that the trick is to call VirtualAlloc with address 1, and that VirtualAlloc will allocate a page that contains address 1, and that this page must start at boundary 0.

But the problem is that you get an error when you try to allocate a page at address 1 with VirtualAlloc. Ivanlef0u explains this in his blogpost (French). VirtualAlloc rejects addresses inferior to 0×1000, one must use NtAllocateVirtualMemory to successfully allocate address 1.

Tuesday 8 March 2011

DumpStrings.1sc

Filed under: Forensics,My Software — Didier Stevens @ 0:00

I wrote another script for my 010 Editor.

Like its name implies, DumpStrings will dump all the strings (ASCII and UNICODE) found in a file, or a selection in a file, to the output tab.
Strings must be at least 5 characters long (defined with a #define statement in the script).
UNICODE support is very simple for the moment: 7-bit values in a 16-bit character (MSB or LSB).

Take into account that this is not designed for large files: it will take too long. But its easy to analyze partial files without having to save the selection for analysis with another strings tool.

Download:

DumpStrings_V0_0_1.zip (https)

MD5: 50C0C92F28020E7BCABBF46CA8775CCE

SHA256: 7EC688DBB0FD95C828067662C9ED8BBCFFEFBE5EA37B607DC8DFA1BDCB94365C

Tuesday 1 March 2011

Update: TaskManager.xls Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:47

My TaskManager.xls spreadsheet is very popular, so here’s a new version.

I’ve added a couple of columns with info I need (the Filename, the process Creation time and a 32/64 bit indicator).

And this new version also enables the debug privilege to display info for processes of other users. Of course, you need the debug privilege in first place for this to work. So you have to be a local admin, and if you use an OS with UAC, you have to elevate the Excel application (run as administrator).

TaskManager.xls works on 64-bit Windows, provided you use 32-bit Excel. It doesn’t work on 64-bit Excel yet, I’ll release a new version that does later.

Download:

TaskManager_V0_0_3.zip (https)

MD5: BF40B4317C7E04E1F65B8CEE55ED3A7A

SHA256: 0D48C2E6986F1DD8FA3A0671A1A53F0FC489923701963031FDC4FA516603EEC1

« Previous PageNext Page »

Theme: Rubric. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 83 other followers