Didier Stevens

Friday 21 August 2015

Update: base64dump.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 9:35

A small update to my base64dump.py program: with option -n, you can specify the minimum length of the decoded base64 stream.

I use this when I have too many short strings detected as base64.

base64dump_V0_0_2.zip (https)
MD5: EE032FAB256D44B2907EAA716AD812C5
SHA256: 1E5801DD71C0FFA9CA90D2803B46275662E222D874E409FF31F83B21E6DEC080

Thursday 13 August 2015

Update: pdf-parser Version 0.6.4

Filed under: Malware,My Software,PDF,Update — Didier Stevens @ 0:00

In this new version of pdf-parser, option -H will now also calculate the MD5 hashes of the unfiltered and filtered stream of selected objects, and also dump the first 16 bytes. I needed this to analyze a malicious PDF that embeds a .docm file.

20150812-215754

As you can see in this screenshot, the embedded file is a ZIP file (PK). .docm files are actually ZIP files.

pdf-parser_V0_6_4.zip (https)
MD5: 47A4C70AA281E1E80A816371249DCBD6
SHA256: EC8E64E3A74FCCDB7828B8ECC07A2C33B701052D52C43C549115DDCD6F0F02FE

Friday 26 June 2015

Update: oledump.py Version 0.0.17 – ExitCode

Filed under: My Software,Update — Didier Stevens @ 9:44

Here is a new version of oledump with a couple of bugfixes and a new feature: ExitCode.

The ExitCode of the Python program running oledump.py is 0, except if the analyzed file contains macros, then it is 1. You can’t use options if you want the ExitCode.

Thanks Philippe for the idea.

oledump_V0_0_17.zip (https)
MD5: 5AF76C638AA300F6703C6913F80C061F
SHA256: A04DDE83621770BCD96D622C7B57C424E109949FD5EE2523987F30A34FD319E1

Wednesday 6 May 2015

Update: NAFT Version 0.0.9

Filed under: Forensics,My Software,Networking,Update — Didier Stevens @ 13:55

This update to NAFT adds support for YARA. YARA rules can be used to search through the heap, like this:

naft-icd.py -y IOS_canary.yara –decoders decoder_xor1 heap r870-core

Address      Bytes     Prev     Next Ref     PrevF    NextF Alloc PC  what
83AB9498 0000004100 83AB9444 83ABA4CC 001  -------- -------- 80B5CC7C  8253709C
 YARA rule: IOS_canary

Rule IOS_canary.yara searches for a canary value inside the blocks.

rule IOS_canary
{
    strings:
        $canary = {FD 01 10 DF}
    condition:
        $canary
}

NAFT_V0_0_9.zip (https)
MD5: FEBBDB892D631275A95A0FEA59F8519F
SHA256: 95F42F109623F2BA6D8A9FFB013CBB0B5E995F02E5EB35F8E83A62B8CA8B86D0

Monday 27 April 2015

Update: virustotal-search Version 0.1.2 Daily Quota Handling and CVEs

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version op virustotal-search adds a bunch of options to manage the local database, and 2 features I want to highlight here:

1) If you exceed your daily quota, virustotal-search will now do a clean stop. You can use option -w (waitquota) to instruct virustotal-search to wait until your daily quota is reset, and then continue. The quota reset is tested by doing a query every hour.

2) A new column was added to the CSV output: CVEs. virustotal-search will extract CVE numbers from AV detection signatures and report them in column CVEs.

And I also worked together with VirusTotal so that you get a proper error message when you submit an invalid search request (for example MD5 hash prefixed with $).

virustotal-search_V0_1_2.zip (https)
MD5: 62C8031738E6E20FEC38337010496DF6
SHA256: 317AF862A62CF78FC58604EDB77AA3C00EC1543D2337EC634749C25CC5E4908C

Thursday 16 April 2015

pdf-parser: A Method To Manipulate PDFs Part 1

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach.

Sometimes when I analyze PDF documents (benign or malicious), I want to reduce the PDF to its essential objects. But when one removes objects in a PDF, indexes need to be updated and references updated/removed. To automate this process as much as possible, I updated my pdf-parser program to generate a Python program that in turn, generates the original PDF.

Thus when I want to make changes to the PDF (like removing objects), I generate its corresponding Python program, and then I edit this Python program.

I do this simply with option -g.

20150415-233047

Then you can edit the Python program, and when you run it, it will generate a new PDF file.

You can also use option -g together with option -f to filter the streams before they are inserted in the Python program. This gives you the decompressed streams in the Python program, opening them up to editing.

In this example, without option -f the Python statement for the stream object is:

oPDF.stream(5, 0, 'x\x9cs\nQ\xd0w3T02Q\x08IS040P0\x07\xe2\x90\x14\x05\r\x8f\xd4\x9c\x9c|\x85\xf0\xfc\xa2\x9c\x14M\x85\x90,\x05\xd7\x10\x00\xdfn\x0b!', '<<\r\n /Length %d\r\n /Filter /FlateDecode\r\n>>')

And with option -f, it becomes:

oPDF.stream2(5, 0, 'BT /F1 24 Tf 100 700 Td (Hello World) Tj ET', '', 'f')

The generated Python program relies on my mPDF library found in my PDF make tools.

pdf-parser_V0_6_2.zip (https)
MD5: D6717F1CA6B9DA2392E63F0DABF590DD
SHA256: 4DC0136062E9A5B6D84C74696005531609BD0299887B70DDFFAA19115BF2E746

Monday 13 April 2015

Update: oledump.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 0:00

A new version of oledump (small bugfix and updated plugins).

oledump_V0_0_14.zip (https)
MD5: 5ECD8BC3BD1F6C59F57E7C74DACCF017
SHA256: 7EEF509D84F7185C299A17882D3BD71481B7B1E41654F463F58492455FBDBD11

Friday 27 March 2015

oledump And XML With Embedded OLE Object

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file.

And the man page is finished. Run oledump.py -m to view the man page.

The sample I’m using here is 078409755.doc (B28EF236D901A96CFEFF9A70562C9155). The extension is .doc, but it is an XML file, not an OLE file.

First check:

20150326-201918

The XML file contains an OLE file with 1 stream.

Let’s take a look inside the stream:

20150326-202105

Byte 0x78 could be the start of a ZLIB compressed data stream. Let’s checks this with option –decompress:

20150326-202544

It is indeed ZLIB compressed, and the decompressed data seems to be another OLE file (D0 CF 11 E0).

So let’s pipe this decompressed OLE file into a second instance of oledump:

20150326-203457

This OLE file contains an embedded object (Ole10Native). Let’s have a look:

20150326-203709

It seems to be a .VBS file. Let’s have a look:

20150326-203953

So this looks like VB Script with base64 strings. Let’s try to decode them with a plugin:

20150326-204225

So now it’s clear what this maldoc does: launch PowerShell, download a file and store it as a .cab file in a temporary folder. Expand the downloaded .cab file to an .exe file, and then launch the .exe file. In other words, it is a downloader.

oledump_V0_0_13.zip (https)
MD5: 6651A674F4981D9AEDE000C1F5895B69
SHA256: 4452DF48F7D852140B4CD662AD95C6BC695F5F04009B37A367EB392384935C51

Wednesday 18 March 2015

Update: peid-userdb-to-yara-rules.py

Filed under: My Software,Update — Didier Stevens @ 0:00

Just some small changes.

peid-userdb-to-yara-rules_V0_0_2.zip (https)
MD5: BE287BE1CB4EAFC360B1105C47F81819
SHA256: DC673DC90420F880EBDC8A0298410B3B8D90AFBCCE868A3E075DB5AAF898A188

Tuesday 17 March 2015

Update oledump.py Version 0.0.12

Filed under: Malware,My Software,Update — Didier Stevens @ 0:00

This update adds support for metadata and fixes an XML parsing bug.

20150314-110037

oledump_V0_0_12.zip (https)
MD5: 0AB5F77A9C0F1FF3E8BE4F675440A875
SHA256: 6F87E65729B5A921079B9E5400F63BE6721673B7AC075D809B643074B47FB8D3

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 322 other followers