Didier Stevens

Tuesday 28 August 2012

Update: USBVirusScan 1.7.5

Filed under: My Software,Update — Didier Stevens @ 18:56

This new version of USBVirusScan displays a banner when a USB stick is inserted. You specify the text of the banner in text file banner.txt.

Option -b enables this banner and displays it the first time a removable drive is mounted. Option -B displays the banner each time a removable drive is mounted.

You can find this new version here.

Tuesday 14 August 2012

Update: InstalledPrograms.xls V0.0.2

Filed under: My Software,Update — Didier Stevens @ 21:39

I fixed InstalledPrograms as earthsound suggested: now I include 32-bit installations on 64-bit systems (provided you use 64-bit Excel).

InstalledPrograms_V0_0_2.zip (https)
MD5: 383D9EC2B520E930A8484F1BD0B99534
SHA256: B174A5A9A366799B5C7CB99D6FD83643E5AE8155FBC52ADCEDA836FFF9281766

Thursday 19 July 2012

UserAssist Windows 2000 Thru Windows 8

Filed under: Forensics,My Software,Update — Didier Stevens @ 13:26

I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.

Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

Monday 11 June 2012

Update: vs.py Version 0.5

Filed under: Hardware,My Software,Update — Didier Stevens @ 20:17

I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version can take action after a picture is taken. For each picture to retrieve, you can specify a optional program to be executed; this program receives the picture as argument.

Each line in vs.config can have a 5th parameter now: the name of the program to execute:

Hall.jpg    -    Thread1  image-compare.py

I use it to start a program that compares the new picture with the previous picture, and warns me if they are significantly different.

vs_v0_5.zip (https)
MD5: 83B6DE93E6E26B510E2FBC80C0FF3C17
SHA256: DE3D4DC8D00692BE57F4A8B0A13BB4E3FAE9564ECE444EA04A890B65EED2D538

Wednesday 30 May 2012

Update: virustotal-search

Filed under: Malware,My Software,Update — Didier Stevens @ 9:04

I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then).

What I didn’t explain in my first post, is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was send to VirusTotal or served from the local database.

If you want all requests to be send to VirusTotal, regardless of the content of the local database, use option –force.

And if you don’t want to include your API key in the program source code, you have two alternatives:

  1. use option –key and provide the API key on the command line
  2. define environment variable VIRUSTOTAL_API2_KEY with the your API key

virustotal-search_V0_0_3.zip (https)
MD5: 89D48483B8CF48A11A26314CC3A7631C
SHA256: A66A264A772CB9AEE356E1CF902E93FCA8CDE77233A09DB4999BCF15FA45EDF9

Tuesday 1 May 2012

Update: TaskManager.xls V0.1.3 Killer Shellcode

Filed under: My Software,Shellcode,Update — Didier Stevens @ 10:49

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

Thursday 29 March 2012

Update: SE_ASLR Version

Filed under: My Software,Update — Didier Stevens @ 9:14

I added Bottom Up Randomization to my SE_ASLR tool.

In this source code, I use a Windows Cryptographic Service Provider to generate random numbers.

SE_ASLR_V0_0_0_2.zip (https)
MD5: C835D1DDB64A68A1CD48CCF87AE03D18
SHA256: 1560BEE96CFC956A5E8954FEFD92ED227293418B19FE6B06D4ED703B6C50F4AC

Monday 5 March 2012

Update: TaskManager.xls V0.1.2

Filed under: My Software,Update — Didier Stevens @ 12:03

This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.

I updated the code for 64-bit and edge cases.

TaskManager_V0_1_2.zip (https)
MD5: DEDB20DA6EE1A622DD3C234D07F5FE08
SHA256: 23EC10C7206BA43B56EF185E7C18EF528FD551FC0B34FFF9E4E183C37A114FF8

Saturday 8 October 2011

Update: USBVirusScan 1.7.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version 1.7.4 adds some extra debug info to the debug option (-d) and adds a new option (-w) to disable WOW64 filesystem redirection.

When USBVirusScan launches the program that was specified as argument upon insertion of a removable drive, it will provide debug information regarding the launching of this program.

In case of failure to launch the program, the debug info will include the error message from the Windows API:

If successfully launched, the debug info will include the process ID of the launched program:

USBVirusScan is a 32-bit application, but it works fine on 64-bit Windows. It can launch 64-bit programs without problems, except Windows’ own applications that come in 32-bit and 64-bit versions. For example, if you configure USBVirusScan to launch calc.exe on 64-bit Windows 7, it will launch the 32-bit version of calc.exe and not the 64-bit version. This is due to the WOW64 filesystem redirection mechanism. USBVirusScan has an option (-w) to disable this WOW64 filesystem redirection (only for USBVirusScan, not for your other programs). Disabling WOW64 filesystem redirection allows USBVirusScan to launch the 64-bit version of calc.exe.

Tuesday 1 March 2011

Update: TaskManager.xls Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:47

My TaskManager.xls spreadsheet is very popular, so here’s a new version.

I’ve added a couple of columns with info I need (the Filename, the process Creation time and a 32/64 bit indicator).

And this new version also enables the debug privilege to display info for processes of other users. Of course, you need the debug privilege in first place for this to work. So you have to be a local admin, and if you use an OS with UAC, you have to elevate the Excel application (run as administrator).

TaskManager.xls works on 64-bit Windows, provided you use 32-bit Excel. It doesn’t work on 64-bit Excel yet, I’ll release a new version that does later.


TaskManager_V0_0_3.zip (https)

MD5: BF40B4317C7E04E1F65B8CEE55ED3A7A

SHA256: 0D48C2E6986F1DD8FA3A0671A1A53F0FC489923701963031FDC4FA516603EEC1

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 199 other followers