This new version of XORSearch comes with a new operation: shifting left.
It comes in handy to reverse engineer protocols like TeamViewer’s remote access protocol.
Here’s an example. When you run TeamViewer, your machine gets an ID:
We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 in this traffic:
And as you can see, XORSearch finds this ID by left-shifting the content of the pcap file with one bit.
I added several new fields to the output produce by my new tool AnalyzePESig:
- issuer unique id
- subject unique id
This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.
Since it was brought to my attention that some AV products detect the version with shellcode, I’m forking the project:
TaskManager.xls has no shellcode injection features, while TaskManagerSC.xls does.
The most important feature in this new version is the pivot table. You can select 2 columns and generate a pivot table for the data in these columns. Here is an example with data from a new tool I’m working on:
FYI: this shows which root certificates are present in the AuthentiCode signatures using MD5 or SHA1.
Here’s a list of changes:
- Quick fix for empty field bugs reported by Troy Larson
- Replaced Copy button in Values form with Copy Values and Copy All
- Added hide doubles column command
- Added Hide column; row counter & timer
- Added Load from clipboard (paste)
- Added Generate…
- Added “Has header row” option, code for version 0.7.3 provided by Patrick Thomas
This new version of USBVirusScan displays a banner when a USB stick is inserted. You specify the text of the banner in text file banner.txt.
Option -b enables this banner and displays it the first time a removable drive is mounted. Option -B displays the banner each time a removable drive is mounted.
You can find this new version here.
I fixed InstalledPrograms as earthsound suggested: now I include 32-bit installations on 64-bit systems (provided you use 64-bit Excel).
I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.
Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.
I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version can take action after a picture is taken. For each picture to retrieve, you can specify a optional program to be executed; this program receives the picture as argument.
Each line in vs.config can have a 5th parameter now: the name of the program to execute:
Hall.jpg http://192.168.1.1/IMAGE.JPG - Thread1 image-compare.py
I use it to start a program that compares the new picture with the previous picture, and warns me if they are significantly different.
I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then).
What I didn’t explain in my first post, is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was send to VirusTotal or served from the local database.
If you want all requests to be send to VirusTotal, regardless of the content of the local database, use option –force.
And if you don’t want to include your API key in the program source code, you have two alternatives:
- use option –key and provide the API key on the command line
- define environment variable VIRUSTOTAL_API2_KEY with the your API key
My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).
Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.
Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:
The result is that notepad will terminate itself.
When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.
FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.