Didier Stevens

Thursday 6 September 2012

Update & Split: TaskManager.xls Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 18:38

This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.

Since it was brought to my attention that some AV products detect the version with shellcode, I’m forking the project:

TaskManager.xls has no shellcode injection features, while TaskManagerSC.xls does.

TaskManager_V0_1_4.zip (https)
MD5: FBB30486CF0E7A1BEB7342EF4672DE52
SHA256: 30779E09B5B0D1D1AFE9C33B12EDD0982E775A9FA0B0D2A1189835004750FB5F

TaskManagerSC_V0_1_4.zip (https)
MD5: 61C6657B2E36F3240A67960BCA413E56
SHA256: FAAB1044318A1EB6FEA09109ABDD982CDFFAEE54DC1C81D3416CC2A69DEEEC70

Wednesday 29 August 2012

Update: InteractiveSieve 0.7.6

Filed under: My Software,Update — Didier Stevens @ 13:18

The most important feature in this new version is the pivot table. You can select 2 columns and generate a pivot table for the data in these columns. Here is an example with data from a new tool I’m working on:

FYI: this shows which root certificates are present in the AuthentiCode signatures using MD5 or SHA1.

Here’s a list of changes:

  • Quick fix for empty field bugs reported by Troy Larson
  • Replaced Copy button in Values form with Copy Values and Copy All
  • Added hide doubles column command
  • Added Hide column; row counter & timer
  • Added Load from clipboard (paste)
  • Added Generate…
  • Added “Has header row” option, code for version 0.7.3 provided by Patrick Thomas

InteractiveSieve_V_0_7_6_0.zip (https)
MD5: 37C18D2E41CB311442E033F253818057
SHA256: 5758289A939388FDB73617DAD686EBD2B79D1E48444A772946E7606DAF49DB05

Tuesday 28 August 2012

Update: USBVirusScan 1.7.5

Filed under: My Software,Update — Didier Stevens @ 18:56

This new version of USBVirusScan displays a banner when a USB stick is inserted. You specify the text of the banner in text file banner.txt.

Option -b enables this banner and displays it the first time a removable drive is mounted. Option -B displays the banner each time a removable drive is mounted.

You can find this new version here.

Tuesday 14 August 2012

Update: InstalledPrograms.xls V0.0.2

Filed under: My Software,Update — Didier Stevens @ 21:39

I fixed InstalledPrograms as earthsound suggested: now I include 32-bit installations on 64-bit systems (provided you use 64-bit Excel).

InstalledPrograms_V0_0_2.zip (https)
MD5: 383D9EC2B520E930A8484F1BD0B99534
SHA256: B174A5A9A366799B5C7CB99D6FD83643E5AE8155FBC52ADCEDA836FFF9281766

Thursday 19 July 2012

UserAssist Windows 2000 Thru Windows 8

Filed under: Forensics,My Software,Update — Didier Stevens @ 13:26

I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.

Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

Monday 11 June 2012

Update: vs.py Version 0.5

Filed under: Hardware,My Software,Update — Didier Stevens @ 20:17

I’ve updated my Python program to take surveillance pictures from IP-cameras. This updated version can take action after a picture is taken. For each picture to retrieve, you can specify a optional program to be executed; this program receives the picture as argument.

Each line in vs.config can have a 5th parameter now: the name of the program to execute:

Hall.jpg    http://192.168.1.1/IMAGE.JPG    -    Thread1  image-compare.py

I use it to start a program that compares the new picture with the previous picture, and warns me if they are significantly different.

vs_v0_5.zip (https)
MD5: 83B6DE93E6E26B510E2FBC80C0FF3C17
SHA256: DE3D4DC8D00692BE57F4A8B0A13BB4E3FAE9564ECE444EA04A890B65EED2D538

Wednesday 30 May 2012

Update: virustotal-search

Filed under: Malware,My Software,Update — Didier Stevens @ 9:04

I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then).

What I didn’t explain in my first post, is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was send to VirusTotal or served from the local database.

If you want all requests to be send to VirusTotal, regardless of the content of the local database, use option –force.

And if you don’t want to include your API key in the program source code, you have two alternatives:

  1. use option –key and provide the API key on the command line
  2. define environment variable VIRUSTOTAL_API2_KEY with the your API key

virustotal-search_V0_0_3.zip (https)
MD5: 89D48483B8CF48A11A26314CC3A7631C
SHA256: A66A264A772CB9AEE356E1CF902E93FCA8CDE77233A09DB4999BCF15FA45EDF9

Tuesday 1 May 2012

Update: TaskManager.xls V0.1.3 Killer Shellcode

Filed under: My Software,Shellcode,Update — Didier Stevens @ 10:49

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

Thursday 29 March 2012

Update: SE_ASLR Version 0.0.0.2

Filed under: My Software,Update — Didier Stevens @ 9:14

I added Bottom Up Randomization to my SE_ASLR tool.

In this source code, I use a Windows Cryptographic Service Provider to generate random numbers.

SE_ASLR_V0_0_0_2.zip (https)
MD5: C835D1DDB64A68A1CD48CCF87AE03D18
SHA256: 1560BEE96CFC956A5E8954FEFD92ED227293418B19FE6B06D4ED703B6C50F4AC

Monday 5 March 2012

Update: TaskManager.xls V0.1.2

Filed under: My Software,Update — Didier Stevens @ 12:03

This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.

I updated the code for 64-bit and edge cases.

TaskManager_V0_1_2.zip (https)
MD5: DEDB20DA6EE1A622DD3C234D07F5FE08
SHA256: 23EC10C7206BA43B56EF185E7C18EF528FD551FC0B34FFF9E4E183C37A114FF8

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 222 other followers