Didier Stevens

ExitProcess Shellcode

Didier Stevens — Mon, 14 May 2012 00:19:26 +0000

I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet.

Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library.

Remark that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return.

You can find this shellcode on my shellcode page.

Why Isn’t my PoC Launching calc.exe?

Didier Stevens — Tue, 08 May 2012 11:17:53 +0000

I quickly developed a dll that kills calc.exe when started from anything else than explorer.exe.

This way, you can mess with all those PoCs that launch calc.exe

nocalcpoc_V0_0_0_1.zip (https)
MD5: 05798543571B45E19536181DC7346330
SHA256: ED0FEDC6096420F6F09F4980A1CE36F7C4BC0A8C9191F4DFC27FA4C77D547976

Update: TaskManager.xls V0.1.3 Killer Shellcode

Didier Stevens — Tue, 01 May 2012 10:49:25 +0000

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

InteractiveSieve

Didier Stevens — Tue, 17 Apr 2012 11:33:34 +0000

Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.

I started writing this program in 2007 and use it often. But there is a problem I’ve not been able to fix: when you hide a lot of rows, it takes a long time, probably because of the redraw operation that takes place for each hidden row. Maybe someone will find a solution.
Update: big thanks to @woanware for fixing the redraw performance problem!

For more details on how to use the program, select Help / About.

InteractiveSieve_V_0_7_3_0.zip (https)
MD5: F36B245584DE143A15F484AA6220D67F
SHA256: AE0804EA739AEDC5FA32B7F6FD99AB99A35F7742B98953A653E0C24725E0FE6F

Update: SE_ASLR Version 0.0.0.2

Didier Stevens — Thu, 29 Mar 2012 09:14:11 +0000

I added Bottom Up Randomization to my SE_ASLR tool.

In this source code, I use a Windows Cryptographic Service Provider to generate random numbers.

SE_ASLR_V0_0_0_2.zip (https)
MD5: C835D1DDB64A68A1CD48CCF87AE03D18
SHA256: 1560BEE96CFC956A5E8954FEFD92ED227293418B19FE6B06D4ED703B6C50F4AC

Update: PDFid And pdf-parser

Didier Stevens — Wed, 14 Mar 2012 09:15:02 +0000

To mark the occasion of my Malicious PDF Analysis workshop at Black Hat Europe 2012, I’m releasing version 0.0.12 of PDFiD and version 0.3.9 of pdf-parser.

The major change is that these 2 tools support Python 3 too now. And then there are a couple of bugfixes and new features given to me by readers.

You can find these tools on the PDF Tools page.

NAFT Release

Didier Stevens — Mon, 12 Mar 2012 19:41:45 +0000

You can find a first release of my Network Appliance Forensic Toolkit here. This first release contains a tool for generic network appliances, but also works on memory dumps of PC operating systems like Windows.

Update: TaskManager.xls V0.1.2

Didier Stevens — Mon, 05 Mar 2012 12:03:20 +0000

This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.

I updated the code for 64-bit and edge cases.

TaskManager_V0_1_2.zip (https)
MD5: DEDB20DA6EE1A622DD3C234D07F5FE08
SHA256: 23EC10C7206BA43B56EF185E7C18EF528FD551FC0B34FFF9E4E183C37A114FF8

Teensy PDF Dropper Part 2

Didier Stevens — Mon, 27 Feb 2012 00:00:07 +0000

Last year I showed how to use a Teensy micro-controller to drop a PDF file with embedded executable. But I was limited to a file of a few kilobytes, because of the Arduino programming language I used for the Teensy.

In this post, I’m using WinAVR and I’m only limited by the amount of flash memory on my Teensy++.

First we use a new version of my PDF tools to create a PDF file with embedded file:

Filter i is exactly like filter h (ASCIIHexDecode), except that the lines of hex code are wrapped at 512 hex digits, making them digestible to our C compiler.

Another new feature of my make PDF tools is Python 3 support.

Here is a sample of our C code showing how to embed each line of the pure-ASCII PDF document as strings:

Macro PSTR makes that the string is stored in flash memory. The embedded executable is 57KB large, but still only takes half of the flash memory of my Teensy++.

After programming my Teensy++, I can fire up Notepad and let my Teensy++ type out the PDF document:

You can download my example for the WinAVR compiler here:

avr-teensy-pdf-dropper_V0_0_0_1.zip (https)
MD5: EA14100A1BEDA4614D1AE9DE0F71B747
SHA256: 2C9A5DF1831B564D82548C72F1050737BCF17E5A25DCDC41D7FA4EA446A8FDED

Peeking at NAFT

Didier Stevens — Mon, 20 Feb 2012 20:02:17 +0000

Here are DNS queries issued by a Windows XP machine:

And here is a command history of a Cisco router:

What do these results have in common?

Both were produced by analyzing RAM dumps with a new forensic toolkit I’m developing, the Network Appliance Forensic Toolkit, or NAFT.

More to be published soon.

But if you want a beta version now, provide me a Cisco core dump in exchange