Didier Stevens

Tuesday 29 December 2015

SHA256 Code Signing and Microsoft

Filed under: Encryption — Didier Stevens @ 10:28

In a couple of days Windows will no longer trust sha-1 code-signing. It happened in the past that Microsoft announced changes to AuthentiCode, and then did not follow though, but it looks like this one is going to happen.

First of all, the loss of trust will not happen for all executables with a sha-1 signature. It will only happen with executables with a “Mark of the Web” attribute and without a timestamp or a timestamp after 1/1/2016.

A “Mark of the Web” attribute means that the executable is flagged as downloaded from an untrusted source (the Internet), like this one:


This is done with an Alternate Data Stream (ADS) named Zone.Identifier and with content like this:


If you develop executables that will be downloaded and you sign with a sha-1 certificate, check that you also include a timestamp. As I explained in my blogpost, you can add a missing timestamp after signing. You don’t even need a code signing certificate to add a timestamp.

Monday 28 December 2015

Maldoc GET Range

Filed under: maldoc,Malware — Didier Stevens @ 13:06

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn’t seen done before in VBS.

This maldoc drops a VBS script, that proceeds to download an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is the image:


Look at the obfuscated code:


Notice SetRequestHeader: This code is using HTTP and is adding something to the headers. Here is the deobfuscated code:


This code is downloading a picture (wp.jpg), but not the complete picture. It sets a header (Range: bytes=28141-) to download only the XOR-encoded PE file hidden in the JPEG image.


Tuesday 22 December 2015

MIME File With “Header”

Filed under: maldoc,My Software — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

Malicious MS Office documents are also distributed as MIME files. A blog reader asked for help with a MIME file that gave him problems: f67aa5a3ede3d31c5a68494c0678e2ee.

Accoring to emldump.py, the file is just text (not a multipart file):


But if you look at the file, you’ll notice a line preceding the MIME-Version line:


You can instruct emldump to skip this line with option -H:


Now emldump is able to analyze the multipart MIME file, and detect the MSO file (part 3). oledump can analyze MSO files:


Monday 21 December 2015

Update: oledump.py Version 0.0.22

Filed under: maldoc,My Software,Update — Didier Stevens @ 16:27

Some changes when you use the –raw option. Now plugins can also be used when the VBA code is corrupted.

oledump_V0_0_22.zip (https)
MD5: CA91850BBC92E82D705F707704000F82
SHA256: 16763BCF15BFB3301FFAE0BDA26F18EE2946EDD7478994B798127DBBEF5FF9E7

Monday 14 December 2015

BruCON Spring Training 2016: Analysing Malicious Documents

Filed under: Announcement — Didier Stevens @ 0:00

I teach a class on analyzing malicious documents at BruCON Spring Training 2016.

First day covers PDF, second day covers MS Office documents. When you attend, you also get my PDF and MS Office workshop videos.

Early bird registration till the end of the year.

Sunday 13 December 2015

Windows Backup Privilege: CMD.EXE

Filed under: Forensics,My Software — Didier Stevens @ 0:00

You probably encountered the situation where you could not access a file, even as an administrator. For example hiberfil.sys.

There is a way in Windows to read any file regardless of DACLs: the backup privilege.

I updated ReactOS’ cmd.exe shell to use the backup privilege.

I added a new command: privilege. This command enables the backup privilege. To be able to enable a privilege, you need to have the privilege: you have the backup privilege if you’re an administrator and elevate the process (cmd.exe).

And I updated the copy and type command to make use of the enabled backup privilege.

Finally, there’s yet another new command: info. This command gives the MAC timestamps, file attributes and SDDL of the given file/folder.

cmd-dll_v0_0_4.zip (https)
MD5: D9D75A10F2C328B708303F9BD24B9AD3
SHA256: 952CFB833D4F22093D7DF837372239A1199C1738FFFFED76124AF8668F4D3877

Friday 11 December 2015

Overview of Content Published In November

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Monday 30 November 2015

Update: Authenticode Tools

Filed under: Uncategorized — Didier Stevens @ 0:00

I released new versions of my AnalyzePESig and ListModules authenticode tools.

Extra fields with information were added to the output of the tools, and the tools were adapted to use the SE_BACKUP_NAME privilege, giving the tools the privilege to read files even when the permissions do not allow it (running as administrator and elevated).

A new field that might require some extra explanation is the DEROIDHash field. The DEROIDHash is a sha-256 hash of the DER structure and OID numbers of a PKCS7 signature: it’s the sha-256 hash of the bytes that make up the PKCS7 signature, except for the data. In other words, it’s the sha-256 hash of the DER bytes that specify the tags and the OID numbers. Signatures with the same structure and OID numbers share the same DEROIDhash.

For example, if a new version of a signed executable is released and the DEROIDHash value is different from the previous version, then the author has changed his/her signing process or is using a certificate with a different structure; or the executable was signed by another party using another signing process.

Sunday 29 November 2015

Update: oledump.py Version 0.0.21

Filed under: My Software,Update — Didier Stevens @ 11:15

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-0x100 select the whole stream except the last 256 bytes.

oledump_V0_0_21.zip (https)
MD5: F72CBB797CE8FB810ACE5E54DC832129
SHA256: 016C772575DF381C274F6408B242945DE35679904B7C8B1B693ABFB2B3C023FB

Saturday 28 November 2015

Update: virustotal-search.py Version 0.1.3

Filed under: My Software,Update — Didier Stevens @ 9:29

A small update: I added option -s (separator) so that you can choose your CSV separator.

virustotal-search_V0_1_3.zip (https)
MD5: 6D93F6CCE56AA74C830D66F9AE2E88C0
SHA256: 09D3BA6BCE1A69E8292AD0D44FB216FBCBF5686EA3C64DCD5FC877E91D4141F4

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 374 other followers