I made a very small change to XORSearch’s source code (dropped malloc.h) so that it compiles on OSX.
You can find the new version on XORSearch’s page.
I had a very good Samurai WTF training at Brucon by Raul Siles.
When Raul discussed the fact that clients are not worried about cross-site scripting when you demonstrate it with an alert box, I got the following idea:
Let’s redirect the customer to the competitor’s website. So instead of alert("XSS"); let’s do window.location = "http://www.competitor.com"; (the scheme is needed, otherwise the browser treats the value as a relative path on the vulnerable site). This will demonstrate that a cross-site script can cost your client money.
BTW, our training took place in a church:

My Windows x64 The Essentials Workshop at BruCON 2012 was a success. Today I finished the production of the videos of this workshop; they are for sale on my company’s site.
And tomorrow I’m doing my White Hat Shellcode Workshop at Hack.lu 2012, so I started a promotional sale during Hack.lu 2012.
I will release free stuff on my company’s website Didier Stevens Labs. Like this new XORSearch video.
XORSearch is one of my popular tools, but I hadn’t made a video for it yet:
You probably know by now that Adobe will revoke a compromised code signing certificate in a couple of days. As we seem to have more code signing related security incidents recently, I started to develop a couple of new tools.
AnalyzePESig is a tool to check signatures in PE files, just like Sysinternals’ sigcheck. But with a couple of differences.
First, when a signature is not valid, AnalyzePESig will tell you why and still display information about the invalid signature and related certificates. Second, AnalyzePESig displays more information and third, it is open source.
Here is how you use AnalyzePESig to look for executables signed with that Adobe certificate that will soon be revoked:
analyzepesig -e -v -s -o windows.csv c:\windows
This will produce a CSV list of all executables found in the c:\windows directory.
Filter this list for lines including string fdf01dd3f37c66ac4c779d92623c77814a07fe4c (this is the fingerprint of the compromised certificate):

As you can see, I have Flash components signed with this compromised certificate. Now, this does not mean that these executables are compromised. To get a better idea, I can use my virustotal-search tool to search VirusTotal.
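The filter-then-look-up step above, as an added example (not AnalyzePESig’s own code): it reads a CSV in the shape AnalyzePESig produces, keeps the rows whose signer thumbprint matches the compromised certificate, and collects the distinct file hashes to hand to a hash lookup such as virustotal-search. The ';' delimiter and the column names Filename, Signer Thumbprint and SHA256 are assumptions; check the header line of your own windows.csv and adjust them. The sample rows are constructed.

```python
"""Filter an AnalyzePESig-style CSV for one certificate thumbprint and collect the
hashes to feed to a VirusTotal lookup.  Added example; not AnalyzePESig's own code.
Assumed: a header row, a ';' delimiter, and columns named Filename, Signer Thumbprint
and SHA256.  Check the header line of your own windows.csv and adjust the names."""
import csv
import io

# Fingerprint of the compromised Adobe certificate, as quoted in the post.
COMPROMISED_THUMBPRINT = "fdf01dd3f37c66ac4c779d92623c77814a07fe4c"

# Constructed sample output (file names and hashes are made up, not real files).
HASH_A = "a" * 64
HASH_B = "b" * 64
SAMPLE_CSV = (
    "Filename;Signer Thumbprint;SHA256\n"
    f"c:\\windows\\example\\sample1.ocx;FDF01DD3F37C66AC4C779D92623C77814A07FE4C;{HASH_A}\n"
    f"c:\\windows\\example\\other.exe;00112233445566778899aabbccddeeff00112233;{HASH_B}\n"
    f"c:\\windows\\example\\copy\\sample1.ocx;fd:f0:1d:d3:f3:7c:66:ac:4c:77:9d:92:62:3c:77:81:4a:07:fe:4c;{HASH_A}\n"
)


def normalise_thumbprint(value):
    """Thumbprints show up upper- or lower-case and with or without ':' separators;
    compare them in one canonical form."""
    return value.replace(":", "").replace(" ", "").lower()


def find_signed_by(csv_text, thumbprint, delimiter=";"):
    """Return (filename, sha256) for every row whose signer thumbprint matches."""
    wanted = normalise_thumbprint(thumbprint)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text), delimiter=delimiter):
        if normalise_thumbprint(row.get("Signer Thumbprint", "")) == wanted:
            hits.append((row["Filename"], row["SHA256"].lower()))
    return hits


def hashes_for_lookup(hits):
    """A hash lookup tool wants one hash per line; the same file is often present
    under several paths, so deduplicate first."""
    return sorted({sha256 for _, sha256 in hits})


if __name__ == "__main__":
    matches = find_signed_by(SAMPLE_CSV, COMPROMISED_THUMBPRINT)
    for name, sha256 in matches:
        print(name, sha256)
    print("\n".join(hashes_for_lookup(matches)))
```

Matching on the normalised thumbprint rather than on a raw substring avoids missing rows where the tool prints the fingerprint in a different case or with separators.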

And here is another example, JP2KLib.dll, a DLL of Adobe Reader X:

AnalyzePESig_V0_0_0_1.zip (https)
MD5: 4BE29E4A5DE470C6040241FD069010C4
SHA256: FB83C6491690402273D42A3335777E77EA29328F5FE8503FF6F5EF62833D1FBC
I founded my own company: Didier Stevens Labs

You can find videos of my workshops for sale on this new website.
And I will give a brand new workshop at Brucon next week: Windows x64: The Essentials
I will sell CDs with my workshop videos at Brucon with a 20% discount.
I’ve worked on a couple of new tools to analyze the digital signature found in PE files. In this post, I’m sharing some invalid signatures I found on my machines.
This signature is invalid because the certificate expired:

Normally, the fact that it expired shouldn’t cause the signature to become invalid, but here it does because the author forgot to countersign the signature with a timestamping service:

I also found several files where the root certificate used in the signatures uses a signature algorithm based on the MD2 hash:

And last a signature with a revoked certificate:

Remember Realtek Semiconductor? Their private key was compromised and used to sign Stuxnet components.
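The three reasons for an invalid signature listed above (expired certificate with no timestamp countersignature, a root signed with an MD2-based algorithm, a revoked certificate), modelled as plain checks in an added example. This is not AnalyzePESig’s code and it does not parse PE files; it only encodes the rules against fields a tool like AnalyzePESig extracts. The field names, the scenario dates and the treatment of revocation as a simple flag are assumptions.

```python
"""Why an Authenticode signature ends up invalid: the three cases from the post
(expired certificate with no timestamp countersignature, root signed with an
MD2-based algorithm, revoked certificate), modelled as plain checks.  Added
example; it does not parse PE files, it only encodes the rules applied to
fields a signature checker extracts.  Field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Hash algorithms that should no longer anchor a trust chain.
WEAK_HASHES = {"md2", "md4", "md5"}


@dataclass
class SignatureInfo:
    not_before: datetime                  # signing certificate validity window
    not_after: datetime
    root_sig_algorithm: str               # e.g. "md2WithRSAEncryption"
    countersign_time: Optional[datetime]  # time from the timestamping service, None if absent
    revoked: bool = False                 # simplification: revocation as a flag, no date


def hash_of(sig_algorithm):
    """'md2WithRSAEncryption' -> 'md2', 'sha256WithRSAEncryption' -> 'sha256'."""
    return sig_algorithm.lower().split("with", 1)[0]


def assess(sig, now):
    """Return the reasons the signature is invalid (empty list means valid)."""
    findings: List[str] = []
    # A countersignature fixes the point in time at which validity is judged;
    # without it the checker can only use the current time, so expiry hurts.
    reference = sig.countersign_time if sig.countersign_time else now
    if not (sig.not_before <= reference <= sig.not_after):
        if sig.countersign_time is None and now > sig.not_after:
            findings.append("EXPIRED_NOT_COUNTERSIGNED")
        else:
            findings.append("NOT_VALID_AT_SIGNING_TIME")
    if hash_of(sig.root_sig_algorithm) in WEAK_HASHES:
        findings.append("WEAK_ROOT_HASH")
    if sig.revoked:
        findings.append("REVOKED")
    return findings


# Constructed scenarios mirroring the post (dates are made up).
NOW = datetime(2012, 10, 1)
WINDOW = dict(not_before=datetime(2009, 1, 1), not_after=datetime(2011, 1, 1))
EXPIRED_NO_TS = SignatureInfo(**WINDOW, root_sig_algorithm="sha1WithRSAEncryption",
                              countersign_time=None)
EXPIRED_WITH_TS = SignatureInfo(**WINDOW, root_sig_algorithm="sha1WithRSAEncryption",
                                countersign_time=datetime(2010, 6, 1))
MD2_ROOT = SignatureInfo(**WINDOW, root_sig_algorithm="md2WithRSAEncryption",
                         countersign_time=datetime(2010, 6, 1))
REVOKED = SignatureInfo(**WINDOW, root_sig_algorithm="sha1WithRSAEncryption",
                        countersign_time=datetime(2010, 6, 1), revoked=True)

if __name__ == "__main__":
    for label, sig in [("expired, no timestamp", EXPIRED_NO_TS),
                       ("expired, timestamped", EXPIRED_WITH_TS),
                       ("MD2 root", MD2_ROOT), ("revoked", REVOKED)]:
        print(f"{label}: {assess(sig, NOW) or 'valid'}")
```

The second scenario is the point of the post: the same expired certificate yields a valid signature when a timestamping service countersigned it inside the validity window, and an invalid one when the author skipped that step.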
This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.
Since it was brought to my attention that some AV products detect the version with shellcode, I’m forking the project:
TaskManager.xls has no shellcode injection features, while TaskManagerSC.xls does.
TaskManager_V0_1_4.zip (https)
MD5: FBB30486CF0E7A1BEB7342EF4672DE52
SHA256: 30779E09B5B0D1D1AFE9C33B12EDD0982E775A9FA0B0D2A1189835004750FB5F
TaskManagerSC_V0_1_4.zip (https)
MD5: 61C6657B2E36F3240A67960BCA413E56
SHA256: FAAB1044318A1EB6FEA09109ABDD982CDFFAEE54DC1C81D3416CC2A69DEEEC70
The most important feature in this new version is the pivot table. You can select 2 columns and generate a pivot table for the data in these columns. Here is an example with data from a new tool I’m working on:

FYI: this shows which root certificates are present in the AuthentiCode signatures using MD5 or SHA1.
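The two-column pivot described above, reproduced as an added example over constructed data (this is not InteractiveSieve’s code; the column names Root and Digest and the root certificate names are made up): it cross-tabulates root certificate against digest algorithm, fills in zero cells and row totals, and lists the roots that appear with MD5 or SHA1.

```python
"""Two-column pivot table like InteractiveSieve's, over constructed signature data:
which root certificate appears with which digest algorithm, and how often.
Added example, not InteractiveSieve's code; column and root names are made up."""
import csv
import io
from collections import Counter

SAMPLE_CSV = """Root;Digest
Example Root CA 1;md5
Example Root CA 1;sha1
Example Root CA 2;sha1
Example Root CA 1;sha1
Example Root CA 3;sha256
Example Root CA 2;md5
"""


def load_rows(csv_text, delimiter=";"):
    return list(csv.DictReader(io.StringIO(csv_text), delimiter=delimiter))


def pivot(rows, col_a, col_b):
    """Count rows per (col_a value, col_b value).  Returns a dict of dicts with
    every row/column combination present (0 where absent) plus a row total."""
    counts = Counter((row[col_a], row[col_b]) for row in rows)
    a_values = sorted({a for a, _ in counts})
    b_values = sorted({b for _, b in counts})
    table = {}
    for a in a_values:
        table[a] = {b: counts.get((a, b), 0) for b in b_values}
        table[a]["Total"] = sum(counts.get((a, b), 0) for b in b_values)
    return table


def roots_with_weak_digest(table, weak=("md5", "sha1")):
    """Row labels that have at least one signature under a weak digest."""
    return sorted(a for a, cells in table.items()
                  if any(cells.get(w, 0) > 0 for w in weak))


def render(table):
    """Plain-text rendering of the pivot for a terminal."""
    columns = list(next(iter(table.values())).keys())
    width = max(len(a) for a in table)
    lines = [" " * width + "".join(f"{c:>10}" for c in columns)]
    for a, cells in table.items():
        lines.append(f"{a:<{width}}" + "".join(f"{cells[c]:>10}" for c in columns))
    return "\n".join(lines)


if __name__ == "__main__":
    table = pivot(load_rows(SAMPLE_CSV), "Root", "Digest")
    print(render(table))
    print("roots seen with MD5 or SHA1:", roots_with_weak_digest(table))
```

Swapping the two column names (pivot(rows, "Digest", "Root")) gives the transposed view, which is what selecting the columns in the other order does in the GUI.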
Here’s a list of changes:
InteractiveSieve_V_0_7_6_0.zip (https)
MD5: 37C18D2E41CB311442E033F253818057
SHA256: 5758289A939388FDB73617DAD686EBD2B79D1E48444A772946E7606DAF49DB05