Didier Stevens

Thursday 14 December 2017

Update: plugin_biff.py Version 0.0.2 / oledump.py Version 0.0.31

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This is an update to plugin_biff, the oledump plugin to parse the BIFF format (used in .xls files).

New options allow to search for opcodes (-o) and strings/bytes (-f) inside BIFF records:


oledump_V0_0_31.zip (https)
MD5: 63B2B5ECE2BC46B937D33A6494F7F6A0
SHA256: D2CF42662897642DF27C863F6C246CE70019EDF03F275354A7A505DCE27632D1

Monday 11 December 2017

New Tool: hash.py

Filed under: My Software — Didier Stevens @ 0:00

This is a new tool, it’s essentially a wrapper for the Python module hashlib: it calculates cryptographic hashes.

I needed this (block mode) for the analysis of a particular malware sample, to be explained in the next blog post.


hash_V0_0_1.zip (https)
MD5: 8ECC05DEFBD4AB494A37DE02615A8FE1
SHA256: 07A1ED7FD00FB18B616540CB108AA1D2134B07CC509E11257E4E43FFF9A185C2

Sunday 10 December 2017

Update: rtfdump.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 10:31

This new version of rtfdump.py adds extra information when analyzing the content of an RTF file:

  • Extra info for objects
  • Size longest contiguous hexadecimal string

rtfdump_V0_0_6.zip (https)
MD5: B4F9264F2431322F52BAAB834A5A144D
SHA256: C15918E89313D03F01BC8A3BCB68376B6E21558567BDFD81889F48196DC80986

Wednesday 6 December 2017

Overview of Content Published In November

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in November:

Blog posts:

SANS ISC Diary entries:

Monday 27 November 2017

Update: pdfid.py Version 0.2.3

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

In this new version of pdfid.py, a new option was added: -n.

With this option, you can suppress output for names with a count of zero:

pdfid_v0_2_3.zip (https)
MD5: 65966E8BBF932D3C0830B755FDE094FE
SHA256: 9482176D173EFA6F2F33EE409B091BFA45685FC285B87F7219A4E9418B47F739

Monday 20 November 2017

Update: pcap-rename.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

pcap-rename.py is a program to rename pcap files with the timestamp of the first packet in the pcap file.

This new version supports big-endian pcap files.

pcap-rename_V0_0_2.zip (https)
MD5: 6EFFA5313946DEAF3363835B1D3C684E
SHA256: 3BA23CC936B49AF83306E486B0BFC9ABAF5BD0B5E3DEF81D8564BCC3810C06B9

Monday 13 November 2017

WebDAV Traffic To Malicious Sites

Filed under: maldoc — Didier Stevens @ 0:00

If observed WebDAV traffic to malicious sites in the past (in proxy logs), and recently I took some time to take a closer look.

TL;DR: when files are retrieved remotely with the file:// URI scheme on Windows, Windows will fallback to WebDAV when SMB connections can not be established.

I did my tests with 2 Windows 7 VMs on the same subnet, one Windows 7 machine with IIS/WebDAV, and the other Windows 7 machine with Word 2016 and a .docx document with a remote template (template.dotx) (using the file:// URI scheme). The Windows firewall on the IIS machine was configured to block ports 139 and 445.

When the .docx document is opened, Word will retrieve the template:

Here is the URI:

First we see attempts to connect on ports 445 and 139 on the IIS machine (SYN packets):

These come from the “System process”:

There are no packets coming back from the IIS machine (I blocked port 139 and 445), and after almost 30 seconds we see an HTTP request to port 80 on the IIS machine:

This is a WebDAV request, notice the User Agent string “DavClnt”:

This TCP connection originates from the Word process:

And about 3 seconds after this request, we get another WebDAV request:

For this request, the User Agent string is “Microsoft-WebDAV-MiniRedir/6.1.7601”.

This TCP connection originates from the WebClient service:

This service was not started:

The svchost service host process will load and start the WebClient service:

WebClient (WebClnt.dll) is the WebDAV service:

To summarize, when the file:// URI scheme is used in a Word document and SMB connections can not be established, we will see WebDAV requests from:

  1. Word (DavClnt)
  2. WebClient service (Microsoft-WebDAV-MiniRedir/6.1.7601)

I’ve observed the same behavior with Windows 10 (with a different version number for the WebClient User Agent string).

When the document is opened a second time, there is no WebDAV request from Word (1), only requests from the WebClient service (2).

When I stop the WebClient service and reopen the document, there is first a WebDAV request from Word (1) followed by requests from the WebClient service (2).

When I disable the WebClient service and reopen the document, there are no more WebDAV requests at all.


Friday 10 November 2017

Update: numbers-to-string.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 22:56

This version has a man page now.

I use this tool to decode obfuscated strings in malicious scripts:

Usage: numbers-to-string.py [options] [expression [[@]file ...]]
Program to convert numbers into a string

@file: process each file listed in the text file specified
wildcards are supported

Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -m, --man             Print manual
  -o OUTPUT, --output=OUTPUT
                        Output to file
  -e, --error           Generate error when error occurs in Python expression
  -i, --ignore          Ignore numbers greater than 255
  -n NUMBER, --number=NUMBER
                        Minimum number of numbers (3 by default)
  -j, --join            Join output


numbers-to-string.py is a Python program that reads texts files (as
arguments on the commandline, @here files or stdin), extract numbers
from these files and converts these to strings.
The first argument of numbers-to-string.py is a Python expression.
This Python expression can use variable n that represents each
extracted number.

Here is an example, with a script file (test.js) containing a list of

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)

Running this script file through numbers-to-string.py with an empty
expression ("") converts the numbers to a string:

C:\Demo>numbers-to-string.py "" test.js

68 is the ASCII number of letter D, 105 is the ASCII number of letter
i, ...
numbers-to-string.py converts each number it extracts to a character,
and concatenates them into one string per line.

The same result can be obtained by using Python expression n, where n
represents the extracted numbers:

C:\Demo>numbers-to-string.py n test.js

The advantage of using a Python expression becomes obvious when the
numbers have been altered to obfuscate their meaning.

In the next example, 1 has been added to each number, making
straightforward conversion generate an unintelligible string:

a = (105, 117, 117, 113, 116, 59, 48, 48, 69, 106, 101, 106, 102, 115,
84, 117, 102, 119, 102, 111, 116, 47, 100, 112, 110)

C:\Demo>numbers-to-string.py n test.js

If we use the Python expression to substract 1 from each number (n -
1), then we can decode the string:

C:\Demo>numbers-to-string.py "n - 1" test.js

For more complex operations, a lambda expression can be used. The
argument of the lambda expression is the list of numbers.
Here is an example from a real malicious document:

C:\Demo>numbers-to-string.py "lambda l: [b - 40 + i*2 for i, b in
enumerate(l)]" test.js

numbers-to-string.py will work line per line, as illustrated with this

C:\Demo>type test.js
a = (68, 105, 100, 105, 101, 114)
b = (83, 116, 101, 118, 101, 110, 115)

C:\Demo>numbers-to-string.py n test.js

With option -j, the output strings can be concatenated:

C:\Demo>numbers-to-string.py -j n test.js

Output can be written to a file using option -o.

numbers-to-string.py needs at least 3 numbers per line to start
extracting. Lines with less than 3 numbers are ignored. 3 numbers is
the default minimum value, and can be changed using option -n.

Errors that occur when evaluating the Python expression will be
silently ignored. To have the tool raise these errors, use option -e.

If the resulting value of the expression is more than 255, an error
will be generated, unless option -i is used to ignore these errors.

numbers-to-string_v0_0_3.zip (https)
MD5: 6FD49062058E6A03A4A7BF3A3D26408A
SHA256: 9457AFA699B61DA52F07921D3F7AB486585036654D64AD126B933345E71BC07F

Monday 6 November 2017

Update: oledump.py Version 0.0.30

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blogpost.

oledump_V0_0_30.zip (https)
MD5: BBD53C65FC40891E2125B9808F507E4A
SHA256: 78CDC8C8BCD651A3578F567D24FD88300600E02520B2D75F45448E4FB480FEB0

Sunday 5 November 2017

Update: pecheck.py Version 0.7.1

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of pecheck.py adds support for option -g to select a section:


pecheck-v0_7_1.zip (https)
MD5: D5907442424C527A9937CFA65377C9BD
SHA256: BF2F162D108F17F350111645B8DFFE5D3641065CB6EE3CE318FCBEC83507917B

Next Page »

Blog at WordPress.com.