Didier Stevens

Thursday 22 October 2020

Update: strings.py Version 0.0.5 Pascal Strings

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of strings.py, my tool to extract strings from arbitrary files, adds option -P to add support for Pascal strings.

A Pascal string is a string that is internally stored with a length-prefix: an integer that counts the number of characters inside the string.

The Unix strings command, and my strings.py tool, can extract Pascal strings without any problem, because they just search for a sequence of characters, without looking for a terminating NULL character (C-string) or a length-prefix (P-string ot Pascal string).

But with option -P, you can direct my tool strings.py to only extract Pascal strings, by checking if character sequences are prefixed with an integer that is equal to the number of characters inside the string. Strings that do not match that requirement are ignored.

Since an integer can be represented internally with different byte formats, you have to provide a value to option -P that indicates how the integer is stored internally. I use the same format as Python’s struct module to represent that format. For example, “<I” is a little-endian, unsigned 32-bit integer. That is how a string is represented in Delphi, as can be seen in this example of a Delphi malware sample:

The strings you see here are all found inside the sample, and are prefixed by their length. If you wouldn’t use option -P, then these strings would also be extracted, but they would not stand out amid the other strings that are not prefixed by their length.

Delphi also supports the ShortString type: one byte to encode the length. These can be found with option -P “<B”: little-endian, unsigned 8-bit integer:

strings_V0_0_5.zip (https)
MD5: A4BF314BE0A72972ECA7B14B558610E6
SHA256: 30E9E9BB618006445483AA78F804766D8FFA518974B81F9B68FF534BEA30B072

Sunday 18 October 2020

Update: translate.py version 2.5.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small bug fix release for Python 3.

translate_v2_5_9.zip (https)
MD5: 8EC7A9F0738C86CCF2F0B44D3994E798
SHA256: 3C469996F7014CC1BD5D4F02157B7D5803698D93018360904B79EA2A1601BD10

Saturday 10 October 2020

Quickpost: 4 Bytes To Crash Excel

Filed under: Hacking,Quickpost,Reverse Engineering — Didier Stevens @ 0:00

A couple of years ago, while experimenting with SYLK files, I created a .slk file that caused Excel to crash.

When you create a text file with content “ID;;”, save it with extension .slk, then open it with Excel, Excel will crash.

Microsoft Security Response Center looked at my DoS PoC last year: the issue will not be fixed. It is a “Safe Crash”, Excel detects the invalid input and calls MsoForceAppExitIf to terminate the Excel process.

If you have Excel crashing with .slk files, then look at the first line. If you see something like “ID;;…”, know that the absence of characters between the semi-colons causes the crash. Add a letter, or remove a semi-colon, and that should fix the issue.

Quickpost info

Tuesday 6 October 2020

Update: oledump.py Version 0.0.54

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds a new variable for option -E: %MOFULEINFO%

This variable need to be used together with option -i: it contains the size of the compiled VBA code and the compressed VBA code. For example: 123+65.

There’s a new option (-s) for plugin plugin_http_heuristics: with this option, the plugin ignores space characters (useful for hexadecimal bytes separated by a space character, for example).

And there is a new plugin: plugin_msg_summary. This is a new type of plugin, a plugin that operates on the complete document. Before, plugins could only operate on individual streams, and were instantiated for each stream.

This plugin produces a summary of a .msg file (something we needed for our “Epic Manchego” research).

Here is an example:

This plugin has a couple of options, for example to produce JSON output or to add header or body information:


Thursday 1 October 2020

Overview of Content Published in September

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in September:

Blog posts:

SANS ISC Diary entries:

NVISO blog posts:

Tuesday 29 September 2020

“Epic Manchego” And My Tools

Filed under: Announcement — Didier Stevens @ 0:00

Over the last months, I’ve been quite busy working with my colleagues on report “Epic Manchego – atypical maldoc delivery brings flurry of infostealers“: we’ve tracked an actor creating a new type of malicious Office document.

To help with the automatic analysis of all the maldocs produced by this actor (several per day), I added new features to existing tools and created new tools.

I’m releasing this work in the coming months (some has already been published: oledump.py and zipdump.py).

Monday 28 September 2020

Quickpost: USB Passive Load

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

I just received a USB passive load. It’s basically 2 resistors connected to the USB power wires in parallel, each with a switch in series:

It can draw approximately 1, 2 or 3 amps (depending on switch positions) from a 5 volt USB source.

The resistors can dissipate 10 Watts, and will become very hot.

The resistor for 1 amp (4,7 ohms, tolerance 5%) maxed-out my FLIR One thermal camera (> 150 °C), but I could measure around 220°C (that’s close to 451°F) with another thermal imaging camera.

The second resistor (2 amps: 2,2 ohms, tolerance 5%) maxed-out that other thermal camera too: this one got hotter than 280°C.

I’m referring to 451°F, because presumably, that’s the temperature to ignite paper. Something I’ll have to test out in safe conditions.

I also measured the resistors, and they are well within tolerance:

Here is a short thermal imaging video of the first resistor heating up:

Quickpost info

Sunday 27 September 2020

Quickpost: Ext2explore

Filed under: Quickpost — Didier Stevens @ 17:17

I was looking for a solution to read my Wifi Pineapple’s recon.db file from the SD card (ext2 formatted) on my Windows 10 machine.

The solution I went with is Ext2explore, a tool that can access ext2 volumes.


You have to run it as administrator, otherwise the tool will not be able to get raw access to the ext2 volume:


When you run the tool as administrator, you see your volumes. Mine is an SD card:

I can then explore the content and save file recon.db to a folder on my Windows 10 machine:

Quickpost info

Thursday 10 September 2020

Quickpost: dig On Windows

Filed under: Quickpost — Didier Stevens @ 12:40

I found out there’s a dig command for Windows.

I group small tools like this inside a bin folder. But dig relies on a set of DLLs, that should also be in the PATH, so I put them in the same bin folder.

These are the DLLs dig.exe needs:

  • libbind9.dll
  • libcrypto-1_1-x64.dll
  • libdns.dll
  • libirs.dll
  • libisc.dll
  • libisccfg.dll
  • libuv.dll
  • libxml2.dll

I used procmon on my Win10 machine to figure out which DLLs are needed, as you get no error message (there’s probably a registry setting for that).

I do have a Windows 7 VM, that I can also use to figure out which DLLs are missing because it displays an error message:

And you might also need to install the Visual C redistribuable that is included with the downloaded ZIP:

And now I can run dig from my bin folder:

Quickpost info

Wednesday 9 September 2020

Quickpost: Downloading Files With Windows Defender & User Agent String

Filed under: Quickpost — Didier Stevens @ 7:29

@mohammadaskar2 found out you can use Windows Defender to download arbitrary files. Like this:

"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url http://didierstevens.com/index.html -path test.html

This command uses MpCommunication as User Agent String:

Update: this download feature has been disabled.

Quickpost info

Next Page »

Blog at WordPress.com.