Didier Stevens

Monday 17 February 2020

Update: format-bytes.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of format-bytes.py brings a new option when extracting bitstreams: producing a stream of 0s & 1s, like this:

Join specifier j:b (option “-f bitstream=…”) produces a bitstream of 0s & 1s that I can then process further:

The PNG file I analyze in this example was created with PHP Stegger on the Geocaching Toolbox site.

format-bytes_V0_0_13.zip (https)
MD5: E7A7A344B3B8753553FC5B2E4084D8DA
SHA256: 1F22A1D784DCF1269FFD12E2C9467EE0FB93B0895CC24D04CBBD9696D50945DB

Sunday 16 February 2020

Update: hex-to-bin.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This version of hex-to-bin.py, a simple tool to convert hexadecimal data to binary, can also handle bitstreams (option -b) with this update. If necessary, the bitstream is right-padded with 0s to make the bitstream length a multiple of 8.
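The two bitstream conversions described in this post and in the format-bytes.py post above (bytes to a string of 0s and 1s, and a bitstream back to bytes with right-padding to a multiple of 8), as an added example that is not the code of either tool. It assumes MSB-first bit order, which is an assumption, not something the posts state.

```python
# Added example, not code from hex-to-bin.py or format-bytes.py.
# Assumption: bits are emitted and read most-significant-bit first.

def bytes_to_bitstream(data: bytes) -> str:
    """Render bytes as a string of '0'/'1' characters, MSB first
    (the kind of output the j:b join specifier produces)."""
    return ''.join(format(b, '08b') for b in data)

def bitstream_to_bytes(bits: str) -> bytes:
    """Convert a string of '0'/'1' characters to bytes.
    Like hex-to-bin.py -b, the bitstream is right-padded with '0' bits
    when its length is not a multiple of 8."""
    if not bits:
        return b''
    if set(bits) - {'0', '1'}:
        raise ValueError('bitstream may only contain the characters 0 and 1')
    padded = bits + '0' * (-len(bits) % 8)   # pad on the right, never the left
    return bytes(int(padded[i:i + 8], 2) for i in range(0, len(padded), 8))

if __name__ == '__main__':
    # Constructed sample: 7 bits, so one '0' bit is appended before conversion.
    print(bitstream_to_bytes('1010101').hex())        # aa
    print(bytes_to_bitstream(b'Hi'))                  # 0100100001101001
```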

Example:

hex-to-bin_V0_0_4.zip (https)
MD5: CBD3D27A2BC703F51FB23F757084BBE1
SHA256: CD70D7644BB353C64DD37AA0717B14967176A1A5E35E5DC6AE163D929BE13AAD

Tuesday 11 February 2020

Update: xmldump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of xmldump.py, a tool to parse and display xml content, has a new command: pretty.

As its name implies, this command performs a pretty print of the xml content.

xmldump_V0_0_4.zip (https)
MD5: A97F4048226BD9A0BE47D1ABDEC5D770
SHA256: 2636D10294C5BCD8B1E97DFE30745FF91496FB9F87ABB8D99371B379AA711B25

Monday 10 February 2020

Update: oledump.py Version 0.0.45

Filed under: maldoc,My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py has a feature to display Ad Hoc YARA rules using option --verbose.

In this example, I show a string Ad Hoc YARA rule to search for string attri (-y #s#attri). By including option --verbose, the YARA rule generated by oledump for string attri is displayed first:

Plugin plugin_http_heuristics has a new option: -c / --contains.

By default, plugin_http_heuristics looks for (obfuscated) strings that start with keywords (http:// and https:// by default). Option -c changes this behavior: when this option is used, the keywords are searched in the entire string, and not just at the start.

In this example, I use this feature to search for the filename of the dropped executable (strings containing “.exe”):

And I also include plugin_vba: this is an old plugin that I failed to release. It searches for string concatenation in VBA code.

Video:

oledump_V0_0_45.zip (https)
MD5: FB9694358CCEAE4AFDFCF97FDA0D5205
SHA256: FB75B1E19E5067751E2DE1AD21826245B7E11EDBE03278566484754F606F3965

Sunday 2 February 2020

Update: pecheck.py Version 0.7.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a Python 3 bug fix version for pecheck.py, a tool to analyze PE files.

pecheck-v0_7_9.zip (https)
MD5: F69709C475D513A8D2031C21EEC13284
SHA256: 99E71A9FC917BB27CDD893F14AE77F2E810A4C7BB56A6E975BB619C978B12D47

Saturday 1 February 2020

Overview of Content Published in January

Filed under: Announcement — Didier Stevens @ 11:00

Here is an overview of content I published in January:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Tuesday 28 January 2020

etl2pcapng: Support For Process IDs

Filed under: Forensics,Networking — Didier Stevens @ 0:00

You can start a packet capture on a vanilla Windows machine with command “netsh trace start capture=yes” (and end it with “netsh trace stop”).

This packet capture file, with extension .etl, cannot be opened with Wireshark. Until recently, I used Microsoft’s Message Analyzer, but this tool is no longer supported and installation files have been removed from Microsoft’s site.

In comes etl2pcapng, a new open-source utility from Microsoft that converts an .etl file to .pcapng format:

“Utility that converts an .etl file containing a Windows network packet capture into .pcapng format”.

I contributed to version 1.3.0 of etl2pcapng, by adding a comment containing the Process ID to each packet. etl files contain metadata (like the PID of the process associated with the network traffic) that got lost when translating to pcapng format. As the pcapng format has no option to store the PID for each packet, but it supports packet comments, I stored the PID inside packet comments:

Notice this warning by Microsoft:

The output pcapng file will have a comment on each packet indicating the PID of the current process when the packet was logged. WARNING: this is frequently not the same as the actual PID of the process which caused the packet to be sent or to which the packet was delivered, since the packet capture provider often runs in a DPC (which runs in an arbitrary process). The user should keep this in mind when using the PID information.

Monday 27 January 2020

Update: hash.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

In this new version of hash.py, a tool to calculate hashes, I add “hash” checksum8.

Checksum8 calculates the sum of all bytes contained in the provided file(s), where each byte is interpreted as an unsigned, 8-bit integer.

I recently had to validate that the path of a URL was a “valid” Meterpreter identifier. When the least significant byte of the 8-bit checksum of the path is equal to 92 (0x5C), then we have a valid URL for a Windows Meterpreter stager.

Take this URL: http://127.0.0.1/RVdP. Could this be a “Windows Meterpreter” URL? Let’s calculate the checksum of RVdP:

The 8-bit checksum of RVdP is 0x015C. The least significant byte is 0x5C, or 92: this matches URI_CHECKSUM_INITW, i.e. this could indeed be a URL used by a reverse http Meterpreter payload.
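The checksum8 calculation and the Meterpreter URI check from this post, as an added example (not hash.py's own code) that also runs the check over a few constructed proxy-log lines so candidate URLs can be flagged for review. The value 92 is the one given in the post; the log format is a constructed assumption.

```python
# Added example, not code from hash.py. The constant comes from the post above;
# the log line layout below is constructed for this example.
from urllib.parse import urlsplit

URI_CHECKSUM_INITW = 92   # 0x5C, the Windows Meterpreter stager marker named in the post

def checksum8(data: bytes) -> int:
    """Sum of all bytes, each taken as an unsigned 8-bit integer (not truncated)."""
    return sum(data)

def is_meterpreter_initw_path(url: str) -> bool:
    """True when the low byte of checksum8 of the URL path (without the leading
    slash) equals URI_CHECKSUM_INITW. Note that about 1 in 256 random paths
    matches by chance, so this is a triage hint, not proof of a stager."""
    path = urlsplit(url).path.lstrip('/')
    if not path:
        return False
    return (checksum8(path.encode('ascii', 'replace')) & 0xFF) == URI_CHECKSUM_INITW

def flag_candidate_urls(log_lines):
    """Return the URLs in the given log lines whose path matches the check."""
    flagged = []
    for line in log_lines:
        for token in line.split():
            if token.startswith(('http://', 'https://')) and is_meterpreter_initw_path(token):
                flagged.append(token)
    return flagged

# Constructed sample log lines: timestamp, client, method, URL, status.
SAMPLE_LOG = [
    '2020-01-27 10:00:01 10.0.0.5 GET http://127.0.0.1/RVdP 200',
    '2020-01-27 10:00:02 10.0.0.5 GET http://example.invalid/index.html 200',
]

if __name__ == '__main__':
    print(hex(checksum8(b'RVdP')))          # 0x15c
    print(flag_candidate_urls(SAMPLE_LOG))  # ['http://127.0.0.1/RVdP']
```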

Besides this new feature, hash.py comes with other features like “pack expressions” and various bug fixes.

hash_V0_0_8.zip (https)
MD5: 03F928332874447F6198A9FDE46E3AA7
SHA256: 80C493639CA7160D1455FABA38A2A04556240326D4BA78B8207CA8FF8B09E1B2

Sunday 26 January 2020

Update: format-bytes.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 0:00

As announced in my previous blog post, this new version of format-bytes.py adds a pack expression (#p#) and other features and (Python 3) bug fixes.

A pack expression is another “here filename”, like #h# for hexadecimal data (which now accepts spaces too).

When format-bytes.py is given a filename as argument, the content of that file is read and processed.

File arguments that start with character # have special meaning. These are not processed as actual files on disk (except when option --literalfilenames is used), but as file arguments that specify how to “generate” the file content. Generating the file content with a # file argument means that the file content is not read from disk, but generated in memory based on the characteristics provided via the file argument. For example, file argument #ABCDE specifies a file containing exactly 5 bytes: ASCII characters A, B, C, D and E.

File arguments that start with #p# are a notational convention to pack a Python expression to generate data (using Python module struct): a “pack expression”.
The string after #p# must contain 2 expressions separated by a # character, like #p#I#123456.
The first expression (I in this example) is the format string for the Python struct.pack function, and the second expression (123456 in this example) is a Python expression that needs to be packed by struct.pack.
In this example, format string I represents an unsigned, 32-bit, little-endian integer, and thus #p#I#123456 generates byte sequence 40E20100 (hexadecimal).
Remark that the Python expression is evaluated with Python’s eval function: this can be abused to achieve arbitrary code execution. Don’t use this in a situation where you have no control over arguments.

I introduced “pack expressions” because I had an IPv4 number represented as a decimal integer, and I needed the dotted quad representation. format-bytes.py will represent 4 bytes as a dotted quad, but I still had to convert a decimal integer to 4 bytes. Hence the introduction of pack expressions (#p#).

For example, number 3232235786 is IPv4 address 192.168.1.10.

Pack expression #p#>I#3232235786 converts number 3232235786 to 4 bytes: >I is the struct format specifier for a big-endian, unsigned 32-bit integer. Remark that I enclose this pack expression in double-quotes (“), as most shells will interpret character > as file redirection if not escaped.
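A parser for the #p#format#expression convention described above, as an added example that is not the code of format-bytes.py or cut-bytes.py. One deliberate difference: the expression is evaluated with ast.literal_eval rather than eval, so only Python literals are accepted and the arbitrary-code-execution caveat from the post does not apply; the function names are assumptions.

```python
# Added example, not code from format-bytes.py/cut-bytes.py.
import ast
import struct

def pack_expression(argument: str) -> bytes:
    """Turn a '#p#fmt#expr' file argument into the bytes it generates.
    fmt is a struct.pack format string; expr must be a Python literal
    (an int, or a tuple when fmt packs several values)."""
    if not argument.startswith('#p#'):
        raise ValueError('not a pack expression: %r' % argument)
    fmt, sep, expr = argument[3:].partition('#')
    if not sep or not fmt:
        raise ValueError('pack expression needs format#expression: %r' % argument)
    try:
        value = ast.literal_eval(expr)      # literals only, unlike eval()
    except (ValueError, SyntaxError) as e:
        raise ValueError('expression is not a literal: %r' % expr) from e
    values = value if isinstance(value, tuple) else (value,)
    return struct.pack(fmt, *values)

def dotted_quad(data: bytes) -> str:
    """Render exactly 4 bytes as an IPv4 dotted quad."""
    if len(data) != 4:
        raise ValueError('need exactly 4 bytes, got %d' % len(data))
    return '.'.join(str(b) for b in data)

if __name__ == '__main__':
    # The post's first example, with the byte order made explicit (<).
    print(pack_expression('#p#<I#123456').hex())          # 40e20100
    ip = pack_expression('#p#>I#3232235786')              # big-endian, as in the post
    print(ip.hex(), dotted_quad(ip))                      # c0a8010a 192.168.1.10
```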

Because of CVE-2020-0601, I also introduced Object Identifier aka OID (DER) decoding. In DER encoding, an OID starts with tag byte 6 (ignoring the class and constructed flag bits), followed by one byte giving the length of the bytes representing the OID.

Hexadecimal sequence “06 07 2a 86 48 ce 3d 01 01” is the DER value for OID 1.2.840.10045.1.1.
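A decoder for the DER OID layout just described (tag byte, one short-form length byte, then base-128 subidentifiers), as an added example that is not format-bytes.py's own code. It goes slightly beyond the post by also checking for a truncated value and for a subidentifier cut off mid-way; the function name is an assumption.

```python
# Added example, not code from format-bytes.py.

def decode_der_oid(data: bytes) -> str:
    """Return the dotted-decimal OID for a DER OBJECT IDENTIFIER TLV."""
    if len(data) < 3 or data[0] != 0x06:
        raise ValueError('not a DER OID: expected tag byte 0x06')
    length = data[1]
    if length & 0x80:
        raise ValueError('long-form length is not handled in this example')
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError('truncated OID: declared %d bytes, got %d' % (length, len(body)))
    # Each subidentifier is base 128, 7 bits per byte, high bit set on all
    # but the last byte.
    subids, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending:
        raise ValueError('OID ends in the middle of a subidentifier')
    # The first subidentifier packs the first two arcs as 40 * X + Y.
    first = subids[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return '.'.join(str(a) for a in arcs + subids[1:])

if __name__ == '__main__':
    # The post's example value.
    print(decode_der_oid(bytes.fromhex('06 07 2a 86 48 ce 3d 01 01')))  # 1.2.840.10045.1.1
```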

I also added support for environment variable DSS_DEFAULT_HASH_ALGORITHMS to let you choose your favorite hashing algorithm, in case it is no longer MD5 🙂 .

And last, some (Python 3) bug fixes.


format-bytes_V0_0_11.zip (https)
MD5: D73D5FA410F882F03176CF5FD3E0D90A
SHA256: 34B37CA4E45E4EF0F36F5460CAD429343C0AE993297C104AA8A29C2EE4E7904F

Saturday 25 January 2020

Update: cut-bytes.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 21:59

Some bug fixes and new features (pack expression #p# and spaces allowed for #h#), to be covered in more detail in the next blog post on format-bytes.py.

cut-bytes_V0_0_11.zip (https)
MD5: 51F90BBBDE845DEC3EAB94FD30AFCF9B
SHA256: C805CBD23E09D80EB2AF39F8F940CC9188EF7F6B27197D018DA95093AC5D0932
