This new version of pdf-parser is a bugfix for /FLATEDECODE.
Monday 28 November 2016
Sunday 27 November 2016
This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.
Tuesday 22 November 2016
When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.
The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.
Monday 21 November 2016
This new version supports different encodings besides base64 (but the name remains base64dump).
The new encodings are hexadecimal (hex), backslash-u escaped unicode such as \u9090 (bu) and percent-u escaped unicode such as %u9090 (pu).
The shellcode, escaped with %u, can be extracted with base64dump:
There’s also a new option to do a string dump: -S
And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.
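The following is an added example, not code from base64dump or from the original post, showing what the four encodings look like on the wire and how each decodes to the same bytes, plus the unique-byte count described above. The regular expressions, the minimum run lengths and the sample text are this example's own assumptions; the sample is constructed and not taken from a real document. The one thing worth remembering is the byte order of the 16-bit escapes: unescape("%uc031") lands in memory as the bytes 31 c0, so a %u or \u unit is decoded little-endian.

```python
import base64
import binascii
import re

# Runs of each encoding. These patterns and minimum lengths are assumptions of
# this example, not the ones base64dump uses.
RE_BASE64 = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
RE_HEX = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")
RE_PU = re.compile(r"(?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}){4,}")
RE_BU = re.compile(r"(?:\\u[0-9A-Fa-f]{4}|\\x[0-9A-Fa-f]{2}){4,}")

# One escape unit: group 1 is a 16-bit unit (%u9090), group 2 a single byte (%41).
UNIT_PU = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
UNIT_BU = re.compile(r"\\u([0-9A-Fa-f]{4})|\\x([0-9A-Fa-f]{2})")


def decode_units(run, unit_re):
    """Decode %u / \\u style escapes. A 16-bit unit is emitted little-endian,
    the way unescape() lays it out in memory: %uc031 -> 31 c0. A single-byte
    unit (%41, \\x41) is emitted as that byte."""
    out = bytearray()
    for m in unit_re.finditer(run):
        if m.group(1) is not None:
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)


def decode_base64(run):
    """Decode a base64 run, repairing missing padding but rejecting a run
    whose length mod 4 is 1 (no valid base64 string has that length)."""
    body = run.rstrip("=")
    if len(body) % 4 == 1:
        raise ValueError("impossible base64 length")
    return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)


ENCODINGS = {
    "base64": (RE_BASE64, decode_base64),
    "hex": (RE_HEX, binascii.unhexlify),
    "pu": (RE_PU, lambda run: decode_units(run, UNIT_PU)),
    "bu": (RE_BU, lambda run: decode_units(run, UNIT_BU)),
}


def find_encoded(text, min_size=8):
    """Scan text for encoded runs and return (encoding, offset, decoded bytes)
    for each run that decodes to at least min_size bytes. Every candidate is
    reported: a long hex string is also a syntactically valid base64 string,
    so expect false positives and inspect the decoded bytes before trusting
    them."""
    found = []
    for name, (run_re, decoder) in ENCODINGS.items():
        for m in run_re.finditer(text):
            try:
                data = decoder(m.group(0))
            except (binascii.Error, ValueError):
                continue
            if len(data) >= min_size:
                found.append((name, m.start(), data))
    return found


def unique_bytes(data):
    """Number of distinct byte values. Base64 text uses at most 65 distinct
    values (the alphabet plus '='), hex text at most 22, so a low count on
    something that should be shellcode or a PE file means you are still
    looking at an encoding layer, not at the payload."""
    return len(set(data))


# Constructed sample (not from the original post): the 12 bytes
# 90 90 90 90 31 c0 e8 00 00 00 00 c3 in each of the four encodings.
SHELLCODE = bytes.fromhex("9090909031c0e800000000c3")
SAMPLE_TEXT = r'''
var sc = unescape("%u9090%u9090%uc031%u00e8%u0000%uc300");
Dim js: js = "\u9090\u9090\uc031\u00e8\u0000\uc300"
h = "9090909031c0e800000000c3"
b = "kJCQkDHA6AAAAADD"
'''

if __name__ == "__main__":
    for name, offset, data in find_encoded(SAMPLE_TEXT):
        print("%-6s @%4d %3d bytes %2d unique  %s" % (
            name, offset, len(data), unique_bytes(data), data[:12].hex()))
```

Running it lists the four true hits plus one false positive: the hex string is reported a second time as base64, which is exactly why the decoded bytes and their unique-byte count are worth a look before anything is fed to a disassembler.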
Sunday 20 November 2016
A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.
Saturday 19 November 2016
A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.
Friday 18 November 2016
shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has one new option:
Option --suffix allows you to instruct the program to add a suffix to the VBA function names.
Thursday 17 November 2016
Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.
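As an added example (not the original post's own method, which used the Windows command line), the same mark can be set and read back from Python: the Zone.Identifier alternate data stream is opened by appending ":Zone.Identifier" to the file name, and its content is the INI-style text below with ZoneId=3 for the Internet zone. The ReferrerUrl and HostUrl fields are optional; the sample file and URL are constructed for the demo.

```python
import os
import tempfile

# URL security zone ids; 3 (Internet) is the one that makes Office open the
# file in Protected View and makes SmartScreen prompt.
ZONE_LOCAL_MACHINE, ZONE_INTRANET, ZONE_TRUSTED, ZONE_INTERNET, ZONE_RESTRICTED = range(5)

STREAM = ":Zone.Identifier"


def zone_identifier_content(zone_id=ZONE_INTERNET, referrer_url=None, host_url=None):
    """Build the text stored in the Zone.Identifier stream. ReferrerUrl and
    HostUrl are the optional fields browsers add; lines end in CRLF as
    Windows writes them."""
    lines = ["[ZoneTransfer]", "ZoneId=%d" % zone_id]
    if referrer_url:
        lines.append("ReferrerUrl=" + referrer_url)
    if host_url:
        lines.append("HostUrl=" + host_url)
    return "\r\n".join(lines) + "\r\n"


def mark_of_the_web(path, zone_id=ZONE_INTERNET, **urls):
    """Write the Zone.Identifier stream of an existing file. On NTFS,
    opening "<path>:Zone.Identifier" opens the alternate data stream; on
    other file systems (e.g. when this example runs on Linux) the same name
    is simply a separate regular file. newline="" keeps Python from turning
    the CRLFs into CR CR LF on Windows."""
    with open(path + STREAM, "w", newline="") as stream:
        stream.write(zone_identifier_content(zone_id, **urls))


def read_zone_id(path):
    """Return the ZoneId recorded for path, or None if there is no mark."""
    try:
        with open(path + STREAM, "r", newline="") as stream:
            text = stream.read()
    except FileNotFoundError:
        return None
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "zoneid":
            try:
                return int(value.strip())
            except ValueError:
                return None
    return None


def demo():
    """Round trip on a throwaway file; returns the zone id read back."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "sample.exe")
    with open(sample, "wb") as f:
        f.write(b"MZ")  # constructed placeholder content, not a real PE
    mark_of_the_web(sample, ZONE_INTERNET, host_url="http://example.com/sample.exe")
    return read_zone_id(sample)


if __name__ == "__main__":
    print("ZoneId read back:", demo())
```

The reverse direction is the forensic one: read_zone_id on a file found in a user's download folder tells you whether the application that wrote it bothered to mark it, which is what Protected View and SmartScreen decide on.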
Monday 14 November 2016
Here is an overview of content I published in October:
- rtfdump Videos
- Analyzing Office Maldocs With Decoder.xls
- Update: oledump.py Version 0.0.25
- Update: cut-bytes.py Version 0.0.4
- Update: virustotal-search.py Version 0.1.4
- rtfdump: intro
- rtfdump: MS12-027 Maldoc
- rtfdump: MS10-087 Maldoc
- oledump xor kpa
- ntds.dit: Mimikatz Golden Ticket & DCSync
- Visual Studio 2013 & OpenSSL
- Visual Studio 2013 & MFC
- Maldoc: numbers-to-string.py
- Training: Attacking with Excel
- Malware: Process Explorer & Procmon
- Malware: FakeNet-NG
- Maldoc VBA: .pub File
- Maldoc VBA: decoder.xls
- Maldoc VBA: Shellcode
- Maldoc VBA: Decoding With Excel
SANS ISC Diary entries:
Wednesday 2 November 2016
Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.
This maldoc uses VBA macros (no surprise) to execute its payload.
The encoded shellcode is a property in stream 17:
The shellcode uses Win32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.
The explorer.exe process is created in a suspended state, the code for explorer.exe is unmapped, the code for the payload is written in its place, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting that decides on the on-disk image: the process is started from explorer.exe, a whitelisted PE file, and only its code in memory is replaced.
The payload is a PE file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE file is encoded with base64, with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:
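The following is an added example (not decode-search.py's code) of the detection-and-extraction idea: locate the STARFALL marker, base64-decode what follows, apply the byte-wise steps, and accept the result only if it has a valid PE header. The post does not say whether the XOR or the subtraction is undone first, so this example tries both orders and keeps the one that yields a PE; that, the marker scanning logic and the fake PE used as sample input are all assumptions of the example. The sample stream is constructed and contains no real malware.

```python
import base64
import re
import struct

MARKER = b"STARFALL"


def apply_chain(data, ops):
    """Apply byte-wise decoding steps in order. Each op is ("xor", k),
    ("sub", k) or ("add", k); arithmetic is mod 256."""
    out = bytearray(data)
    for name, k in ops:
        if name == "xor":
            out = bytearray(b ^ k for b in out)
        elif name == "sub":
            out = bytearray((b - k) & 0xFF for b in out)
        elif name == "add":
            out = bytearray((b + k) & 0xFF for b in out)
        else:
            raise ValueError("unknown op %r" % name)
    return bytes(out)


def is_pe(data):
    """Cheap PE check: 'MZ' at offset 0 and e_lfanew (offset 0x3c) pointing
    at the 'PE\\0\\0' signature. Enough to tell a decoded PE from garbage."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Assumption: the post gives XOR 15 and subtract 3 but not which is undone
# first when decoding, so both orders are tried.
CANDIDATE_CHAINS = [
    [("xor", 15), ("sub", 3)],
    [("sub", 3), ("xor", 15)],
]


def extract_payload(stream, chains=CANDIDATE_CHAINS):
    """Find the marker, base64-decode the run after it and try each chain.
    Returns (chain, pe_bytes), or (None, None) if nothing decodes to a PE."""
    pos = stream.find(MARKER)
    if pos < 0:
        return None, None
    m = re.match(rb"[A-Za-z0-9+/=]+", stream[pos + len(MARKER):])
    if not m:
        return None, None
    try:
        blob = base64.b64decode(m.group(0))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, None
    for chain in chains:
        candidate = apply_chain(blob, chain)
        if is_pe(candidate):
            return chain, candidate
    return None, None


def build_fake_pe(size=0x80):
    """Constructed stand-in for a PE file: a DOS header whose e_lfanew points
    at a PE signature, then filler. Not a runnable executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)   # 0x3c bytes of DOS header
    hdr += struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    hdr += b"PE\x00\x00"
    hdr += bytes(range(size - len(hdr)))      # filler with varied byte values
    return bytes(hdr)


FAKE_PE = build_fake_pe()
# Encode with the inverse of the first chain (add 3, then XOR 15), then base64,
# and bury it in a constructed stream with some bytes before and after.
ENCODED = base64.b64encode(apply_chain(FAKE_PE, [("add", 3), ("xor", 15)]))
SAMPLE_STREAM = b"\x00" * 16 + b"property text\x00" + MARKER + ENCODED + b"\x00" * 8

if __name__ == "__main__":
    chain, pe = extract_payload(SAMPLE_STREAM)
    print("chain:", chain, "PE header valid:", is_pe(pe), "size:", len(pe))
```

Checking the PE header after each candidate chain is what turns a guess about the encoding into a detection: a wrong order of the two steps produces bytes that never pass is_pe, so only the correct decoding is reported.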
This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.
This exe tries to download a payload from 3 URLs: