Didier Stevens

Monday 17 September 2018

Quickpost: Compiling EXEs and Resources with MinGW on Kali

Filed under: Quickpost — Didier Stevens @ 0:00

To compile a Windows executable with version information and an icon on Kali, we use MinGW again.

The version information and icon (demo.ico) we want to use are defined in a resource file (demo.rc):

#include "winver.h"

#define IDI_ICON1                       101

// Version

#define VER_FILEVERSION             0,0,0,1
#define VER_FILEVERSION_STR         "\0"

#define VER_PRODUCTVERSION          0,0,0,1
#define VER_PRODUCTVERSION_STR      "\0"

#ifndef DEBUG
#define VER_DEBUG                   0
#define VER_DEBUG                   VS_FF_DEBUG

    BLOCK "StringFileInfo"
        BLOCK "040904E4"
            VALUE "CompanyName", "example.com"
            VALUE "FileDescription", "demo"
            VALUE "FileVersion", VER_FILEVERSION_STR
            VALUE "InternalName", "demo.exe"
            VALUE "LegalCopyright", "Public domain"
            VALUE "OriginalFilename", "demo.exe"
            VALUE "ProductName", "demo"
            VALUE "ProductVersion", VER_PRODUCTVERSION_STR
    BLOCK "VarFileInfo"
        VALUE "Translation", 0x409, 1252

// Icon

// Icon with lowest ID value placed first to ensure application icon
// remains consistent on all systems.
IDI_ICON1               ICON                    "demo.ico"

More info on the VERSIONINFO resource can be found here.
We use the resource compiler windres, and then the gcc compiler.

Compile for 64-bit:

x86_64-w64-mingw32-windres demo.rc demo-resource-x64.o
x86_64-w64-mingw32-gcc -o demo-x64.exe demo-resource-x64.o demo.c

Compile for 32-bit:

i686-w64-mingw32-windres demo.rc demo-resource-x86.o
i686-w64-mingw32-gcc -o demo-x86.exe demo-resource-x86.o demo.c


DemoResource_V_0_0_0_1.zip (https)
MD5: 9104DDC70264A9C2397258F292CC8FE4
SHA256: 722B3B52BAE6C675852A4AC728C08DBEEF4EC9C96F81229EF36E30FB54DC49DE

Quickpost info

Tuesday 11 September 2018

WiFi Pineapple NANO: Persistent Recon DB

Filed under: WiFi — Didier Stevens @ 0:00

The WiFi Pineapple’s recon DB (recon.db) is volatile, because it is stored (by default) in the /tmp folder.

I store my recon.db on the SD card to make it persistent (survives a reboot).

First the SD card has to be formatted:

Then the “Scans Location” field can be changed from /tmp/ to /sd/:

recon.db is an SQLite database, that can be browsed with tools like sqlitebrowser:

Monday 10 September 2018

Firmware Upgrade: WiFi Pineapple NANO

Filed under: WiFi — Didier Stevens @ 0:00

This is mainly a reminder for myself, as I don’t often update my WiFi Pineapple NANO.

Updating the NANO performs a reset.

I connect my NANO via a USB cable to my laptop. The USB cable allows me to flip the NANO to access the reset button.

I login via HTTPS port 1471

I connect the NANO to a WiFi access point:

Once connected, I can check for upgrades:

And then perform the upgrade:

This will take several minutes, after the upgrade is performed, this dialog will appear:

From here on, the NANO has to be setup again:

I press the reset button quickly to perform a setup with WiFi disabled.

And configure the NANO, just like for first use:

I select France for Radio Country Code, because Belgium is not an option:

At this point, the setup is not yet complete for me.

I store the recon.db on an sd card, so this has to be configured:

And I also install modules:

That I install on the SD card:

Once installed, some modules need dependencies to be installed too:


Wednesday 5 September 2018

Overview of Content Published in August

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in August:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog:

Tuesday 28 August 2018

Quickpost: Compiling DLLs with MinGW on Windows

Filed under: Quickpost — Didier Stevens @ 0:00

MinGW is not only available on Kali, of course, but also on Windows. Compiling a DLL is very similar.

MinGW is installed in folder C:\msys64 on my machine.


To compile 64-bit executables, you need to start the 64-bit shell first: launch C:\msys64\mingw64.exe

Then you can compile the DLL:

gcc -shared -o DemoDll-x64.dll DemoDll.cpp

For 32-bit executables, it’s the 32-bit shell: launch C:\msys64\mingw32.exe

Then you can compile the DLL:

gcc -shared -o DemoDll-x86.dll DemoDll.cpp


It’s also possible to start the shell and compile from a BAT file:

call C:\msys64\msys2_shell.cmd -mingw64 -here -c "gcc -shared -o DemoDll-x64.dll DemoDll.cpp"
call C:\msys64\msys2_shell.cmd -mingw32 -here -c "gcc -shared -o DemoDll-x86.dll DemoDll.cpp"



Quickpost info

Saturday 25 August 2018

Update: numbers-to-string.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 16:34

This new version of numbers-to-string.py has a new option: -S (–statistics).

Statistics can help identifying malicious scripts (text files in general)  with numbers:

numbers-to-string_v0_0_5.zip (https)
MD5: 02119AFAC1942A3C97B8E554C03B2DB6
SHA256: 36A5C346063C93B45C50ACF82C317379496A815F166E25F969168DDAB561F92D

Monday 20 August 2018

Obtaining Malware Samples for Analysis

Filed under: Announcement,Malware — Didier Stevens @ 0:00

In my malware analysis blog posts and videos, I always try to include the hash or VirusTotal link of the sample(s) I analyze. If I don’t, it means I’m not at liberty to share the hash.

For every video that I post on YouTube, I create a corresponding video blog post (https://videos.DidierStevens.com) with more info like the sample’s hash and a link to VirusTotal.

In the description of the YouTube video, you will find a link to the video blog post.


I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find other hashes like sha256 in that report.

Regarding MD5: I don’t worry about hash collisions for malware samples. Actually, if there is an MD5 hash collision, VirusTotal will inform me, and that would make my day 🙂 .

Don’t ask me for the malware samples I analyze, I don’t host or send these malware samples. If you or your organization have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal.

If you don’t, there are several free repositories online (sometimes they require free registration). Lenny Zeltser has a list of repositories.



Saturday 18 August 2018

Quickpost: Revisiting JA3

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A year ago I tried out JA3. Time for a new test.

This new version no longer crashes on some packets, it’s more stable. However, there’s a bug when producing json output, which is easy to fix.

The JA3 Python program no longer matches TLS fingerprints: it produces a list of data (including fingerprint) for each client Hello packet.

Running this new version on the same pcap file as a year ago (and extracting the fingerprints) yields exactly the same result: 445 unique fingerprints, 7588 in total.

I have more matches this time when matching with the latest version of ja3fingerprint.json: 75 matches compared to 24 a year ago.

Notice that Shodan is one of the matched fingerprints.

Let’s take a closer look:

I’m looking for connections with fingerprint digest 0b63812a99e66c82a20d30c3b9ba6e06: is indeed Shodan:

Name: sky.census.shodan.io

Quickpost info

Tuesday 14 August 2018

Update: format-bytes Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version has many new features and options.

First there is the remainder (*) when using option -f to specify a parsing format.

For example, -f “<i25s” directs format-bytes to interpret the provided data as a little-endian integer followed by a 25-byte long string:

With the remainder (-f “<i25s*”), format-bytes will provide info for the remaining bytes (if any) after parsing (e.g. after the 25-byte long string):

Options -c and -s changed ito -C and -S, so that option -s can be used to select items (to be consistent across my tools).

Option -s can be used to select an item, like a string, to be dumped (options -a, -x and -d). If no dump option is provided, an hex-ascii dump (-a) is the default.

And option –jsoninput can be used to process JSON output produced by oledump.py or zipdump.py, for example.


format-bytes_V0_0_5.zip (https)
SHA256: AD43756F69C8C2ABF0F5778BC466AD480630727FA7B03A6D4DEC80743549845A

Monday 13 August 2018

Update: oledump.py Version 0.0.37

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds option –vbadecompressskipattributes to decompress VBA code while skipping the initial attribute definitions (those that are hidden in the MS Office VBA Editor).

Here is an example of output with option -v you are familiar with:

When replacing option -v with option –vbadecompressskipattributes, the initial attributes are no longer displayed:

These attributes are actually hidden in the MS Office VBA Editor:

I added this option because lately, I’ve analyzed several samples where I had to extract all strings for further decoding, and the strings in the attribute definitions were interfering with the decoding. With this new options, I can prevent these strings from appearing in the output.


plugin_msg.py was updated to version 0.0.3 to include plugin option -k, to display only known MSG streams.


oledump_V0_0_37.zip (https)
MD5: BBC2F3B57266B557307E12E8BC950F98
SHA256: 573C73110CA35EE6451FD14EE7B7DCA3B53FF624ECCFF824799DA59F7767DA68

Next Page »

Blog at WordPress.com.