Didier Stevens

Monday 19 November 2018

Quickpost: Compiling 32-bit Static ELF Files on Kali

Filed under: Quickpost — Didier Stevens @ 0:00

Here I compile EICARgen on Kali Linux to a 32-bit, statically linked Linux executable.

gcc’s option -m32 creates a 32-bit executable on 64-bit Linux.

If you get this error:

then one way to solve it is by installing libc6-dev-i386 (apt install libc6-dev-i386):

Then option -m32 can be used to create a 32-bit executable:

This executable will not run on 64-bit system that don’t have the libraries we just installed. A work-around is to statically link the ELF file with option -static:

 


Quickpost info


Wednesday 14 November 2018

Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc — Didier Stevens @ 0:00

I produced a video for my blog post “Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt“:

Monday 12 November 2018

Update: cut-bytes.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

cut-bytes.py is a tool I use to select (cut) a sequence of bytes out of a file, using a cut-expression. This expression specifies the start of the sequence and the end of the sequence.

In this example, I use a cut-expression to find the first occurrence of MZ (i.e. [‘MZ’]) and select 8 bytes (8l) starting at the position of that occurrence (-a is ASCII dump):

I realized that with a few changes, I could add a binary grep feature to cut-bytes. Option -g activates this binary grep:

In stead of one occurrence (the first), with option -g, all occurrences are selected.

JSON output is now also available with option –jsonoutput:

This JSON output contains all the selected byte sequences (BASE64 encoded and with metadata), and it can be piped into tools that accept this format, like file-magic.py:

file-magic will then identify each byte sequence. As you can guess, I’m looking for PE files embedded in file update.bin. But the byte sequences are too short (8 bytes) for file-magic.py to properly identify file types. By increasing the length to 512 bytes, file-magic.py has enough data to locate 2 PE files (a 32-bit DLL and a 64-bit DLL) inside update.bin:

Option -G is identical to -g, except that the selected byte sequences will not overlap.

And I also added a “run length encoded” ASCII dump (-A). If 2 or more consecutive output lines are identical, the duplicates are suppressed:

cut-bytes_V0_0_8.zip (https)
MD5: 1A69542E7E9D7348101B7E91884674B7
SHA256: 15BC253323FF162F26BEF784172A502383970E63514DF6B88A09952A19DAE826

Wednesday 7 November 2018

Update: hash.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds CSV output via option -C:

hash_V0_0_6.zip (https)
MD5: DE0AC3F7809E55E1577EB049A5F34EDF
SHA256: D66FF1D5173E3DDAFC842087B9E4E8447C18EF0AA8C03E02A365E3F9028BA8D9

Monday 5 November 2018

Quickpost: Using pcapy with Npcap on Windows

Filed under: Quickpost — Didier Stevens @ 0:00

I installed pcapy on a Windows machine, but importing in Python failed due to a missing DLL.

Process Monitor showed me what was missing: wpcap.dll, a WinPcap DLL:

The DLL was missing because I had installed Npcap (an alternative for WinPcap, that provides loopback packet capture).

This problem can be fixed by setting a toggle to install a WinPcap compatible API (e.g. wpcap.dll) during installation:


Quickpost info


Friday 2 November 2018

Overview of Content Published in October

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in October:

Blog posts:

SANS ISC Diary entries:

Tuesday 30 October 2018

Update: format-bytes.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

When using option -f to specify struct members, you can now also use new option -n (annotations) to annotate members.

Like in this example:

format-bytes_V0_0_6.zip (https)
MD5: D73C88AB15B8AE3B30BA2C5EBE8CC77E
SHA256: 3FB480B52F5BF535A54B66CABBD853666B3E306EFAE4BD9247B45255F223E0B6

Sunday 28 October 2018

Update: file-magic.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

I added a new option to file-magic.py to limit identification to the custom definitions: -C.

file-magic_V0_0_4.zip (https)
MD5: CCF170F09B1442D27AE6519A0BB0CBAB
SHA256: F240BAEE78C8AE4DB29724D8A8F2A5DEDEFE47570219D700FB3BB9A6707432BB

Saturday 27 October 2018

Update: file-magic.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

This is an update with a custom definition to recognize compressed RTF.

file-magic_V0_0_3.zip (https)
MD5: C46EBA4BC6BC63E097A86E30E6DE5432
SHA256: 3F3012B06182925C1A42678977089184B9C97C37CD025F9D71757B4227E7BE09

Thursday 25 October 2018

Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc,My Software — Didier Stevens @ 0:00

VBA macros inside a PowerPoint document are not stored directly inside streams, but as records in the “PowerPoint Document” stream. I have a plugin to parse the records of the “PowerPoint Document” stream, but I failed to extract the embedded, compressed OLE file with the macros. Until a recent tweet by @AngeAlbertini brought this up again. On his sample too I failed to extract the compressed OLE file, but then I remembered I had fixed a problem with zlib extraction in pdf-parser.py. Taking this code into plugin_ppt.py fixed the decompression problems.

VBA macros in a PowerPoint document do not appear directly in streams:

Plugin plugin_ppt parses records found in stream “PowerPoint Document”:

Each line represents a record, prefixed by an index generated by the plugin (to easily reference records). Records with a C indicator (like 1 and 435) contain sub-records. Records prefixed with ! contain an embedded object.

Record 441 (RT_ExternalOleObjectStg) interests us because it contains an OLE file with VBA macros.

Plugin option -s can be used to select this record:

Plugin option -a can then be used to do an hex/ascii dump:

The first four bytes are the size, and then follows the zlib compressed OLE file (as indicated by 0x78).

This OLE file can be decompressed and extracted with option -e, but pay attention to use option -q (quiet) so that oledump will only report the output of the plugin, and nothing else. This can then be piped into a second instance of oledump:

And now we can extract the VBA macros:

oledump_V0_0_38.zip (https)
MD5: C1D7F71A390497A516F67D798BA25128
SHA256: 4CADEE69D024E9242CDA0CE3A9C22BCB1CAFF9D5BA2D946519C6B7C18F895B81

Next Page »

Blog at WordPress.com.