Years ago I released a tool to create a Windows process with selected parent process: SelectMyParent.
You can not blindly trust parent-child process relations in Windows: the parent of a process can be different from the process that created that process.
Here I start selectmyparent from cmd.exe to launch notepad.exe with parent explorer.exe (PID 328):
Process Explorer reports explorer.exe as the parent (and not selectmyparent.exe):
Process Monitor also reports explorer.exe as the parent:
If we look in the call stack of the process creation of notepad.exe, we see 2 frames (6 and 7) with unknown modules:
We should see entries in the call stack for explorer.exe if notepad.exe was started by explorer.exe, but we don’t.
The <unknown> module is actually selectmyparent.exe.
0x11b1461 is the address of the instruction after the call to _main in ___tmainCRTStartup in selectmyparent.exe.
0x11b12a8 is the address of the instruction after the call to CreateProcessW in _main in selectmyparent.exe.
System Monitor also reports explorer.exe as the parent:
Finally, Volatility’s pstree command also reports explorer.exe as the parent:
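A check in the spirit of the call-stack inspection above, as an added example that is not part of SelectMyParent or the original post: it resolves the <unknown> return addresses against the creating process's module list and reports whether any frame actually belongs to the claimed parent. The module ranges and the ntdll/kernel32 frame addresses are constructed; the two unknown-frame addresses are the ones quoted above.

```python
# Constructed: modules loaded in the creating process, as (name, base, size).
# Bases and sizes are hypothetical, chosen so the unknown frames fall in
# selectmyparent.exe as the post explains.
MODULES = [
    ("ntdll.dll", 0x77000000, 0x180000),
    ("kernel32.dll", 0x76800000, 0x100000),
    ("selectmyparent.exe", 0x11B0000, 0x10000),
]

# Constructed call stack of the CreateProcess call that started notepad.exe:
# (frame number, module as reported by Process Monitor, return address).
STACK = [
    (0, "ntdll.dll", 0x77002C2C),
    (5, "kernel32.dll", 0x76814B5C),
    (6, "<unknown>", 0x11B12A8),  # after the call to CreateProcessW in _main
    (7, "<unknown>", 0x11B1461),  # after the call to _main in ___tmainCRTStartup
]

def resolve(address, modules=MODULES):
    """Name the module whose range covers address, or None if no module does."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name
    return None

def check_parent(claimed_parent, stack, modules=MODULES):
    """Return (consistent, unknowns): consistent is True only when some frame
    belongs to the claimed parent's image, i.e. that image really executed
    the process creation; unknowns maps each <unknown> frame to the module
    that covers its return address."""
    parent = claimed_parent.lower()
    unknowns = {}
    consistent = False
    for frame, module, address in stack:
        if module == "<unknown>":
            module = resolve(address, modules)
            unknowns[frame] = module
        if module is not None and module.lower() == parent:
            consistent = True
    return consistent, unknowns

if __name__ == "__main__":
    ok, unknowns = check_parent("explorer.exe", STACK)
    print("call stack consistent with parent explorer.exe:", ok)
    for frame, module in unknowns.items():
        print("frame %d resolves to %s" % (frame, module))
```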
This new version of oledump.py adds some extra features for YARA rule scanning.
oledump.py declares 2 external variables that can be used in your YARA rules.
External variable streamname is a string with the stream name, as printed in oledump’s report.
External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump would only scan the raw stream content with YARA; this new version also decompresses all streams containing VBA macros, concatenates the decompressed source, and scans that after all individual streams have been scanned.
Example of a rule using external variable VBA:
rule VBA_AutoExec  // rule name chosen for this listing; see vba.yara for the shipped rule
{
    strings:
        $a = "AutoExec" nocase fullword
        $b = "AutoOpen" nocase fullword
        $c = "DocumentOpen" nocase fullword
        $d = "AutoExit" nocase fullword
        $e = "AutoClose" nocase fullword
        $f = "Document_Close" nocase fullword
        $g = "DocumentBeforeClose" nocase fullword
        $h = "Document_Open" nocase fullword
        $i = "Document_BeforeClose" nocase fullword
        $j = "Auto_Open" nocase fullword
        $k = "Workbook_Open" nocase fullword
        $l = "Workbook_Activate" nocase fullword
        $m = "Auto_Close" nocase fullword
        $n = "Workbook_Close" nocase fullword
    condition:
        VBA and any of ($*)
}
The condition of this rule is true when external variable VBA is true and at least one of the strings is found:
This rule is included in a new set of YARA rules I included with oledump.py: vba.yara.
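The VBA source that oledump hands to YARA with VBA set to true has to be decompressed first: VBA module streams are stored in the MS-OVBA compressed container format. The decompressor below is an added example (not oledump's own code) and runs on a constructed compressed chunk that expands to text the rule above matches.

```python
import struct

def decompress_vba(data):
    """Decompress an MS-OVBA compressed container, the on-disk form of VBA
    module streams, into the VBA source bytes."""
    if not data or data[0] != 0x01:
        raise ValueError("missing compressed-container signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        chunk_size = (header & 0x0FFF) + 3     # header plus chunk data, in bytes
        compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size - 2, len(data))
        if not compressed:                     # raw chunk: 4096 literal bytes
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]                  # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not flags & (1 << bit):     # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Copy token: the offset/length bit split grows with the number
                # of bytes already decoded in this chunk.
                decoded = len(out) - chunk_start
                bit_count = max((decoded - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):        # may overlap the bytes it writes
                    out.append(out[-offset])
    return bytes(out)

# Constructed container: one compressed chunk holding the literals "AutoOpen"
# followed by a copy token (offset 8, length 8) that repeats them.
SAMPLE_CONTAINER = b"\x01\x0b\xb0\x00AutoOpen\x01\x05\x70"

if __name__ == "__main__":
    print(decompress_vba(SAMPLE_CONTAINER).decode("latin-1"))  # AutoOpenAutoOpen
```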
I made a video to illustrate this:
And there is also a new plugin: plugin_str_sub. It tries to de-obfuscate strings with padded characters:
I just updated the manual of this version, to explain here documents.
It’s a tool I started years ago, and I’m releasing it now.
sets.py allows you to perform operations on sets: union, intersection, subtraction and exclusive or. A set is a list of lines in a file, or a stream of bytes in a file.
I demo the tool in this video:
A very small update to re-search.py: I added a regular expression for strings to the library:
Here is an overview of content I published in February:
SANS ISC Diary entries:
NVISO Labs blog posts:
I released a tool to analyze password history.
To extract password history from ntds.dit with ntdsxtract/dsusers.py, use option --passwordhistory.
To extract password history from ntds.dit with secretsdump.py, use option -history.
When cracking Active Directory passwords as I explained in this series of blog posts, you can also crack the password history.
The program I’m releasing now will make a report of users who “recycle” their previous passwords by using a common string.
The man page:
Usage: password-history-analysis.py [options] [[@]file ...]
Program to analyze password history
@file: process each file listed in the text file specified
wildcards are supported
Source code put in the public domain by Didier Stevens, no Copyright
Use at your own risk
--version show program's version number and exit
-h, --help show this help message and exit
-m, --man Print manual
-o OUTPUT, --output=OUTPUT
Output to file
-s SEPARATOR, --separator=SEPARATOR
Separator used in the password files (default :)
-l, --lowercase Convert usernames to lowercase
-n, --nonmatching Print lines that do not match a password entry
-L LENGTH, --length=LENGTH
Minimum length common string
This program analyzes files with password history, and reports
statistics on common strings (prefix, suffix, infix) of passwords per
The minimum length of a common string is 3 characters by default. Use
option -L to change the minimum length of the common string.
Example of input file (passwords.txt):
The first field is the username.
The second field is the number of passwords for the given username.
The third field is the largest number of passwords for the given
username with the same prefix or suffix.
The fourth field is the third field expressed as a percentage of the second field.
The fifth field is the password's common string.
The report can be written to file with option -o.
Use option -l to convert usernames to lowercase.
Option -n will not produce a report, but output all lines that do not
match a password entry. Use this to detect entries not handled by this
The separator (for input and output) is :, and can be changed with
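As an added illustration of the report described above (this is not password-history-analysis.py's code), the script below groups a history export per user and finds the substring shared by the most of that user's passwords. Its input layout, one username:password line per historical password, and its tie-breaking rules are assumptions.

```python
from collections import Counter

MIN_LENGTH = 3  # the tool's default minimum length of the common string

def substrings(password, min_length):
    """All distinct substrings of password that are at least min_length long."""
    return {password[i:j] for i in range(len(password))
            for j in range(i + min_length, len(password) + 1)}

def common_string(passwords, min_length=MIN_LENGTH):
    """(count, substring) for the substring present in the most passwords.
    Ties go to the longer, then the alphabetically first, string (an assumption);
    (0, "") when no substring of min_length occurs in at least two passwords."""
    counts = Counter()
    for pw in passwords:
        counts.update(substrings(pw, min_length))  # a set, so once per password
    best_key, best = None, (0, "")
    for s, n in counts.items():
        key = (n, len(s))
        if n >= 2 and (best_key is None or key > best_key
                       or (key == best_key and s < best[1])):
            best_key, best = key, (n, s)
    return best

def analyze(lines, separator=":", lowercase=False, min_length=MIN_LENGTH):
    """Group "username<separator>password" lines (assumed layout) per user and
    return rows (user, passwords, passwords sharing the string, percentage, string)."""
    history = {}
    for line in lines:
        if separator not in line:          # what option -n would list instead
            continue
        user, password = line.rstrip("\r\n").split(separator, 1)
        history.setdefault(user.lower() if lowercase else user, []).append(password)
    rows = []
    for user, passwords in sorted(history.items()):
        count, s = common_string(passwords, min_length)
        if count:
            percentage = round(100.0 * count / len(passwords), 2)
            rows.append((user, len(passwords), count, percentage, s))
    return rows

# Constructed sample history, not real data: "er20" is shared by all three of
# alice's passwords, bob's two passwords share nothing of 3+ characters.
SAMPLE = ["alice:Summer2019!", "alice:Summer2020!", "alice:Winter2020",
          "Bob:correcthorse", "bob:batterystaple", "garbage line"]

if __name__ == "__main__":
    for row in analyze(SAMPLE, lowercase=True):
        print(":".join(str(field) for field in row))
```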
I added a feature similar to “here files” to translate.py. It’s something I already did in xor-kpa.py.
Instead of using an input filename, the content can also be passed in the argument. To achieve this, precede the text with character #.
If the text to pass via the argument contains control characters or non-printable characters, hexadecimal (#h#) or base64 (#b#) can be used.
translate.py #h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC "byte ^0xDD"
This is a secret!
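The argument conventions above, as an added example that is not translate.py's own code: here_argument interprets the #, #h# and #b# prefixes, and translate applies a byte expression such as "byte ^0xDD" to the result. Evaluating the expression with no builtins available, and latin-1 for the plain # form, are assumptions about how far to mirror translate.py.

```python
import base64
import binascii

def here_argument(argument):
    """Return the content an argument designates: literal text after '#',
    hex after '#h#', base64 after '#b#', otherwise the bytes of the named file."""
    if argument.startswith("#h#"):
        return binascii.unhexlify(argument[3:])
    if argument.startswith("#b#"):
        return base64.b64decode(argument[3:])
    if argument.startswith("#"):
        return argument[1:].encode("latin-1")  # assumption: 8-bit literal text
    with open(argument, "rb") as f:
        return f.read()

def translate(data, expression):
    """Apply a Python expression over the name 'byte' to every byte of data.
    Builtins are withheld from the expression (assumed restriction), and the
    result of each evaluation is masked to a single byte."""
    code = compile(expression, "<translate>", "eval")
    return bytes(eval(code, {"__builtins__": {}}, {"byte": b}) & 0xFF for b in data)

if __name__ == "__main__":
    secret = here_argument("#h#89B5B4AEFDB4AEFDBCFDAEB8BEAFB8A9FC")
    print(translate(secret, "byte ^0xDD").decode("latin-1"))  # This is a secret!
```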
This new version of rtfdump.py adds object extraction (-E) and can also handle objects obfuscated with \dde0000…