Didier Stevens

Tuesday 31 July 2007

YACoSTO, One Year Ago

Filed under: Reverse Engineering — Didier Stevens @ 6:04

One year ago, to the day, I posted YACoSTO. I explained how I reversed a program that “protects” data. This is one of my favorite posts, but it hardly gets any hits. I encourage you to read it, because this time, I focus on reversing the protected data rather than the program itself. You might learn a couple of new and simple techniques.

The binary tools I used for the YACoSTO post can be found here, I published them afterwards.

Contrary to what some of you might think, this is not a “I’m on holiday” post 😦 . We took a short cruise in June. My sister-in-law, a professional wedding film producer, shot this movie (YouTube) during our holiday, hires version here. Absolutely no malware, hacking, revering, … in the movie, just holidaying.

Oh, and BTW, until now, nobody ever asked me what YACoSTO means…

Thursday 26 July 2007

Yes, It Will Be Late In Brussels Again…

Filed under: Reverse Engineering — Didier Stevens @ 8:17

Coming Soon: Reverse Engineering Khallenge

Give it a shot, last year, the first stage was very easy, you could even crack it just using Windows Notepad!

Tuesday 24 July 2007

RSR

Filed under: Malware,Reverse Engineering — Didier Stevens @ 6:53

This is an example of Really Simple Reversing of a piece of malware. It’s written in the AutoIt scripting language and compiled to an EXE.

It’s not intentional, I’m sure about this, but this AutoIt tool offers some interesting features for (inexperienced) malware authors. You can compile your script to a stand-alone executable that is automatically packed with UPX. And even after unpacking it, the strings are still obfuscated.

Decompiling the script is really easy, because the AutoIt authors include a decompilation utility with the AutoIt installation package (Exe2Aut). You can find a video of the decompilation here hosted on YouTube, and you can find a hires version (XviD) here. The icon of the bin.exe file you see in the video is the default AutoIt icon.

autoit.png

See how easy it becomes understanding what this malware does once you have the source code:

  • the URLs are defined in variables at the beginning
  • you can see from where the malware downloads updates and where they get installed
  • how it disables tools that can help you clean the infected machine, like Task Manager
  • that it tries to spread via IM applications

And did you notice the folder under F:\Documents and Settings at the beginning of the script? Oops!

When I submitted this malware to VirusTotal, only 4 AV engines detected it (July 18th 2007).

I played with the AutoIt compiler and decompiler and found some interesting things, I’ll probably blog about this later. Here is a hint: when you password-protect a compiled AutoIt script, you have to provide the password to decompile it, but not to execute it. Can you guess what this means? 😉 Post your answer in the comment section!

Monday 23 July 2007

CyberSpeak interview

Filed under: My Software,Reverse Engineering — Didier Stevens @ 8:11

My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent 😉 But I’m not French, I’m Flemish!

Tuesday 17 July 2007

UserAssist V2.3.0

Filed under: My Software,Reverse Engineering — Didier Stevens @ 6:05

I’m releasing version 2.3.0 of my UserAssist tool with these new features:

  • saved CSV files have a header.
  • entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
  • the Save command also supports HTML.
  • support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
  • registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssistkeys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated.I’m also researching special values of the count property, for example when a program is removed from the start menu list.

The software is hosted on my site now, as Microsoft will phase-out the User Samples section of the gotDotNet site.

Thanks to Ovie and Bret of the CyberSpeak podcast for talking about my UserAssist tool on their show. The announced interview is recorded 🙂

Monday 16 July 2007

Will it be late in Brussels again?

Filed under: Reverse Engineering — Didier Stevens @ 21:58

Yes, I’ve the feeling it will be late in Brussels again

Wednesday 11 July 2007

ExtractScripts Update

Filed under: Malware,My Software,Update — Didier Stevens @ 0:06

I’ve updated ExtractScripts to handle comments inside <script> tags.

Tuesday 3 July 2007

The BlockSite Firefox Add-on

Filed under: Reverse Engineering — Didier Stevens @ 8:00

The Firefox add-on BlockSite by Erik van Kempen allows you to maintain a blacklist of sites you want to block for surfing. I extended his add-on with a whitelist: in stead of specifying the sites you want to block, you can decide to specify the sites you want to allow, and all other sites will be blocked. Erik has integrated my code in his add-on:

Version 0.5 — December 30, 2006 — 34 KB

[+] Whitelist/Blacklist feature (by Didier Stevens): Choose if the list is a blacklist or a whitelist.
[~] Password protection still pending (unfortunately), most probably in next major release

Reverse engineering a Firefox add-on is really simple. The file format for add-ons, XPI, is in fact a ZIP file. After unzipping the XPI file, you’ll find a JAR file (again, this is also based on ZIP). Unzip the JAR file and then you can analyze the JavaScript and XUL files.

You can also load an unpacked Firefox add-on in Firefox to test and debug it, how is explained here.

Tuesday 26 June 2007

ExtractScripts

Filed under: Malware,My Software — Didier Stevens @ 6:26

ExtractScripts is another one of my little tools I use to analyze malware.

Wednesday 20 June 2007

UserAssist Q&A

Filed under: Reverse Engineering — Didier Stevens @ 6:29

I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want to share here.

Does switching to the “Classic Start Menu” prevent the logging of data in the UserAssist registry keys?
No, it doesn’t. When you use the classic start menu (the start menu from Windows NT & 2000, without a frequently used programs pane), Windows explorer still continues to monitor and log the programs you execute. When you switch back to the “modern” start menu, you’ll see several of the programs you recently used in the frequently used programs pane.

Does disabling the Active Desktop prevent the logging of data in the UserAssist registry keys?
No, it doesn’t. In fact, I use the following litmus test to know if starting a program is recorded in the UserAssist keys: did a user perform the action through Windows explorer? If a user did, then the action is logged.
The only trick I know to permanently disable the UserAssist keys is this one:

  • add a new subkey “Settings” under the “UserAssist” key
  • add a new DWORD value “NoLog” and set it to one.

My UserAssist tool allows you to toggle this setting via a simple menu command.

One audience member asked me if I was really sure that using a mandatory user profile (NTUSER.MAN) implied that the UserAssist registry keys where not persisted.

I promised him that I would test it, and I must admit that I was wrong.
A mandatory user profile is a profile that the user can change, but the changes are not saved when the user logs out.
This is how I tested the UserAssist tool with a mandatory user profile:

  1. a domain controller
  2. a member workstation
  3. a domain user with the profile path set to a share on the DC
  4. renaming NTUSER.DAT to NTUSER.MAN
  5. log on to the workstation with the domain user account
  6. start some programs
  7. analyse the profiles

I discovered that the NTUSER.MAN file in the local copy of the profile (file NTUSER.MAN in c:\document and settings\user on the workstation) had been modified, and that the UserAssist keys listed the program I had executed. As expected, the NTUSER.MAN file on the DC in the roaming user profile was not modified. And when I logged on to the workstation a second time, the local profile was overwritten with the mandatory profile, as expected.

So you can use the NTUSER.MAN file in a forensic investigation, but some restrictions apply:

  1. use the local copy, not the file hosted on the DC (in fact, you should compare the UserAssist entries from both files, because some entries in the UserAssist keys might come from the original NTUSER.MAN file)
  2. make sure to grab a copy before the user logs on again, otherwise the file will be overwritten (you could try to recover it)
  3. entries in the UserAssist keys will pertain to the last session of the user, it is not a complete history of all the sessions (and remember restriction 1, comparing the profiles)

Raymond Chen has started a series of blog posts about the Start Menu’s frequently used programs. Keep in mind that he discusses the rules that govern the display and ranking of programs on the start menu, and not actually the rules for collecting the data (i.e. UserAssist keys). What he calls points is not the same as the counter in a UserAssist entry.

« Previous PageNext Page »

Blog at WordPress.com.