Didier Stevens

Tuesday 9 December 2008

Updates: bpmtk and Hakin9; PDF and Metasploit

Filed under: Announcement,Hacking,Malware,My Software,PDF,Update — Didier Stevens @ 21:23

Hakin9 has published my bpmtk article. The article mentions bpmtk version; however, this new version has no new features. But it comes with extra PoC code, like a LUA-mode keylogger and “rootkit”. New blogposts will explain this new PoC code.


And upcoming bpmtk version contains a new feature to inject shellcode. Just have to update the documentation.

On the PDF front: I’ve produced my first Ruby code ;-). I worked together with MC from Metasploit to optimize the PDF generation code in this util.printf exploit module. It uses some obfuscation techniques I described 8 months ago.


  1. I’m curious to read that hakin9 article, is it already out? In wich issue can I find it?
    thank you and keep up the good work 😉

    Comment by freagan — Thursday 11 December 2008 @ 7:52

  2. It’s in the last issue, published this week.

    Comment by Didier Stevens — Thursday 11 December 2008 @ 12:02

  3. Thank you for your reply, since I live in Italy I think that I have to wait for the pdf version 😉

    Comment by freagan — Thursday 11 December 2008 @ 20:59

  4. Hey there,

    I’ve bought the Hackin9 magazine and read your article.
    To me its a little confusing but that’s because im new to this kind of thing.
    It may sound a little n00bish but how do you find out that there is a reference to DisableCMD and the like?
    I would appreciate any help you can give me as this toolkit really interests me.
    Ryan J
    p.s I love your work!

    Comment by Ryan J — Friday 24 April 2009 @ 9:33

  5. Well, for DisableCMD I did it with dynamic analysis, i.e. observing the process started with and without the setting and see what’s different.

    Comment by Didier Stevens — Friday 24 April 2009 @ 12:22

  6. I’m sorry but how did you observe the process?
    Did you use the Toolkit? Or some other tool?
    I had a look at your Reverse Engineering Mentoring and found a reference to DisableCMD in the cmd.exe but couldn’t understand what it meant.
    Thanks for your Blog and Programs.
    Ryan J

    Comment by Ryan J — Wednesday 29 April 2009 @ 9:17

  7. The Sysinternals tools, like Procmon. I noticed cmd.exe accessed registry key DisableCMD just before the warning was displayed the cmd.exe is disabled by the administrator.

    Comment by Didier Stevens — Wednesday 29 April 2009 @ 9:21

  8. Thanks for the swift reply!
    I’ll have to look into it, thanks for pointing me in the right direction
    Ryan J

    Comment by Ryan J — Wednesday 29 April 2009 @ 10:41

  9. […] To protect confidential data, don’t let it be accessed by systems with Internet access. That’s not very practical, but it’s reliable. Or use strong encryption with strong passwords (not the default RC4 Excel encryption). The info stealer will have the extra difficulty to steal the password too. […]

    Pingback by PDF Info Stealer PoC « Didier Stevens — Monday 8 March 2010 @ 0:01

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.