Didier Stevens

Tuesday 30 June 2009

MessageBox Shellcode

Filed under: My Software — Didier Stevens @ 5:40

Per request, I release my assembly code I’ve used in my previous blogposts to display a message box when the injected shellcode gets executed. It’s nothing special, but it will save you some time when you need a similar program.

Assemble the code with nasm like this:

nasm -o sc-mba-hello.bin sc-mba-hello.asm

I use the DLL locating code published in The Shellcoder’s Handbook, you can find it in the include file sc-api-functions.asm. MessageBoxA is located in user32.dll, this dll has to be loaded in the process you’re injecting with sc-mba-hello.

sc-ods.asm is a similar program, calling OutputDebugStringA in stead of MessageBoxA.

Download:

my-shellcode_v0_0_1.zip (https)

MD5: F215B29BA3C8F24CFBA5C24BED65B68A

SHA256: EA1DB8028954CEB18B8AD2EB37CA6BA0CD7CDC6B9A64F10561382152701C013F

The shellcode:

sc-mba-hello

Monday 29 June 2009

Quickpost: Time Lapse Photography With a Nokia Mobile

Filed under: Hardware,My Software,Quickpost — Didier Stevens @ 2:20

Did you know Nokia mobile phones with the S60 platform can be programmed in Python? During my last holiday, I wrote a small program for time lapse photography with my mobile. Here is the result, showing tidal ebbs and flows in Saint-Vaast-la-Hogue and Cancale:

This is the Python program I wrote to take a picture every minute:

#!/usr/bin/python

__description__ = 'Tool to take pictures with a Nokia phone at regular intervals'
__author__ = 'Didier Stevens'
__version__ = '0.1.1'
__date__ = '2009/06/22'

"""

Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk

History:
 2009/06/17: start
 2009/06/22: refactoring

Todo:
 Get Threading to work
"""

import camera
import time
import os

timelapseFolder = 'e:\\timelapse\\'
sleepTime = 57

def TakeAndSavePicture():
    global timelapseFolder

    now = '%04d%02d%02d-%02d%02d%02d' % time.localtime()[0:6]
    pic = camera.take_photo()
    pic.save(os.path.join(timelapseFolder, now, '.jpeg'))
    print 'Picture taken: %s' % now

def Main():
    global timelapseFolder
    global sleepTime

    print 'Timelapse photography started'
    if not os.path.isdir(timelapseFolder):
        os.mkdir(timelapseFolder)
        print 'Timelapse folder created: %s' % timelapseFolder
    print 'Wait between pictures %d' % sleepTime
    while True:
        TakeAndSavePicture()
        time.sleep(sleepTime)

if __name__ == '__main__':
    Main()

And then I use Avisynth to combine the jpeg pictures in a movie like this (I join pictures 00001.jpg through 00197.jpeg, 5 per second and produce a 25 fps movie):

ImageSource("%05d.jpeg", 1, 197, 5).ChangeFPS(25)

Quickpost info

Thursday 25 June 2009

bpmtk: Injecting VBScript

Filed under: bpmtk,Hacking,My Software — Didier Stevens @ 7:03

Here’s a new trick: injecting VBScript in a process. I’ve developed a DLL that will create a COM instance of the VBScripting engine and let it execute a VBScript. Injecting this DLL in a running program results in execution of the VBScript in the context of the running program. Here’s an example where I wrote a VBScript to search and replace a string in the memory of the notepad process:

Here is part of the VBScript I developed to search and replace inside the memory of a process. It uses custom methods like Peek, Poke and Output that I’ve added to the scripting engine:

20090609-205420

I’ll provide more details in an upcoming blogpost on bpmtk version 0.1.5.0, but you can already download it here.

YouTube, Vimeo and hires Xvid.

Monday 15 June 2009

Quickpost: Arduino XBee Shield Series 2 Configuration

Filed under: Hardware,Quickpost — Didier Stevens @ 8:08

I couldn’t get my 2 Arduinos with an XBee shield to talk to each other, despite the instructions on the Arduino site.

The XBee shields I obtained use a XBee series 2 module, while the instructions on the Arduino site are for the older XBee module.

20090606-111115

After configuring one of my XBee modules as coordinator, the XBee modules were able to communicate with each other.

You need the X-CTU configuration program to configure an XBee series 2 module as coordinator. To connect the XBee module to your PC, you’ve to:

1) remove the ATmega µp from the Arduino board (remember the orientation of the ATmega chip to put it back afterwards):

20090606-111211

2: set the jumpers on the XBee shield to USB:

20090606-111318

3) Connect the XBee shield to the Arduino, and then connect the Arduino via USB to your computer, run the X-CTU configuration program and read the configuration:

20090606-111328

4) Select the coordinator function set and write it to the XBee module:

20090606-111428

When the XBee module has restarted and if your other XBee module is powered on, you’ll see the LEDs of both modules starting to flash, indicating they formed a WPAN network.

After configuring the XBee module, revert to the original hardware configuration: disconnect the Arduino board from your PC, set the jumpers on the XBee shield back to XBee and reinsert your ATmega µp in the Arduino board (watch out for the polarity of the chip).

Now I’m able to run the simple example successfully.

Quickpost info

Tuesday 9 June 2009

Quickpost: Make Your Own Corrupted PDFs For Free

Filed under: Entertainment,Nonsense,PDF,Quickpost — Didier Stevens @ 14:37

In response to Bruce Schneier’s latest post, let me explain how you can corrupt your own PDF documents for free. Open your PDF document with a binary editor, search for references to the root object (/Root), and overwrite the reference (36 in my example) with a non-existing reference, like 00.

20090609-181712

Of course, be careful and make backups first.

Tested on several PDF readers:

20090609-181538

20090609-181556

20090609-181919

Sunday 7 June 2009

Update: Disitool V0.3

Filed under: My Software,Update — Didier Stevens @ 23:15

Last January, I got a little challenge from @hdmoore via my Twitter account: add data to a signed executable without invalidating the Authenticode signature. I updated my Digital signature tool, but I realize now I had only announced the update on Twitter, not on my blog.

The trick is to increase the size of the image data directory for the digital signature and inject the extra data after the digital signature. This way, the Authenticode validation algorithm ignores the extra data, because it considers it to be part of the signature. Use Disitool’s new inject command:

disitool.py inject ms-patch.exe data.bin ms-patch-data.exe

The authenticode signature of ms-patch.exe will remain valid in ms-patch-data.exe, provided that the length of the injected data (file data.bin) is a multiple of 8.

You can use the paddata option to make the injected data size a multiple of 8 if it isn’t:

disitool.py inject --paddata ms-patch.exe data.bin ms-patch-data.exe

Disitool can be downloaded here.

Saturday 6 June 2009

Quickpost: PDF Security Tidbits

Filed under: PDF — Didier Stevens @ 14:57

Some PDF Security Tidbits:

  1. I was a guest on the Securabit podcast. Thanks for having me guys!
  2. Eric Filiol has published his PDF Structazer tool he presented at Black Hat Europe 2008
    The tool: http://www.esiea-recherche.eu/data/PDF%20Structazer.exe
    The document (PDF): http://www.esiea-recherche.eu/data/PDF%20Structazer%20Short%20User%20Manual.pdf
  3. And I’ve an article in the latest issue of (IN)SECURE Magazine on how malicious PDFs could infect without getting opened.

Quickpost info

Monday 1 June 2009

Quickpost: Sending WiFi Beacon Frames with an AirPcap Adapter

Filed under: My Software,Quickpost,WiFi — Didier Stevens @ 10:29

While preparing for my OSWP exam, I came across an unpublished Python program for the AirPcap adapter. I cleaned-it up a bit and here it is: apc-b

This program allows you to send out beacon frames, a very simple way to spoof WiFi access points.

This is the command to generate beacon frames on channel 6 for a couple of ESSIDs listed in file apc-b-2.txt:

20090601-120518

And here is Kismet on my N800 capturing these beacon frames:

kismet-n800

Quickpost info

Blog at WordPress.com.