Didier Stevens

Friday 18 February 2011

HeapLocker: String Detection

Filed under: My Software,Vulnerabilities — Didier Stevens @ 12:43

A third protection technique I implemented in HeapLocker is string detection.

When you enable string monitoring, HeapLocker will create a new thread to periodically check (every second) newly committed virtual pages that are readable and writable. When a specific string (configured in the registry) is detected inside these pages, HeapLocker will suspend all threads (except this monitoring thread used by HeapLocker) and warn the user that the string was detected.

I’ve had very good result with this technique searching for string “unescape” in Adobe Reader (the string “unescape” must be preceded by an equal sign or followed by a left parentheses). Almost all malicious PDF documents in my collection were detected by this. But like NOP-sled detection, it’s not 100% reliable. Sometimes HeapLocker will scan a page before the string “unescape” has been written to that page.

Friday 11 February 2011

Update: WhoAmI? Version 0.1.5

Filed under: My Software,Update — Didier Stevens @ 10:05

I’ve updated my WhoAmI? Firefox add-on for Firefox version 4.

You can get it from the Mozilla site.

Thursday 3 February 2011

TaskManager.xls

Filed under: My Software — Didier Stevens @ 9:45

TaskManager.xls is a simple taskmanager implemented in Excel/VBA. It can list the running processes; and terminate, suspend or resume selected processes.

I wrote this script because I was in a restricted environment where I could not use Task Manager or Process Explorer. It will also come in handy when fixing an infected machine, where the malware prevents one from launching Task Manager or Process Explorer.

Push  button “List processes” to list all processes:

Here’s how you would use it to disable malware. List processes, identify malicious processes, type command s (suspend) in column Command for the malicious processes you want to disable. Push button “Execute commands”, this will suspend the selected processes.

Now terminate them with the t command:

Doing this in 2 steps (suspend and terminate) in stead of just terminating, is more suited for multi-process malware that monitors itself.

Download:

TaskManager_V0_0_1.zip (https)

MD5: A0A7584C83F4DD85F57F8511E332893B

SHA256: A0A128DA6297968CB2F434628AD4F045E14EBDC8AE3B05DD3D0F21CC954C13CE

Blog at WordPress.com.