Didier Stevens

Monday 21 March 2011

Windows Security Center: Under the Hood

Filed under: Windows 7,Windows Vista — Didier Stevens @ 10:29

I’m sure you’ve seen the following warning before:

But have you ever wondered where the Windows Security Center gets its info? (BTW, Microsoft renamed it Windows Action Center in Windows 7).

It gets the information from the Windows Management Instrumentation interface, and more precisely, the WMI name spaces \root\SecurityCenter and \root\SecurityCenter2. I wrote a small script to display this info:

You can download the script here.

It’s also possible to modify this WMI information. Say you’ve uninstalled an antivirus program, but that it still shows up in the Windows Security Center. Then you can delete the WMI information with utility wbemtest.exe.

Start wbemtest (if you’re on Windows Vista or 7, you need to elevate wbemtest) and click on connect.

Type the name space you want to change: \root\SecurityCenter or \root\SecurityCenter2 (SecurityCenter2 is a recent addition). And then connect.

Click onEnum Classes…

Then click OK

Then double-click the type of information you want to change. Here we change AntiVirusProduct:

Then click Instances

And now you can change the information. Here we delete it:

Monday 14 March 2011

HeapLocker: Null Page Allocation

Filed under: My Software,Vulnerabilities — Didier Stevens @ 5:03

Just like EMET, HeapLocker can allocate a page at address 0 (null or 0x00000000) to mitigate null pointer dereferencing.

I actually implemented this code in HeapLocker because I wanted to find out how one can allocate a page at address 0. You see, when you call VirtualAlloc with address 0, VirtualAlloc will allocate a page at an address chosen by VirtualAlloc, and not at address 0. So I would think that the trick is to call VirtualAlloc with address 1, and that VirtualAlloc will allocate a page that contains address 1, and that this page must start at boundary 0.

But the problem is that you get an error when you try to allocate a page at address 1 with VirtualAlloc. Ivanlef0u explains this in his blogpost (French). VirtualAlloc rejects addresses inferior to 0x1000, one must use NtAllocateVirtualMemory to successfully allocate address 1.

Tuesday 8 March 2011


Filed under: Forensics,My Software — Didier Stevens @ 0:00

I wrote another script for my 010 Editor.

Like its name implies, DumpStrings will dump all the strings (ASCII and UNICODE) found in a file, or a selection in a file, to the output tab.
Strings must be at least 5 characters long (defined with a #define statement in the script).
UNICODE support is very simple for the moment: 7-bit values in a 16-bit character (MSB or LSB).

Take into account that this is not designed for large files: it will take too long. But its easy to analyze partial files without having to save the selection for analysis with another strings tool.


DumpStrings_V0_0_1.zip (https)

MD5: 50C0C92F28020E7BCABBF46CA8775CCE

SHA256: 7EC688DBB0FD95C828067662C9ED8BBCFFEFBE5EA37B607DC8DFA1BDCB94365C

Tuesday 1 March 2011

Update: TaskManager.xls Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 11:47

My TaskManager.xls spreadsheet is very popular, so here’s a new version.

I’ve added a couple of columns with info I need (the Filename, the process Creation time and a 32/64 bit indicator).

And this new version also enables the debug privilege to display info for processes of other users. Of course, you need the debug privilege in first place for this to work. So you have to be a local admin, and if you use an OS with UAC, you have to elevate the Excel application (run as administrator).

TaskManager.xls works on 64-bit Windows, provided you use 32-bit Excel. It doesn’t work on 64-bit Excel yet, I’ll release a new version that does later.


TaskManager_V0_0_3.zip (https)

MD5: BF40B4317C7E04E1F65B8CEE55ED3A7A

SHA256: 0D48C2E6986F1DD8FA3A0671A1A53F0FC489923701963031FDC4FA516603EEC1

Blog at WordPress.com.