Didier Stevens

Wednesday 30 May 2012

Update: virustotal-search

Filed under: Malware,My Software,Update — Didier Stevens @ 9:04

I didn’t expect my virustotal-search program to be that popular, so here is a new version with new features and a few fixes (version 0.0.1 contained a buggy experimental feature I hadn’t planned to release then).

What I didn’t explain in my first post, is that virustotal-search builds a database (virustotal-search.pkl) of all your requests, so that recurring requests are served from that local database, and not from the VirusTotal servers. I’ve added a field (Requested) to indicate if the request was send to VirusTotal or served from the local database.

If you want all requests to be send to VirusTotal, regardless of the content of the local database, use option –force.

And if you don’t want to include your API key in the program source code, you have two alternatives:

  1. use option –key and provide the API key on the command line
  2. define environment variable VIRUSTOTAL_API2_KEY with the your API key

virustotal-search_V0_0_3.zip (https)
MD5: 89D48483B8CF48A11A26314CC3A7631C
SHA256: A66A264A772CB9AEE356E1CF902E93FCA8CDE77233A09DB4999BCF15FA45EDF9

Monday 21 May 2012

Searching With VirusTotal

Filed under: Malware,My Software — Didier Stevens @ 5:04

Did you know that you can search VirusTotal? You don’t have to submit a file, but you can search for the report of a file has been submitted before. You use a cryptographic hash (MD5, SHA1, SHA256) to identify the file.

There are several tools to submit a batch of files to VirusTotal, but I didn’t find any that just searches VirusTotal for a list of search terms via VirusTotal’s API.

Thus I wrote my own Python program. It accepts a file with a list of hashes, and produces a CSV file with the result. Here is an example displayed with InteractiveSieve:

To get this program working, you need to get a VirusTotal API key and add it to this program. You need a VirusTotal account to get your API key.

And my program respects VirusTotal’s rate limitation (4 requests per minute), I don’t want it to DoS VirusTotal.

virustotal-search_V0_0_2.zip (https)
MD5: 0d3c70213dd59cc935ed999a038237d6
SHA256: BD213BBC55A9048DBB7B890209E2831EF81049B45ABE9091E01F0692F4F23283

Monday 14 May 2012

ExitProcess Shellcode

Filed under: My Software,Shellcode — Didier Stevens @ 0:19

I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet.

Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library.

Remark that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return.

You can find this shellcode on my shellcode page.

Tuesday 8 May 2012

Why Isn’t my PoC Launching calc.exe?

Filed under: Entertainment,Hacking,My Software,Nonsense — Didier Stevens @ 11:17

I quickly developed a dll that kills calc.exe when started from anything else than explorer.exe.

This way, you can mess with all those PoCs that launch calc.exe 😉

nocalcpoc_V0_0_0_1.zip (https)
MD5: 05798543571B45E19536181DC7346330
SHA256: ED0FEDC6096420F6F09F4980A1CE36F7C4BC0A8C9191F4DFC27FA4C77D547976

Tuesday 1 May 2012

Update: TaskManager.xls V0.1.3 Killer Shellcode

Filed under: My Software,Shellcode,Update — Didier Stevens @ 10:49

My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).

Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.

Here I’m using the command “e ep64”: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:

The result is that notepad will terminate itself.

When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.

FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.

TaskManager_V0_1_3.zip (https)
MD5: 38DED14A7A468923C3552A6135CC570C
SHA256: CABD1F73C8D069A85EA439D7AFF736723B5759A6ED929FB3F21A4ADD3D0605BC

Tuesday 17 April 2012

InteractiveSieve

Filed under: .NET,My Software — Didier Stevens @ 11:33

Interactive Sieve is a program I developed to help you analyze log files and other data in tabular form. It’s designed to help you when you don’t know exactly what you’re looking for. You sift through the data by hiding or coloring events (or data) that are not relevant.

I started writing this program in 2007 and use it often. But there is a problem I’ve not been able to fix: when you hide a lot of rows, it takes a long time, probably because of the redraw operation that takes place for each hidden row. Maybe someone will find a solution.
Update: big thanks to @woanware for fixing the redraw performance problem!

For more details on how to use the program, select Help / About.

InteractiveSieve_V_0_7_3_0.zip (https)
MD5: F36B245584DE143A15F484AA6220D67F
SHA256: AE0804EA739AEDC5FA32B7F6FD99AB99A35F7742B98953A653E0C24725E0FE6F

Thursday 29 March 2012

Update: SE_ASLR Version 0.0.0.2

Filed under: My Software,Update — Didier Stevens @ 9:14

I added Bottom Up Randomization to my SE_ASLR tool.

In this source code, I use a Windows Cryptographic Service Provider to generate random numbers.

SE_ASLR_V0_0_0_2.zip (https)
MD5: C835D1DDB64A68A1CD48CCF87AE03D18
SHA256: 1560BEE96CFC956A5E8954FEFD92ED227293418B19FE6B06D4ED703B6C50F4AC

Wednesday 14 March 2012

Update: PDFid And pdf-parser

Filed under: Uncategorized — Didier Stevens @ 9:15

To mark the occasion of my Malicious PDF Analysis workshop at Black Hat Europe 2012, I’m releasing version 0.0.12 of PDFiD and version 0.3.9 of pdf-parser.

The major change is that these 2 tools support Python 3 too now. And then there are a couple of bugfixes and new features given to me by readers.

You can find these tools on the PDF Tools page.

Monday 12 March 2012

NAFT Release

Filed under: My Software,Networking — Didier Stevens @ 19:41

You can find a first release of my Network Appliance Forensic Toolkit here. This first release contains a tool for generic network appliances, but also works on memory dumps of PC operating systems like Windows.

Monday 5 March 2012

Update: TaskManager.xls V0.1.2

Filed under: My Software,Update — Didier Stevens @ 12:03

This is a new version of TaskManager.xls with memory usage statistics, with code given to me by sciomathman.

I updated the code for 64-bit and edge cases.

TaskManager_V0_1_2.zip (https)
MD5: DEDB20DA6EE1A622DD3C234D07F5FE08
SHA256: 23EC10C7206BA43B56EF185E7C18EF528FD551FC0B34FFF9E4E183C37A114FF8

« Previous PageNext Page »

Blog at WordPress.com.