Didier Stevens

Friday 27 July 2012

My BlueHat Prize Entry: CounterHeapSpray

Filed under: My Software,Shellcode — Didier Stevens @ 10:24

Congratulations to the winners of the BlueHat Prize contest.

My entry was CounterHeapSpray:

CounterHeapSpray monitors the private memory usage of an application to guard against heap  sprays. When the private memory usage of the application exceeds a predefined threshold,  CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages  and populate these pages with its own shellcode. When the heap spray terminates and the exploit  executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will  suspend all threads and display a warning message for the user. When the user clicks OK,  CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode,  CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.

CounterHeapSpray.zip (https)
MD5: 1947380F935AE0B1A8828DE79621F82F
SHA256: CA0BF635655EE05ABED117C858BC86ECDF3EBB4C39544D7D0C396D7C457F1BBC

Thursday 19 July 2012

UserAssist Windows 2000 Thru Windows 8

Filed under: Forensics,My Software,Update — Didier Stevens @ 13:26

I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.

Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

Friday 13 July 2012


Filed under: My Software — Didier Stevens @ 13:01

Here is a new spreadsheet that lists all installed programs. It does this by enumerating registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

This spreadsheet works on 32-bit and 64-bit Excel.

InstalledPrograms_V0_0_1.zip (https)
MD5: 0BF27B9D4B6316381E0AADC1777B7F8F
SHA256: 60AF8234BD10E12221CAD3D2544222819CB0CC0834E339084590860F30E0D580

Thursday 5 July 2012

Nmap McAfee ePO Agent Script

Filed under: My Software,Networking — Didier Stevens @ 19:13

I’ve worked together with Daniel Miller (@bonsaiviking) on an Nmap version script to identify the McAfee ePO Agent. By default, this agent listens on port 8081 and replies to HTTP requests.

You can find the script here on the nmap site.

8081/tcp  open  http    McAfee ePolicy Orchestrator Agent (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
Service Info: Host: TESTSERVER

Blog at WordPress.com.