Didier Stevens

Thursday 20 September 2012

Didier Stevens Labs – Brucon 2012

Filed under: Announcement,Didier Stevens Labs — Didier Stevens @ 6:00

I founded my own company: Didier Stevens Labs

You can find videos of my workshops for sale on this new website.

And I will give a brand new workshop at Brucon next week: Windows x64: The Essentials

I will sell CDs with my workshop videos at Brucon with a 20% discount.

Friday 14 September 2012

New Authenticode Tools

Filed under: Announcement,Encryption,Forensics — Didier Stevens @ 14:43

I’ve worked on a couple of new tools to analyze the digital signature found in PE files. In this post, I’m sharing some invalid signatures I found on my machines.

This signature is invalid because the certificate expired:

Normally, the fact that it expired shouldn’t cause the signature to become invalid, but here it does because the author forgot to countersign the signature with a timestamping service:

I also found several files where the root certificate used in the signatures uses a signature algorithm based on the MD2 hash:

And last a signature with a revoked certificate:

Remember Realtek Semiconductor? Their private key was compromised and used to sign Stuxnet components.
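The three failure modes above (expired signer without a timestamp countersignature, an MD2-signed certificate in the chain, a revoked certificate) come down to a small policy check over facts any Authenticode parser already extracts. The following is an added example, not one of the author's tools: it takes constructed certificate facts (validity windows, signatureAlgorithm OIDs, revocation flag, the time asserted by the timestamp countersignature if present) and returns the reasons a signature would be reported invalid. The OIDs are the real PKCS#1 identifiers; the certificate subjects, dates and the `check_all` helper are constructed, and treating any revocation as fatal is a stated simplification (real verifiers also weigh the revocation date and reason against the timestamp).

```python
"""Constructed Authenticode chain-policy checker (stdlib only).

Explains why a PE signature fails given facts a parser has already pulled
from the PKCS#7 blob. All certificates below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# X.509 signatureAlgorithm OIDs (PKCS#1). The first two use obsolete digests.
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"

# Constructed verification time for the samples (the date of this post).
VERIFICATION_TIME = datetime(2012, 9, 14, tzinfo=timezone.utc)


@dataclass
class CertFacts:
    subject: str
    not_before: datetime
    not_after: datetime
    signature_oid: str          # algorithm the issuer used to sign this cert
    revoked: bool = False


@dataclass
class SignatureFacts:
    chain: List[CertFacts]                  # signer (leaf) first, root last
    countersign_time: Optional[datetime]    # from the timestamp countersignature


def evaluate(sig: SignatureFacts, now: datetime) -> List[str]:
    """Return the reasons the signature fails; an empty list means it passes."""
    reasons: List[str] = []
    leaf = sig.chain[0]
    # Authenticode keeps a signature valid after the signer's certificate
    # expires only when a timestamp countersignature proves the signature was
    # made inside the validity window. Without one, validity is judged "now".
    reference = sig.countersign_time if sig.countersign_time is not None else now
    if not (leaf.not_before <= reference <= leaf.not_after):
        reasons.append("certificate-expired" if sig.countersign_time is None
                       else "signed-outside-validity")
    # Simplification (assumption): any revocation in the chain is fatal.
    for cert in sig.chain:
        if cert.revoked:
            reasons.append("certificate-revoked:" + cert.subject)
    # Weak digest anywhere in the chain is reported with the subject, so the
    # analyst can see whether only the root's self-signature is affected.
    for cert in sig.chain:
        name = WEAK_SIGNATURE_OIDS.get(cert.signature_oid)
        if name:
            reasons.append(f"weak-signature-algorithm:{name}:{cert.subject}")
    return reasons


def _cert(subject: str, start: datetime, years: int, oid: str,
          revoked: bool = False) -> CertFacts:
    return CertFacts(subject, start, start + timedelta(days=365 * years), oid, revoked)


def sample_cases() -> Dict[str, SignatureFacts]:
    """Constructed chains mirroring the findings described in the post."""
    t0 = datetime(2009, 1, 1, tzinfo=timezone.utc)
    root_sha1 = _cert("CN=Constructed Root CA", t0 - timedelta(days=3650), 30, SHA1_RSA)
    root_md2 = _cert("CN=Constructed MD2 Root", t0 - timedelta(days=3650), 30,
                     "1.2.840.113549.1.1.2")
    signer = _cert("CN=Constructed Publisher", t0, 2, SHA1_RSA)   # expired by 2012
    revoked = _cert("CN=Constructed Compromised Publisher", t0, 2, SHA1_RSA, revoked=True)
    signed_at = t0 + timedelta(days=100)                           # inside validity
    return {
        "expired-no-timestamp": SignatureFacts([signer, root_sha1], None),
        "expired-timestamped": SignatureFacts([signer, root_sha1], signed_at),
        "md2-root": SignatureFacts([signer, root_md2], signed_at),
        "revoked": SignatureFacts([revoked, root_sha1], signed_at),
    }


def check_all(now: datetime = VERIFICATION_TIME) -> Dict[str, List[str]]:
    """Evaluate every constructed sample at the given verification time."""
    return {name: evaluate(sig, now) for name, sig in sample_cases().items()}


if __name__ == "__main__":
    for name, reasons in check_all().items():
        print(f"{name:22} -> {reasons or ['valid']}")
```

The two "expired" cases differ only in the presence of a countersignature time, which is exactly why the first signature in the post is invalid while a properly timestamped one with the same certificate would still verify.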

Thursday 6 September 2012

Update & Split: TaskManager.xls Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 18:38

This is a small fix for TaskManager suggested by goglev: he had 2 network drives pointing to the same share, and this triggered a bug.

Since it was brought to my attention that some AV products detect the version with shellcode, I’m forking the project:

TaskManager.xls has no shellcode injection features, while TaskManagerSC.xls does.

TaskManager_V0_1_4.zip (https)
MD5: FBB30486CF0E7A1BEB7342EF4672DE52
SHA256: 30779E09B5B0D1D1AFE9C33B12EDD0982E775A9FA0B0D2A1189835004750FB5F

TaskManagerSC_V0_1_4.zip (https)
MD5: 61C6657B2E36F3240A67960BCA413E56
SHA256: FAAB1044318A1EB6FEA09109ABDD982CDFFAEE54DC1C81D3416CC2A69DEEEC70
