Didier Stevens

Wednesday 31 October 2012

“Please Buy Our Competitor’s Products”

Filed under: Hacking,Vulnerabilities — Didier Stevens @ 19:55

I had a very good Samurai WTF training at Brucon by Raul Siles.

When Raul discussed the fact that clients are not worried about cross-site scripting when you demonstrate it with an alert box, I got the following idea:

Let’s redirect the customer to the competitor’s website. So instead of alert("XSS"); let’s do window.location = "http://www.competitor.com";. This will demonstrate that a cross-site script can cost your client money.

BTW, our training took place in a church:

Monday 22 October 2012

Workshops and Promo

Filed under: Announcement,Didier Stevens Labs — Didier Stevens @ 16:43

My Windows x64 The Essentials Workshop at BruCON 2012 was a success. Today I finished the production of the videos of this workshop; they are for sale on my company’s site.

And tomorrow I’m doing my White Hat Shellcode Workshop at Hack.lu 2012, so I started a promotional sale during Hack.lu 2012.

Wednesday 10 October 2012

XORSearch Video

Filed under: Announcement,My Software — Didier Stevens @ 17:41

I will release free stuff on my company’s website Didier Stevens Labs, like this new XORSearch video.

XORSearch is one of my popular tools, but I hadn’t made a video for it yet:

Tuesday 9 October 2012

Hack.lu 2012

Filed under: Announcement,Shellcode — Didier Stevens @ 12:57

I’m doing my White Hat Shellcode workshop at Hack.lu 2012.

Monday 1 October 2012

Searching For That Adobe Cert

Filed under: Encryption,Forensics,My Software — Didier Stevens @ 19:24

You probably know by now that Adobe will revoke a compromised code signing certificate in a couple of days. As we seem to have had more code-signing-related security incidents recently, I started to develop a couple of new tools.

AnalyzePESig is a tool to check signatures in PE files, just like Sysinternals’ sigcheck, but with a couple of differences.

First, when a signature is not valid, AnalyzePESig will tell you why and still display information about the invalid signature and the related certificates. Second, AnalyzePESig displays more information, and third, it is open source.

Here is how you use AnalyzePESig to look for executables signed with that Adobe certificate that will soon be revoked:

analyzepesig -e -v -s -o windows.csv c:\windows

This will produce a CSV list of all executables found in the c:\windows directory.

Filter this list for lines that include the string fdf01dd3f37c66ac4c779d92623c77814a07fe4c (this is the fingerprint of the compromised certificate):

As you can see, I have Flash components signed with this compromised certificate. Now, this does not mean that these executables are compromised. To get a better idea, I can use my virustotal-search tool to search VirusTotal.
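One way to automate the filtering step above, as an added example that is not part of this post or of AnalyzePESig: the CSV column names (Filename, Signature, SignerThumbprint) and the sample rows are assumptions, since the tool's real CSV layout is not shown here.

```python
import csv
import hashlib
import io

# Fingerprint of the compromised Adobe certificate, as quoted in the post.
ADOBE_REVOKED_SHA1 = "fdf01dd3f37c66ac4c779d92623c77814a07fe4c"

# Constructed sample in the assumed AnalyzePESig CSV layout (column names are
# hypothetical). Note the row with an invalid signature: the signing cert is
# still reported for it, which is the point of AnalyzePESig.
SAMPLE_CSV = r"""Filename,Signature,SignerThumbprint
c:\windows\system32\Macromed\Flash\Flash32.ocx,valid,FD:F0:1D:D3:F3:7C:66:AC:4C:77:9D:92:62:3C:77:81:4A:07:FE:4C
c:\windows\system32\kernel32.dll,valid,0000000000000000000000000000000000000001
c:\windows\temp\setup.exe,invalid,fdf01dd3f37c66ac4c779d92623c77814a07fe4c
c:\windows\notepad.exe,unsigned,
"""


def normalize_fingerprint(value: str) -> str:
    """Lower-case hex with separators removed, so 'FD:F0:1D...' and 'fdf01d...'
    compare equal regardless of how a tool formats the thumbprint."""
    return "".join(ch for ch in value.lower() if ch in "0123456789abcdef")


def sha1_thumbprint(der_cert: bytes) -> str:
    """A certificate thumbprint is the SHA1 of the DER-encoded certificate;
    that is how a fingerprint like the one quoted in the post is derived."""
    return hashlib.sha1(der_cert).hexdigest()


def find_signed_by(csv_text: str, fingerprint: str, column: str = "SignerThumbprint") -> list:
    """Return (filename, signature status) for every row whose signer thumbprint
    matches, including rows whose signature is invalid: a broken signature by
    the compromised cert is exactly what you want to look at, not skip."""
    wanted = normalize_fingerprint(fingerprint)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if normalize_fingerprint(row.get(column) or "") == wanted:
            hits.append((row["Filename"], row["Signature"]))
    return hits


if __name__ == "__main__":
    for name, status in find_signed_by(SAMPLE_CSV, ADOBE_REVOKED_SHA1):
        print(f"{status:8} {name}")
```

To run it over the windows.csv produced by the command above, read that file's contents in place of SAMPLE_CSV and adjust the column name to whatever header the tool actually writes.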

And here is another example, JP2KLib.dll, a DLL of Adobe Reader X:

AnalyzePESig_V0_0_0_1.zip (https)
MD5: 4BE29E4A5DE470C6040241FD069010C4
SHA256: FB83C6491690402273D42A3335777E77EA29328F5FE8503FF6F5EF62833D1FBC
