Didier Stevens

Monday 30 December 2013

UltraEdit Scripts

Filed under: My Software,UltraEdit — Didier Stevens @ 20:10

UltraEdit is my text editor on Windows. I developed a couple of simple scripts that I’m going to release.

The first one is SubstituteEachLine.js.

I run this script when I need to transform each line into another form. Take this example where I want to create a Python dictionary with these words:


I start my script and type this template (%% is the placeholder for each original line in the document):


The script replaces each line in the document like this:


I also often use this in a command-line environment with a limited shell. For example, to rename a bunch of files in “DOS”, I put the list of filenames in a text document and then run my script: “ren %% %%.old”. As shown in this example, you can use the placeholder (%%) more than once in the template. But you can’t escape the placeholder string.

PS: you can also use regex search and replace to do this, but there are cases were I prefer my script.

ultraedit_scripts_v0_0_1.zip (https)
MD5: C218BF518291499600B7B769AD3D14EE
SHA256: CE8FAFF9F7708B6CF596EE455735656F902C5DC99A47EB8AA35F217E6E03656C

Monday 23 December 2013

Update: Prefetch File 010 Template

Filed under: Forensics,My Software,Update — Didier Stevens @ 22:01

This update to my Prefetch File 010 Template adds Sections A through D.

PFTemplate_V0_0_2.zip (https)
MD5: 56A98A78BD4E8D1AED88385AF1DD8446
SHA256: E15D721E46FFB8158C6D14C9A38DE4E3DD5DCD0972896441DF17590C540DBCC3

Saturday 14 December 2013

Update: virustotal-submit.py V0.0.3

Filed under: Malware,My Software,Update — Didier Stevens @ 0:21

There is extra error handling in this new version.

virustotal-search and virustotal-submit have their own page now: VirusTotal Tools.

virustotal-submit_V0_0_3.zip (https)
MD5: 3F9F5421F711E2930AB6F80D87DF9E2B
SHA256: 37CCE3E8469DE097912CB23BAC6B909C9C7F5A5CEE09C9279D32BDB9D6E23BCC

Wednesday 11 December 2013

MS13-098: Fixing Authenticode

Filed under: Encryption,Hacking — Didier Stevens @ 23:17

In 2009 I added a command to my Disitool to inject data “into” an Authenticode signature without invalidating it.

This year I reported on some installer programs using this padding trick.

With MS13-098, Microsoft releases a patch to prevent this signature padding trick. This change in behavior will become active June 10th 2014.

But you can already activate it now by setting reg_sz key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Wintrust\Config\EnableCertPaddingCheck to “1”.

Here is the effect illustrated with my AnalyzePESig tool:


But beware of a potential issue with this regkey. Setting it to “0” will not revert to the old behavior (tested in VM with Windows XP SP3).

I had to deleted the key (actually, I renamed it) and reboot to revert to the old behavior. I informed Microsoft.

Monday 2 December 2013

4 Times Faster virustotal-search.py

Filed under: Malware,My Software,Update — Didier Stevens @ 0:26

This is an important update to virustotal-search.py.

Rereading the VT API, I noticed I missed the fact that the search query accepts up to 4 search terms.

This new version submits 4 hashes at a time, making it up to 4 times faster than previous versions.

virustotal-search_V0_1_0.zip (https)
MD5: 0141D3677F759317034C416EBF9FF30D
SHA256: FE07859C3FA09DA120D3104FF982AF0D78ADFCF099A10E46E254823502DF4EE4

Blog at WordPress.com.