This version handles corrupt VBA macro streams without crashing. Corrupt VBA macro streams are marked with an E indicator (error).
And an update to the plugin_http_heuristics and plugin_dridex plugins.
oledump_V0_0_10.zip (https)
MD5: 450C28232254F8FF3AF5E289F58D2DAB
SHA256: 139671E5E69200CECCE0EF730365C1BF1B7B8904B90E3B1E08E55AB040464C73
The plugin_dridex plugin was updated.
And oledump.py has a new option: –quiet: only print output from plugins.
oledump_V0_0_9.zip (https)
MD5: 849C26F32397D2508381A8472FE40F90
SHA256: 74887EA3D4362C46CCBF67B89BB41D7AACE9E405E4CB5B63888FEDCE20FD6A07
Some time ago I had the chance to try out an image forensic method (Error Level Analysis) on a PDF. It was a fraudulent document (a form), but with a special characteristic: the criminal converted the original form (a PDF) to JPEG, edited the JPEG with a raster graphics editor, and then inserted the edited JPEG in a PDF document. This gave me the opportunity to try out Error Level Analysis (ELA) on a “text document”.
I can’t share the PDF, but I recreated one to use in this blogpost.
First I search for images in the PDF document:
pdf-parser.py -s image example-edited.pdf
Result:
obj 4 0
Type:
Referencing: 6 0 R
<<
/Font
/XObject
<<
/Im4 6 0 R
>>
/ProcSet [/PDF/Text/ImageC/ImageI/ImageB]
>>
obj 6 0
Type: /XObject
Referencing:
Contains stream
<<
/Type /XObject
/Subtype /Image
/Width 680
/Height 965
/BitsPerComponent 8
/ColorSpace /DeviceRGB
/Filter /DCTDecode
/Length 233133
>>
The image is in object 6. I extract the image:
pdf-parser.py -o 6 -d example-edited.jpeg example-edited.pdf
Here it is:
If you Google for Error Level Analysis, you’ll find a couple of websites that provide online image forensics. But that was not an option for me, I could not share the document.
I found this C program for ELA, and later I wrote my own Python program (what else?), that I’ll use for this example:
image-forensics-ela.py example-edited.jpeg example-edited-ela.png
The colored pixels reveal the word I edited. You can see it better when I overlay the 2 images:
image-overlay.py -a 0.6 example-edited.jpeg example-edited-ela.png example-edited-overlay.png
FYI: there is also a GIMP plugin for ELA.
You can download the examples and programs here:
blogpost-ela-files.zip (https)
MD5: 4F3071A9162C5CA8B7B10A41F662093A
SHA256: CBA786368D7BAF65E1E9F854C315BFB60FF89910429106513A0C41C180D8FCAB
This new version brings support for multiple YARA rule files.
The plugin_http_heuristics plugin was updated, and there is a new plugin: plugin_dridex.
oledump_V0_0_8.zip (https)
MD5: 29EBF73F5512B0BC250CD0A0977A2C72
SHA256: 09C451116FCDE7763173E1538C687734D92267A0D192499AFD118D8D923165B9
Version 2.1 of EICARgen can create an Excel spreadsheet (.xls) with the EICAR test file embedded with OLE.
Now that YARA version 3.3.0 supports word boundaries in regular expressions, I’ve updated my YARA Rule for Detecting JPEG Exif With eval().
yara-rules-V0.0.5.zip (https)
MD5: 298EB636B3A3CB6A073815A83A6D1BA6
SHA256: EA00D044A3A0FE29265817407E382034593E0DAAD9887416E7FC128DA24B8830
This new version adds support for the new office file format (.docx, .xlsx, …) stored inside a ZIP file (so a ZIP inside a ZIP) and an option to print YARA strings.
And the HTTP heuristics plugin has some extra heuristics.
oledump_V0_0_7.zip (https)
MD5: 7A953BAFFA1E5285651699996FA2DF84
SHA256: F5DC5F650F005E530A7D0CF510C33E3A4EF29AD85B1DA2618B237F53A46B86B5
I’m teaching a Wireshark WiFi and Lua 2-day class at Brucon Spring Training 2015. You get an AirPcap packet capture adapter when you attend this class.
I made a modification to my Python program to do channel hopping with the AirPcap adapter. Now you can specify a sequence of channels with option -c.
apc-channel_v0_2.zip (https)
MD5: 52169F5CB679E6C0DF1F8D47DA38F779
SHA256: 59F4BEE229F5EF5B7AF27BAF6AA972DCDC9E6A6007E8E468AE7BC7C3F1CB89DD
Didier Stevens 