Didier Stevens

Monday 30 November 2015

Update: Authenticode Tools

Filed under: Uncategorized — Didier Stevens @ 0:00

I released new versions of my AnalyzePESig and ListModules authenticode tools.

Extra fields with information were added to the output of the tools, and the tools were adapted to use the SE_BACKUP_NAME privilege, giving the tools the privilege to read files even when the permissions do not allow it (running as administrator and elevated).

A new field that might require some extra explanation is the DEROIDHash field. The DEROIDHash is a sha-256 hash of the DER structure and OID numbers of a PKCS7 signature: it’s the sha-256 hash of the bytes that make up the PKCS7 signature, except for the data. In other words, it’s the sha-256 hash of the DER bytes that specify the tags and the OID numbers. Signatures with the same structure and OID numbers share the same DEROIDhash.

For example, if a new version of a signed executable is released and the DEROIDHash value is different from the previous version, then the author has changed his/her signing process or is using a certificate with a different structure; or the executable was signed by another party using another signing process.

Sunday 29 November 2015

Update: oledump.py Version 0.0.21

Filed under: My Software,Update — Didier Stevens @ 11:15

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-0x100 select the whole stream except the last 256 bytes.

oledump_V0_0_21.zip (https)
MD5: F72CBB797CE8FB810ACE5E54DC832129
SHA256: 016C772575DF381C274F6408B242945DE35679904B7C8B1B693ABFB2B3C023FB

Saturday 28 November 2015

Update: virustotal-search.py Version 0.1.3

Filed under: My Software,Update — Didier Stevens @ 9:29

A small update: I added option -s (separator) so that you can choose your CSV separator.

virustotal-search_V0_1_3.zip (https)
MD5: 6D93F6CCE56AA74C830D66F9AE2E88C0
SHA256: 09D3BA6BCE1A69E8292AD0D44FB216FBCBF5686EA3C64DCD5FC877E91D4141F4

Tuesday 24 November 2015

Authenticode And Timestamping And sha256

Filed under: Encryption — Didier Stevens @ 0:00

I have a couple of how-to posts on digital signatures, like this code signing post. Let me revisit this topic now that Microsoft announced some upcoming changes to code signing.

I use signtool.exe that came with Visual Studio 2013 in my examples. Here is how to use signtool.exe from the command-line to sign an executable:

20151123-204917

FYI: in my case, I use option /a because I have more than one code signing certificate and I let signtool decide which one to use (option /a). But if you have only one code signing cert, you don’t need to use option /a.

As you can see, the version of signtool.exe I use (6.3.9600.16384) still uses sha1 by default.

20151123-204945

To use sha256 as digest algorithm (since Microsoft will deprecate sha1), use option /fd sha256, like this:

20151123-205150

20151123-205230

When we look at the details of the signature, we see that there is no Signing time or Countersignatures:

20151123-205310

The signature is valid, because we are still in the certificate validity period:

20151123-205524

But once we are outside the certificate validity period, the signature is no longer valid:

20151123-205921

And this is because a countersignature from a timestamping service is missing. A countersignature can be added with option /tr and the URL of a timestamping service, like this one:

20151123-210005

Correction: use this URL for sha256 timestamping: http://timestamp.globalsign.com/?signature=sha2

Option /tr URL specifies a timestamping service that supports the RFC 3161 protocol.

And now the signature remains valid, even after the code signing certificate has expired:

20151123-210052

To be sure that the timestamping service uses sha256, we can request this with option /td sha256:

20151123-210426

Conclusion: always use a timestamping service when signing code, this way your signature will not expire.

Remark: code signing and timestamping are 2 different operations. There is no requirement to execute these operation with a single command. You can also timestamp a signed executable like this:

20151123-211435

First command: sign

Second command: timestamp

And you don’t need a code signing certificate to timestamp a signed executable. You can take any executable with an embedded signature, and add a new timestamping signature with this signtool.exe timestamp command. Why do I mention this? This will become clear in a next post, where we take a closer look at Microsoft’s sha256 code signing announcement.

A last remark: as mentioned, option /a lets signtool.exe decide which certificate (from the certificate store) to use for the code signing (in case you have more than one code signing certificate). But if you want to explicitly select the code signing certificate to use, you can use option /sha1 with the sha1 fingerprint of the certificate you want to use. Important: /sha1 is a method to select a certificate, it does NOT instruct signtool to use the sha1 algorithm for the signature.

Sunday 22 November 2015

Update: emldump.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 select the whole file except the last 5 bytes.

emldump_V0_0_5.zip (https)
MD5: 5FAEDF1459114306D57FEABEF3CDDEFD
SHA256: B3D08E1768E1211C44680DD502AC096A324FF209330657F4ABC0CD09B888254C

Saturday 21 November 2015

Update: nsrl.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to my nsrl.py program: the CSV output now includes the ApplicationType.

nsrl_V0_0_2.zip (https)
MD5: 816DD5BEF94D289F489399A95824083D
SHA256: 65C4AF8F139651942062EB78D820AD3BE5DBEE2C4331B3105BAE62B220CD4F44

Wednesday 18 November 2015

Maldoc Social Engineering Trick

Filed under: maldoc — Didier Stevens @ 0:00

Xavier has an interesting SANS ISC Diary entry on a malicious Word document we analyzed. The VBA macro code contains a function (func_FormatDocument) for which Xavier has no clear explanation. This function pulls of a social engineering trick. It “decodes” the document by giving the text with a white font color (thus invisible) a black font color, and by removing the headers.

I created my own document to reproduce this trick in this video:

Sunday 15 November 2015

Update: find-file-in-file.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

A very small change to find-file-in-file:

find-file-in-file.py contained containing
0x00000000 0x00000014 (50%) (End of containing file)
Remaining 20 (50%)

When the tool reaches the end of the containing file, a message is printed to signal this: (End of containing file)

And I also added option -r (regular): to handle a ZIP file as a regular file.

find-file-in-file_v0_0_5.zip (https)
MD5: 1463DBAB808BBE40AC7919BC9A77303D
SHA256: C269B1995B61F0EDE24E4E9C64D5DD64E79B5ED6DD2126E94AF52E15D90C427F

Saturday 14 November 2015

Update: cut-bytes.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 8:50

A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 select the whole file except the last 5 bytes.

 cut-bytes_V0_0_2.zip (https)
MD5: B70F851CE74859B38AC3ABA9688593EB
SHA256: 1A0BD64334DA90B21888020B383004A18C3BAEE211D24AA91FF12719F8581AE9

Friday 13 November 2015

Update: emldump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

I’m adding the new -E option to my dump tools, this time it’s emldump’s turn. As announced with version 0.0.20 of oledump, option -E (extra) allows the user to specify which extra info needs to be displayed.

I’ve also made a video for oledump (the -E option is the same across my dump tools):

emldump_V0_0_4.zip (https)
MD5: 79DF66048849439E6034F082606A37A1
SHA256: B4AFDE89B6F3B025595A6FD1ACC5F60498BF900D18E624F134F618115DAC0E08

Next Page »

Blog at WordPress.com.