Didier Stevens

Tuesday 29 December 2015

SHA256 Code Signing and Microsoft

Filed under: Encryption — Didier Stevens @ 10:28

In a couple of days Windows will no longer trust sha-1 code-signing. It happened in the past that Microsoft announced changes to AuthentiCode, and then did not follow though, but it looks like this one is going to happen.

First of all, the loss of trust will not happen for all executables with a sha-1 signature. It will only happen with executables with a “Mark of the Web” attribute and without a timestamp or a timestamp after 1/1/2016.

A “Mark of the Web” attribute means that the executable is flagged as downloaded from an untrusted source (the Internet), like this one:


This is done with an Alternate Data Stream (ADS) named Zone.Identifier and with content like this:


If you develop executables that will be downloaded and you sign with a sha-1 certificate, check that you also include a timestamp. As I explained in my blogpost, you can add a missing timestamp after signing. You don’t even need a code signing certificate to add a timestamp.

Monday 28 December 2015

Maldoc GET Range

Filed under: maldoc,Malware — Didier Stevens @ 13:06

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn’t seen done before in VBS.

This maldoc drops a VBS script, that proceeds to download an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is the image:


Look at the obfuscated code:


Notice SetRequestHeader: This code is using HTTP and is adding something to the headers. Here is the deobfuscated code:


This code is downloading a picture (wp.jpg), but not the complete picture. It sets a header (Range: bytes=28141-) to download only the XOR-encoded PE file hidden in the JPEG image.


Tuesday 22 December 2015

MIME File With “Header”

Filed under: maldoc,My Software — Didier Stevens @ 0:00

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

Malicious MS Office documents are also distributed as MIME files. A blog reader asked for help with a MIME file that gave him problems: f67aa5a3ede3d31c5a68494c0678e2ee.

Accoring to emldump.py, the file is just text (not a multipart file):


But if you look at the file, you’ll notice a line preceding the MIME-Version line:


You can instruct emldump to skip this line with option -H:


Now emldump is able to analyze the multipart MIME file, and detect the MSO file (part 3). oledump can analyze MSO files:


Monday 21 December 2015

Update: oledump.py Version 0.0.22

Filed under: maldoc,My Software,Update — Didier Stevens @ 16:27

Some changes when you use the –raw option. Now plugins can also be used when the VBA code is corrupted.

oledump_V0_0_22.zip (https)
MD5: CA91850BBC92E82D705F707704000F82
SHA256: 16763BCF15BFB3301FFAE0BDA26F18EE2946EDD7478994B798127DBBEF5FF9E7

Monday 14 December 2015

BruCON Spring Training 2016: Analysing Malicious Documents

Filed under: Announcement — Didier Stevens @ 0:00

I teach a class on analyzing malicious documents at BruCON Spring Training 2016.

First day covers PDF, second day covers MS Office documents. When you attend, you also get my PDF and MS Office workshop videos.

Early bird registration till the end of the year.

Sunday 13 December 2015

Windows Backup Privilege: CMD.EXE

Filed under: Forensics,My Software — Didier Stevens @ 0:00

You probably encountered the situation where you could not access a file, even as an administrator. For example hiberfil.sys.

There is a way in Windows to read any file regardless of DACLs: the backup privilege.

I updated ReactOS’ cmd.exe shell to use the backup privilege.

I added a new command: privilege. This command enables the backup privilege. To be able to enable a privilege, you need to have the privilege: you have the backup privilege if you’re an administrator and elevate the process (cmd.exe).

And I updated the copy and type command to make use of the enabled backup privilege.

Finally, there’s yet another new command: info. This command gives the MAC timestamps, file attributes and SDDL of the given file/folder.

cmd-dll_v0_0_4.zip (https)
MD5: D9D75A10F2C328B708303F9BD24B9AD3
SHA256: 952CFB833D4F22093D7DF837372239A1199C1738FFFFED76124AF8668F4D3877

Friday 11 December 2015

Overview of Content Published In November

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Blog at WordPress.com.