This new version of pdf-parser is a bugfix for /FLATEDECODE.
pdf-parser_V0_6_6.zip (https)
MD5: 47326468E1B5A1AF7BB8AD63688804D9
SHA256: 51C9B25B939B135D9949E51463F58ECEC0BEBEFB9C0EAA0B93326CBFB4D8F061
Monday 28 November 2016
Update: pdf-parser Version 0.6.6
Sunday 27 November 2016
Update: xor-kpa.py Version 0.0.4
This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.
xor-kpa_V0_0_4.zip (https)
MD5: FCE75B6125104D8AFC56A67B65FF75C0
SHA256: 3DCCA479D4C8CAC9B248B24F799184A69D0F10403593CB002248DD35CCE60FD4
Tuesday 22 November 2016
Simple Ciphers: cipher-tool.py
When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.
The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.
cipher-tool_V0_0_1.zip (https)
MD5: B7D44090A76F66D7194D0A0D890E2CEB
SHA256: 1E8E1F112595FC08C3C20A06D172C21DDE6375EC8651A8DE6EF57B938F3E67E8
Monday 21 November 2016
Update: base64dump.py Version 0.0.5
This new version supports different encodings besides base64 (but the name remains base64dump).
The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).
Here’s an example with escaped unicode in JavaScript (%u), namely a PDF with shellcode in JavaScript:
The shellcode, escaped with %u, can be extracted with base64dump:
There’s also a new option to do a string dump: -S
And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.
base64dump_V0_0_5.zip (https)
MD5: 7AACFD3E34FEAAF41897F60FBC5279A3
SHA256: B4AB7B3A9D2947F08C6CC94F88CD825C9B2B63EE65AF7475E66BE9565EC4337A
Sunday 20 November 2016
Update: zipdump.py Version 0.0.4
A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.
zipdump_v0_0_4.zip (https)
MD5: 64EE6575309654B6671554D0A4DA50E5
SHA256: C323C0580E95F87406A72A542A7FBF5DE39EBEF7CAFC970A7C428CA1E870F9CF
Saturday 19 November 2016
Update: byte_stats.py Version 0.0.4
A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.
byte-stats_V0_0_4.zip (https)
MD5: B53CE5444618DCA78C46C7F72E356D8D
SHA256: 81EFED375FF666BFFDDB82D094ECE17074182F5016FE3BFA4D1CA33DE838754C
Friday 18 November 2016
Update: shellcode2vba.py Version 0.5
shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:
Option –suffix allows you to instruct the program to add a suffix to the VBA function names.
shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A
Thursday 17 November 2016
Quickpost: Zone.Identifier
Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.
notepad install.exe:Zone.Identifier
Text:
[ZoneTransfer]
ZoneId=3
Zone IDs: here.
Monday 14 November 2016
Overview of Content Published In October
Here is an overview of content I published in October:
Blog posts:
- rtfdump Videos
- Analyzing Office Maldocs With Decoder.xls
- Update: oledump.py Version 0.0.25
- Update: cut-bytes.py Version 0.0.4
- Update: virustotal-search.py Version 0.1.4
YouTube videos:
Videoblog posts:
- rtfdump: intro
- rtfdump: MS12-027 Maldoc
- rtfdump: MS10-087 Maldoc
- CreateCertGUI
- oledump xor kpa
- ntds.dit: Mimikatz Golden Ticket & DCSync
- Visual Studio 2013 & OpenSSL
- Visual Studio 2013 & MFC
- Maldoc: numbers-to-string.py
- Training: Attacking with Excel
- Malware: Process Explorer & Procmon
- Malware: FakeNet-NG
- Maldoc VBA: .pub File
- Maldoc VBA: decoder.xls
- Maldoc VBA: Shellcode
- Maldoc VBA: Decoding With Excel
SANS ISC Diary entries:
Wednesday 2 November 2016
Maldoc With Process Hollowing Shellcode
Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.
This maldoc uses VBA macros (no surprise) to execute its payload.
The encoded shellcode is a property in stream 17:
I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit shellcode):
The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.
The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.
The payload is an PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64 with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:
This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.
This exe tries to download a payload from 3 URLs:
Didier Stevens 