Didier Stevens

Monday 28 November 2016

Update: pdf-parser Version 0.6.6

Filed under: Uncategorized — Didier Stevens @ 0:00

This new version of pdf-parser is a bugfix for /FLATEDECODE.

pdf-parser_V0_6_6.zip (https)
MD5: 47326468E1B5A1AF7BB8AD63688804D9
SHA256: 51C9B25B939B135D9949E51463F58ECEC0BEBEFB9C0EAA0B93326CBFB4D8F061

Sunday 27 November 2016

Update: xor-kpa.py Version 0.0.4

Filed under: Encryption,My Software,Update — Didier Stevens @ 0:00

This new version of xor-kpa adds the option -x to encode/decode, and also prints the hexadecimal value of the found keys.

xor-kpa_V0_0_4.zip (https)
MD5: FCE75B6125104D8AFC56A67B65FF75C0
SHA256: 3DCCA479D4C8CAC9B248B24F799184A69D0F10403593CB002248DD35CCE60FD4

Tuesday 22 November 2016

Simple Ciphers: cipher-tool.py

Filed under: Encryption,My Software — Didier Stevens @ 0:00

When I left my last position, my friends and colleagues with whom I’ve worked for years gave me a little challenge: a PDF with a hidden ciphertext. At first I had to use Excel to decipher the ciphertext, but later I wrote a small Python tool to help me.

The simple ciphers supported by this tool are XOR, ROT, Vigenère and subtract (I added that last one because it was used in a maldoc). You can use the man page (option -m) to learn more.

cipher-tool_V0_0_1.zip (https)
MD5: B7D44090A76F66D7194D0A0D890E2CEB
SHA256: 1E8E1F112595FC08C3C20A06D172C21DDE6375EC8651A8DE6EF57B938F3E67E8

Monday 21 November 2016

Update: base64dump.py Version 0.0.5

Filed under: My Software,Uncategorized — Didier Stevens @ 0:00

This new version supports different encodings besides base64 (but the name remains base64dump).

The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).

Here’s an example with escaped unicode in JavaScript (%u), namely a PDF with shellcode in JavaScript:


The shellcode, escaped with %u, can be extracted with base64dump:



There’s also a new option to do a string dump: -S


And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.

base64dump_V0_0_5.zip (https)
MD5: 7AACFD3E34FEAAF41897F60FBC5279A3
SHA256: B4AB7B3A9D2947F08C6CC94F88CD825C9B2B63EE65AF7475E66BE9565EC4337A

Sunday 20 November 2016

Update: zipdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.

zipdump_v0_0_4.zip (https)
MD5: 64EE6575309654B6671554D0A4DA50E5
SHA256: C323C0580E95F87406A72A542A7FBF5DE39EBEF7CAFC970A7C428CA1E870F9CF

Saturday 19 November 2016

Update: byte_stats.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.

byte-stats_V0_0_4.zip (https)
MD5: B53CE5444618DCA78C46C7F72E356D8D
SHA256: 81EFED375FF666BFFDDB82D094ECE17074182F5016FE3BFA4D1CA33DE838754C

Friday 18 November 2016

Update: shellcode2vba.py Version 0.5

Filed under: My Software,Shellcode,Update — Didier Stevens @ 0:00

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:

Option –suffix allows you to instruct the program to add a suffix to the VBA function names.

shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A

Thursday 17 November 2016

Quickpost: Zone.Identifier

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.

notepad install.exe:Zone.Identifier



Zone IDs: here.

Quickpost info

Monday 14 November 2016

Overview of Content Published In October

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in October:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Filed under: maldoc,Malware — Didier Stevens @ 0:00

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

This maldoc uses VBA macros (no surprise) to execute its payload.


The encoded shellcode is a property in stream 17:


I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit shellcode):


The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.

The payload is an PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64 with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:


This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.

This exe tries to download a payload from 3 URLs:


Blog at WordPress.com.