Didier Stevens

Monday 20 March 2017

That Is Not My Child Process!

Filed under: Forensics,Hacking — Didier Stevens @ 0:00

Years ago I released a tool to create a Windows process with selected parent process: SelectMyParent.

You cannot blindly trust parent-child process relations in Windows: the parent of a process can be different from the process that created that process.

Here I start selectmyparent from cmd.exe to launch notepad.exe with parent explorer.exe (PID 328):

Process Explorer reports explorer.exe as the parent (and not selectmyparent.exe):

Process Monitor also reports explorer.exe as the parent:

If we look in the call stack of the process creation of notepad.exe, we see 2 frames (6 and 7) with unknown modules:

We should see entries in the call stack for explorer.exe if notepad.exe was started by explorer.exe, but we don’t.

The <unknown> module is actually selectmyparent.exe.

0x11b1461 is the address of the instruction after the call to _main in ___tmainCRTStartup in selectmyparent.exe.

0x11b12a8 is the address of the instruction after the call to CreateProcessW in _main in selectmyparent.exe.


System Monitor also reports explorer.exe as the parent:

Finally, Volatility’s pstree command also reports explorer.exe as the parent:
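The call stack is the only one of these views that gives the real creator away. As an added example that is not part of the post and not SelectMyParent's code, the heuristic below walks a Procmon-style stack for a process-creation event and flags it when no user-mode frame belongs to the reported parent or when frames fall in an unresolved module; the frame list is constructed to mirror the stack described above, with only the two 0x11b addresses taken from the post.

```python
# Added example, not code from the post or from SelectMyParent: a heuristic over a
# Process Monitor style call stack captured for a process-creation event. Frames
# are constructed; only the two 0x11b... addresses come from the post.
from dataclasses import dataclass
from typing import List

@dataclass
class Frame:
    mode: str       # "K" kernel frame, "U" user-mode frame (Procmon's Frame column)
    module: str     # "<unknown>" when Procmon cannot resolve the owning module
    address: int

@dataclass
class ProcessCreate:
    image: str              # the created process, e.g. notepad.exe
    reported_parent: str    # parent as shown by Process Explorer, Sysmon or pstree
    stack: List[Frame]

def spoofed_parent_indicators(ev: ProcessCreate) -> List[str]:
    """Return reasons why the reported parent is not the process that called
    CreateProcess: no user-mode frame belongs to the parent image, or frames
    sit in a module the tracer could not resolve."""
    reasons = []
    user_frames = [f for f in ev.stack if f.mode == "U"]
    parent = ev.reported_parent.lower()
    if not any(f.module.lower() == parent for f in user_frames):
        reasons.append(f"no user-mode frame from reported parent {ev.reported_parent}")
    for f in user_frames:
        if f.module == "<unknown>":
            reasons.append(f"frame in unresolved module at {f.address:#x}")
    return reasons

COMMON = [Frame("K", "ntoskrnl.exe", 0x82A4F1C0), Frame("U", "ntdll.dll", 0x77B3F8D4),
          Frame("U", "KernelBase.dll", 0x75C1E2A0), Frame("U", "kernel32.dll", 0x76A2D5B8)]

# Mirrors the post: the two outermost frames are attributed to <unknown>.
SPOOFED = ProcessCreate("notepad.exe", "explorer.exe", COMMON + [
    Frame("U", "<unknown>", 0x11B12A8),   # return address after CreateProcessW in _main
    Frame("U", "<unknown>", 0x11B1461),   # return address after _main in ___tmainCRTStartup
])

# A genuine launch from Explorer: the stack ends in explorer.exe's own code.
GENUINE = ProcessCreate("notepad.exe", "explorer.exe", COMMON + [
    Frame("U", "shell32.dll", 0x7629C3F0), Frame("U", "explorer.exe", 0x00FD2A1C),
])

if __name__ == "__main__":
    for name, ev in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, spoofed_parent_indicators(ev) or ["consistent with reported parent"])
```

An unresolved frame can also come from a packed module or missing symbols, so treat a hit as a lead to pivot on rather than proof.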

Tuesday 7 March 2017

Update: oledump.py Version 0.0.27

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds some extra features for YARA rule scanning.

oledump.py declares 2 external variables that can be used in your YARA rules.

External variable streamname is a string with the stream name, as printed in oledump’s report.

External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump scanned only the raw stream content with YARA; this new version also decompresses all streams containing VBA macros, concatenates the decompressed source, and scans that as well once all individual streams have been scanned.

Example of a rule using external variable VBA:

rule VBA_Autorun
{
    strings:
        $a = "AutoExec" nocase fullword
        $b = "AutoOpen" nocase fullword
        $c = "DocumentOpen" nocase fullword
        $d = "AutoExit" nocase fullword
        $e = "AutoClose" nocase fullword
        $f = "Document_Close" nocase fullword
        $g = "DocumentBeforeClose" nocase fullword
        $h = "Document_Open" nocase fullword
        $i = "Document_BeforeClose" nocase fullword
        $j = "Auto_Open" nocase fullword
        $k = "Workbook_Open" nocase fullword
        $l = "Workbook_Activate" nocase fullword
        $m = "Auto_Close" nocase fullword
        $n = "Workbook_Close" nocase fullword
    condition:
        VBA and any of ($*)
}

The condition of this rule is true when external variable VBA is true and when at least one of the strings is found:


This rule is included in a new set of YARA rules I included with oledump.py: vba.yara.

I made a video to illustrate this:

And there is also a new plugin: plugin_str_sub. It tries to de-obfuscate strings with padded characters:

oledump_V0_0_27.zip (https)
MD5: A6C6728E20AE46A4FECC5F3976AF33BF
SHA256: 54FE550D5102A0E9428F6BD9B5170B50797EDA2076601634519CDBB574004A3C

Monday 6 March 2017

Update: cut-bytes.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

I just updated the manual for this version to explain here documents.

cut-bytes_V0_0_5.zip (https)
MD5: B20B9758D50C846CD0E0AEB9E0B15101
SHA256: B12D1E1C510ED4CC820C5D2F62897DF71E567B0D3B23AC36653236D30104157F

Sunday 5 March 2017

New Tool: sets.py

Filed under: My Software — Didier Stevens @ 0:00

It’s a tool I started years ago, and I’m releasing it now.

sets.py allows you to perform operations on sets: union, intersection, subtraction and exclusive or. A set is a list of lines in a file, or a stream of bytes in a file.

I demo the tool in this video:

sets_V0_0_1.zip (https)
MD5: DF0AE1EF67B4BA04750A39EF7FAEE09C
SHA256: A5FF61610AD67CA0638E53A10DD083612C2F5BF42218DD2393AFD20035E89B9F

Update: re-search.py Version 0.0.3

Filed under: My Software,Update — Didier Stevens @ 0:00

A very small update to re-search.py: I added a regular expression for strings to the library:


re-search_V0_0_3.zip (https)
MD5: 6C4F59C4BA5DAC1D16D3E09D1E333FD0
SHA256: BFB019F1350F7D63FB3704322F62894A4B17D8EE03CC186156F2A97045E47F58

Saturday 4 March 2017

Overview of Content Published In February

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in February:

Blog posts:

SANS ISC Diary entries:

NVISO Labs blog posts:

Friday 3 March 2017

Practice ntds.dit File Part 9: Extracting Password History Hashes

Filed under: Encryption — Didier Stevens @ 0:00

I released a tool to analyze password history.

To extract password history from ntds.dit with ntdsxtract/dsusers.py, use option --passwordhistory.

To extract password history from ntds.dit with secretsdump.py, use option -history.

