Years ago I released a tool to create a Windows process with selected parent process: SelectMyParent.
You cannot blindly trust parent-child process relations in Windows: the parent of a process can be different from the process that created that process.
Here I start selectmyparent from cmd.exe to launch notepad.exe with parent explorer.exe (PID 328):
Process Explorer reports explorer.exe as the parent (and not selectmyparent.exe):
Process Monitor also reports explorer.exe as the parent:
If we look in the call stack of the process creation of notepad.exe, we see 2 frames (6 and 7) with unknown modules:
We should see entries in the call stack for explorer.exe if notepad.exe was started by explorer.exe, but we don’t.
The <unknown> module is actually selectmyparent.exe.
0x11b1461 is the address of the instruction after the call to _main in ___tmainCRTStartup in selectmyparent.exe.
0x11b12a8 is the address of the instruction after the call to CreateProcessW in _main in selectmyparent.exe.
System Monitor also reports explorer.exe as the parent:
Finally, Volatility’s pstree command also reports explorer.exe as the parent:
This new version of oledump.py adds some extra features for YARA rule scanning.
oledump.py declares 2 external variables that can be used in your YARA rules.
External variable streamname is a string with the stream name, as printed in oledump’s report.
External variable VBA is a boolean that is set to true when the data to scan is VBA source code. Previous versions of oledump would scan the raw stream content with YARA, but this new version also decompresses all streams with VBA macros, and concatenates them together to scan them after all streams have been scanned.
Example of a rule using external variable VBA:
rule VBA_Autorun // rule name assumed
{
    strings:
        $a = "AutoExec" nocase fullword
        $b = "AutoOpen" nocase fullword
        $c = "DocumentOpen" nocase fullword
        $d = "AutoExit" nocase fullword
        $e = "AutoClose" nocase fullword
        $f = "Document_Close" nocase fullword
        $g = "DocumentBeforeClose" nocase fullword
        $h = "Document_Open" nocase fullword
        $i = "Document_BeforeClose" nocase fullword
        $j = "Auto_Open" nocase fullword
        $k = "Workbook_Open" nocase fullword
        $l = "Workbook_Activate" nocase fullword
        $m = "Auto_Close" nocase fullword
        $n = "Workbook_Close" nocase fullword
    condition:
        VBA and any of ($*)
}
The condition of this rule is true when external variable VBA is true and when at least one of the strings is found:
This rule is included in a new set of YARA rules I included with oledump.py: vba.yara.
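The two scan passes and the VBA guard described above can be modelled in plain Python. This is an added example, not code from oledump.py or vba.yara: it uses neither YARA nor oledump, and the tuple layout, the function names and the sample streams are assumptions constructed for illustration.

```python
import re

# Keyword strings taken from the rule on this page.
AUTORUN = ["AutoExec", "AutoOpen", "DocumentOpen", "AutoExit", "AutoClose",
           "Document_Close", "DocumentBeforeClose", "Document_Open",
           "Document_BeforeClose", "Auto_Open", "Workbook_Open",
           "Workbook_Activate", "Auto_Close", "Workbook_Close"]

# "nocase fullword": case-insensitive, delimited by non-alphanumeric bytes
# (an underscore is a delimiter, so \b would be wrong here).
PATTERN = re.compile(
    rb"(?<![0-9A-Za-z])(" + b"|".join(re.escape(k.encode()) for k in AUTORUN)
    + rb")(?![0-9A-Za-z])", re.IGNORECASE)

def rule_matches(data, vba):
    """Model of the condition 'VBA and any of ($*)': sorted keywords hit."""
    if not vba:                      # raw stream bytes: the rule cannot fire
        return []
    return sorted({m.group(1).decode().lower() for m in PATTERN.finditer(data)})

def scan(streams):
    """streams: (streamname, raw_bytes, vba_source_or_None) tuples (assumed shape).
    Pass 1 scans each raw stream with VBA false; pass 2 scans the
    concatenated decompressed VBA source with VBA true."""
    report = [(name, rule_matches(raw, vba=False)) for name, raw, _ in streams]
    all_vba = b"\n".join(src for _, _, src in streams if src is not None)
    report.append(("<all VBA source>", rule_matches(all_vba, vba=True)))
    return report

# Constructed sample document: stream names and contents are made up.
SAMPLE = [
    ("WordDocument", b"Body text that merely mentions AutoOpen macros.", None),
    ("Macros/VBA/ThisDocument", b"\x01\x9b\xb0\x00Attribut\x00e VB_Nam",
     b"Private Sub Document_Open()\r\n    MyAutoOpenHelper\r\nEnd Sub\r\n"),
    ("Macros/VBA/Module1", b"\x01\x3c\xb0\x00Attribut\x00e VB_Nam",
     b"Sub autoopen()\r\n    MsgBox 1\r\nEnd Sub\r\n"),
]

if __name__ == "__main__":
    for name, hits in scan(SAMPLE):
        print(f"{name:26} {hits}")
```

The document body that only mentions AutoOpen produces no hit because VBA is false for raw streams, and MyAutoOpenHelper is rejected by the fullword delimiters.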
I made a video to illustrate this:
And there is also a new plugin: plugin_str_sub. It tries to de-obfuscate strings with padded characters:
I just updated the manual of this version, to explain here documents.
It’s a tool I started years ago, and I’m releasing it now.
sets.py allows you to perform operations on sets: union, intersection, subtraction and exclusive or. A set is a list of lines in a file, or a stream of bytes in a file.
I demo the tool in this video:
A very small update to re-search.py: I added a regular expression for strings to the library:
Here is an overview of content I published in February:
SANS ISC Diary entries:
NVISO Labs blog posts:
I released a tool to analyze password history.
To extract password history from ntds.dit with ntdsxtract/dsusers.py, use option --passwordhistory.
To extract password history from ntds.dit with secretsdump.py, use option -history.