Didier Stevens

Tuesday 17 July 2018

!exploitable Crash Analyzer – Statically Linked CRT

Filed under: Reverse Engineering — Didier Stevens @ 0:00

Regularly when I use Microsoft MSEC’s !exploitable WinDbg extension, it doesn’t load because the required VC runtime (vcredist 2012) is not installed on the machine I’m debugging on.

Since it’s open-source, I decided to recompile it with a statically linked C runtime, making it independent of the installed runtime(s). I used Visual Studio 2017 and let it do the default upgrade of the Visual Studio 2012 solution (the default upgrade means Windows XP is no longer supported). The only change I made was selecting option /MT, which links the runtime statically into the DLL.

To load the extension, type command “.load” with the full path to the DLL.
Or you can copy the DLL into a folder of the “extension dll search path”. You can view this search path with command “.chain” or “.extpath”:

Then you can just type “.load msec” to load the extension. If you use folders like x86\winext and x64\winext, you can copy the respective x86 and x64 versions without having to rename the DLL.

You can also load the extension and execute the command with one line (!msec.exploitable), like this:

One downside of statically linking the C runtime is that I will have to recompile the DLLs if the C runtime gets patched to fix a vulnerability.

You can download the recompiled plugins here:
MSECWinDbgExtensions.zip (https)
MD5: 090D9E4BE43B7272AA54673C366695E3
SHA256: 39AB11FDF9F80608235CE26833F57A850DD2C36C513EB92C97E28714BA0076FA

Wednesday 11 July 2018

New Tool: file-magic.py

Filed under: Announcement,My Software — Didier Stevens @ 0:00

I find the *nix tool file very useful. There’s no equivalent on Windows, which is why I use a Windows port of this tool.

But it has some limitations, the most annoying to me being the lack of support for stdin. This prevents me from using it in a chain of commands.

That’s the main reason I developed file-magic.py, a Python tool that is essentially a wrapper for the Python magic module.

On Windows and OSX, install module python-magic-bin with pip (this also installs the libmagic binaries), while on Linux install module python-magic.

Here is an example showing how output from base64dump is piped into file-magic:

And here is an example with the --jsonoutput option I mentioned before:

You can also add your own definitions to the file file-magic.def.

For example, I added a definition for VBE/JSE files (encoded .vbs/.js scripts).

file-magic_V0_0_2.zip (https)
MD5: EAE684E74731FF493D5EC5D243EB16B6
SHA256: 9B0E7B47CAED8F5627DEFCE19B737554BBF998EF380187D6DE4FC1C9572EC9ED

Tuesday 10 July 2018

Quickpost: Compiling DLLs with MinGW on Kali

Filed under: Quickpost — Didier Stevens @ 0:00

To compile the DLLs from this quickpost with MinGW on Kali, you first have to install MinGW.

Issue this command: apt install mingw-w64

Compile for 64-bit: x86_64-w64-mingw32-gcc -shared -o DemoDll.dll DemoDll.cpp

Compile for 32-bit: i686-w64-mingw32-gcc -shared -o DemoDll-x86.dll DemoDll.cpp

Option -shared is required to produce a DLL instead of an EXE.

Quickpost info


Monday 9 July 2018


Filed under: My Software — Didier Stevens @ 0:00

My oledump.py and zipdump.py tools have a new option: --jsonoutput. With this option, my tools will output JSON data to stdout. For oledump, the JSON data will contain the content of all the streams found inside the analyzed OLE file, and for zipdump, the content of all the files found inside the analyzed ZIP file.

This is meant to be piped into a new tool I will release soon.

Let’s take a small ZIP file with 2 small files (a binary file and a text file) as an example. Here is the content displayed with zipdump:

With zipdump’s option --jsonoutput, we output JSON data with the content of these 2 files encoded in BASE64:

Here is the same data pretty-printed:

This can now be piped into other tools that support this JSON data format.
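As an added example (not Didier’s code; the JSON field names are an assumption, not taken from zipdump.py), this Python script builds a small ZIP with a binary file and a text file in memory, emits zipdump-style --jsonoutput with the contents in BASE64, and then consumes that JSON the way file-magic.py would, matching a custom VBE/JSE definition like the one described in the file-magic.py post above. The definition syntax and the text heuristic standing in for python-magic are also assumptions.

```python
import base64, io, json, zipfile

# Constructed sample input: a ZIP holding one encoded-script (binary) file and
# one text file, built in memory so the example runs offline.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("script.vbe", b"#@~^AQAAAA==constructed-encoded-body^#~@")
        z.writestr("readme.txt", b"plain text file\n")
    return buf.getvalue()

# Producer side: JSON in the shape assumed for zipdump --jsonoutput (version,
# type, fields, items; field names are an assumption, not the tool's own),
# with each file's content BASE64-encoded.
def zip_to_json(zipdata: bytes) -> str:
    with zipfile.ZipFile(io.BytesIO(zipdata)) as z:
        items = [{"id": i + 1, "name": info.filename,
                  "content": base64.b64encode(z.read(info)).decode("ascii")}
                 for i, info in enumerate(z.infolist())]
    return json.dumps({"version": 2, "type": "content",
                       "fields": ["id", "name", "content"], "items": items})

# Custom definitions like those one would add to file-magic.def (syntax
# assumed): (offset, signature, description). "#@~^" is the header the
# Windows Script Encoder writes at the start of VBE/JSE files.
DEFINITIONS = [
    (0, b"#@~^", "Windows Script Encoder encoded script (VBE/JSE)"),
    (0, b"PK\x03\x04", "Zip archive data"),
]

def identify(data: bytes) -> str:
    for offset, signature, description in DEFINITIONS:
        if data[offset:offset + len(signature)] == signature:
            return description
    # Stand-in for the python-magic call file-magic.py makes: a text heuristic
    try:
        data.decode("ascii")
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"

# Consumer side: decode each item of the piped JSON and identify its type.
def identify_json_items(jsondata: str) -> list:
    doc = json.loads(jsondata)
    return [(item["name"], identify(base64.b64decode(item["content"])))
            for item in doc["items"]]

if __name__ == "__main__":
    for name, description in identify_json_items(zip_to_json(build_sample_zip())):
        print(f"{name}: {description}")
```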


Sunday 8 July 2018

Update: oledump.py Version 0.0.36

Filed under: My Software,Update — Didier Stevens @ 0:00

I was a bit too quick with my release for --jsonoutput; I made some more changes in version 0.0.36.

oledump_V0_0_36.zip (https)
MD5: D8C9FBFD1AA2238D6EB3CA164EE91A65
SHA256: BE609FD0D976984A8856939B76D7DF54AB5ED4934F58F7AD47E4D6E42CDFCCBF

Update: zipdump.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 0:00

I was a bit too quick with my release for --jsonoutput; I made some more changes in version 0.0.14.

zipdump_v0_0_14.zip (https)
MD5: FB7D1A9F90E8453DF7F3154EC52AF4E7
SHA256: ADFF99677DB512A27EBDEBBAC77FA08FFF8B180EF620CB6F9725C06511FC38BF

Saturday 7 July 2018

Update: zipdump.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 0:00

This update introduces option -j (--jsonoutput) to zipdump.py. I will soon explain how to use this option together with a new tool I will release.

zipdump_v0_0_13.zip (https)
MD5: 264D32D0DC863FC29FED161D4A73560F
SHA256: 14D11D5244973A484E5754F20747D4B544C228AC951C885FE8B9FC6D26C86088

Tuesday 3 July 2018

Update: oledump.py Version 0.0.35

Filed under: My Software,Update — Didier Stevens @ 0:00

This update brings some changes to option -j (--jsonoutput), an option introduced with version 0.0.33. I will soon explain how to use this option together with a new tool I will release.

oledump_V0_0_35.zip (https)
MD5: 2089AFC496FFE2E44F67CF9C44EB101B
SHA256: C232282BD8AE050EECA1455E6A58EAB8D5CBBDF0D61E9FE2077CDA3DEB15D325

Monday 2 July 2018

Overview of Content Published in June

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in June:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Sunday 1 July 2018

Update: re-search.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 13:28

This new version of re-search.py comes with a new option: -e. This option instructs re-search to read its input as a binary file and extract strings from it, to be matched with the chosen regular expression. This allows, for example, the processing of UNICODE strings.
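As an added example (not re-search.py’s own code), this Python script shows what the -e behaviour amounts to: strings are first extracted from binary input, both printable ASCII runs and UTF-16LE runs (the usual form of UNICODE strings in Windows binaries), and the regular expression is then applied to each extracted string rather than to the raw bytes. The minimum string length and the sample bytes are constructed assumptions.

```python
import re
from typing import Iterator, List

# Minimum run length for an extracted string (an assumption; re-search's own
# threshold is not stated in the post).
MIN_LENGTH = 4

def extract_strings(data: bytes, min_length: int = MIN_LENGTH) -> Iterator[str]:
    # Runs of printable ASCII bytes
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_length, data):
        yield m.group().decode("ascii")
    # Runs of UTF-16LE characters in the ASCII range (printable byte, NUL byte)
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_length, data):
        yield m.group().decode("utf-16-le")

def search_binary(data: bytes, pattern: str) -> List[str]:
    # Mirrors re-search.py -e: extract strings first, then apply the regex
    regex = re.compile(pattern)
    return [m.group() for s in extract_strings(data) for m in regex.finditer(s)]

# Constructed sample: junk bytes, a UTF-16LE URL and an ASCII e-mail address
SAMPLE = (b"\x00\x01MZ\x90\x00"
          + "http://example.com/update".encode("utf-16-le")
          + b"\xff\xfe"
          + b"SomeAsciiText user@example.com\x00")

if __name__ == "__main__":
    # The UNICODE URL is found even though it never appears as plain ASCII bytes
    print(search_binary(SAMPLE, r"https?://\S+"))
    print(search_binary(SAMPLE, r"[\w.]+@[\w.]+"))
```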

re-search_V0_0_11.zip (https)
MD5: 72F160A83E214351162704EB4B94EB9E
SHA256: 624E2864738008F6A63CC4E3F7B5FCB3738389DBC7E6EF29BC8C2F749ABAD9DE
