Didier Stevens

Tuesday 28 August 2018

Quickpost: Compiling DLLs with MinGW on Windows

Filed under: Quickpost — Didier Stevens @ 0:00

MinGW is not only available on Kali, of course, but also on Windows. Compiling a DLL is very similar.

MinGW is installed in folder C:\msys64 on my machine.

To compile 64-bit executables, you need to start the 64-bit shell first: launch C:\msys64\mingw64.exe

Then you can compile the DLL:

gcc -shared -o DemoDll-x64.dll DemoDll.cpp

For 32-bit executables, it’s the 32-bit shell: launch C:\msys64\mingw32.exe

Then you can compile the DLL:

gcc -shared -o DemoDll-x86.dll DemoDll.cpp

It’s also possible to start the shell and compile from a BAT file:

call C:\msys64\msys2_shell.cmd -mingw64 -here -c "gcc -shared -o DemoDll-x64.dll DemoDll.cpp"
call C:\msys64\msys2_shell.cmd -mingw32 -here -c "gcc -shared -o DemoDll-x86.dll DemoDll.cpp"
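As an added check (not code from the original post), here is a small Python script that reads the COFF file header of a compiled DLL and reports whether it targets x86 or x64. It is useful after the two builds above, because a DLL compiled from the wrong MinGW shell will not load into a process of the other bitness. The make_stub() helper only builds a constructed header so the parser can be exercised without a real DLL.

```python
import struct

# IMAGE_FILE_HEADER.Machine values and the DLL characteristics flag (PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def pe_machine(data):
    """Return (machine, is_dll) taken from the COFF file header of a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return machine, bool(characteristics & IMAGE_FILE_DLL)


def describe(data):
    """Human-readable summary such as 'x64 DLL' or 'x86 EXE'."""
    machine, is_dll = pe_machine(data)
    name = MACHINE_NAMES.get(machine, "0x%04X" % machine)
    return "%s %s" % (name, "DLL" if is_dll else "EXE")


def check_file(path, expected_machine):
    """True if the PE file at path targets the expected architecture."""
    with open(path, "rb") as f:
        return pe_machine(f.read(0x1000))[0] == expected_machine  # headers sit in the first page


def make_stub(machine, is_dll=True):
    """Constructed minimal MZ+PE header (not a loadable image) for offline testing."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # 0x0002 = EXECUTABLE_IMAGE
    file_header = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, characteristics)
    return dos_header + b"PE\0\0" + file_header


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:  # e.g. DemoDll-x64.dll DemoDll-x86.dll
        with open(name, "rb") as f:
            print(name, describe(f.read(0x1000)))
```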

 

Quickpost info


Saturday 25 August 2018

Update: numbers-to-string.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 16:34

This new version of numbers-to-string.py has a new option: -S (--statistics).

Statistics can help identify malicious scripts (text files in general) that contain numbers:
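As an added illustration (not code from numbers-to-string.py), here is a Python script that computes a few statistics per line for the numbers found in a text file; the metrics are my own choice of what is useful for spotting character codes, not the tool's own output. The sample script it runs on is constructed.

```python
import re
from collections import Counter

NUMBER_RE = re.compile(r"\b\d+\b")

# Constructed sample: one line hides a string as character codes, the others are ordinary code
SAMPLE_SCRIPT = """\
For i = 1 To 10
  a = Array(112, 111, 119, 101, 114, 115, 104, 101, 108, 108)
  b = Array(0, 255, 128, 64, 32, 16)
Next
"""


def line_statistics(line):
    """Statistics for the integers on one line, or None if the line has no numbers."""
    nums = [int(n) for n in NUMBER_RE.findall(line)]
    if not nums:
        return None
    printable = sum(32 <= n <= 126 for n in nums)
    stats = {
        "count": len(nums),
        "unique": len(set(nums)),
        "min": min(nums),
        "max": max(nums),
        "printable_ratio": printable / len(nums),
        "most_common": Counter(nums).most_common(1)[0][0],
    }
    # Decode only when every number is a printable ASCII code: a strong hint of an encoded string
    stats["decoded"] = "".join(map(chr, nums)) if printable == len(nums) else None
    return stats


def statistics(text):
    """Return {line number: statistics} for every line that contains numbers."""
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stats = line_statistics(line)
        if stats:
            result[lineno] = stats
    return result


if __name__ == "__main__":
    for lineno, stats in sorted(statistics(SAMPLE_SCRIPT).items()):
        print(lineno, stats)
```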

numbers-to-string_v0_0_5.zip (https)
MD5: 02119AFAC1942A3C97B8E554C03B2DB6
SHA256: 36A5C346063C93B45C50ACF82C317379496A815F166E25F969168DDAB561F92D

Monday 20 August 2018

Obtaining Malware Samples for Analysis

Filed under: Announcement,Malware — Didier Stevens @ 0:00

In my malware analysis blog posts and videos, I always try to include the hash or VirusTotal link of the sample(s) I analyze. If I don’t, it means I’m not at liberty to share the hash.

For every video that I post on YouTube, I create a corresponding video blog post (https://videos.DidierStevens.com) with more info like the sample’s hash and a link to VirusTotal.

In the description of the YouTube video, you will find a link to the video blog post.

Example:

I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find other hashes like sha256 in that report.

Regarding MD5: I don’t worry about hash collisions for malware samples. Actually, if there is an MD5 hash collision, VirusTotal will inform me, and that would make my day 🙂 .

Don’t ask me for the malware samples I analyze, I don’t host or send these malware samples. If you or your organization have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal.

If you don’t, there are several free repositories online (sometimes they require free registration). Lenny Zeltser has a list of repositories.


Saturday 18 August 2018

Quickpost: Revisiting JA3

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

A year ago I tried out JA3. Time for a new test.

This new version no longer crashes on some packets; it's more stable. However, there's a bug when producing JSON output, which is easy to fix.

The JA3 Python program no longer matches TLS fingerprints: it produces a list of data (including the fingerprint) for each Client Hello packet.

Running this new version on the same pcap file as a year ago (and extracting the fingerprints) yields exactly the same result: 445 unique fingerprints, 7588 in total.

I have more matches this time when matching with the latest version of ja3fingerprint.json: 75 matches compared to 24 a year ago.

Notice that Shodan is one of the matched fingerprints.

Let’s take a closer look:

I’m looking for connections with fingerprint digest 0b63812a99e66c82a20d30c3b9ba6e06:

80.82.77.33 is indeed Shodan:

Name: sky.census.shodan.io
Address: 80.82.77.33


Quickpost info


Tuesday 14 August 2018

Update: format-bytes Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version has many new features and options.

First there is the remainder (*) when using option -f to specify a parsing format.

For example, -f "<i25s" directs format-bytes to interpret the provided data as a little-endian integer followed by a 25-byte long string:

With the remainder (-f "<i25s*"), format-bytes will provide info for the remaining bytes (if any) after parsing (e.g. after the 25-byte long string):

Options -c and -s changed into -C and -S, so that option -s can be used to select items (to be consistent across my tools).

Option -s can be used to select an item, like a string, to be dumped (options -a, -x and -d). If no dump option is provided, a hex/ASCII dump (-a) is the default.

And option --jsoninput can be used to process JSON output produced by oledump.py or zipdump.py, for example.
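As an added example (not format-bytes' own code), here is a Python re-implementation of the parsing format with the remainder marker: "<i25s" parses a little-endian integer and a 25-byte string with struct, and a trailing "*" returns whatever bytes are left, rendered as a hex/ASCII dump. The input bytes are constructed.

```python
import struct

# Constructed sample: a little-endian int, a 25-byte string, and 4 trailing bytes
SAMPLE = struct.pack("<i", 0x41424344) + b"A" * 25 + b"\xde\xad\xbe\xef"


def parse_format(data, fmt):
    """Parse data with a struct format; a trailing '*' asks for the remaining bytes too.

    Returns (items, remainder); remainder is None when '*' was not given.
    """
    want_remainder = fmt.endswith("*")
    if want_remainder:
        fmt = fmt[:-1]
    size = struct.calcsize(fmt)
    if len(data) < size:
        raise ValueError("format needs %d bytes, data has %d" % (size, len(data)))
    items = list(struct.unpack_from(fmt, data))
    remainder = data[size:] if want_remainder else None
    return items, remainder


def hexascii(data):
    """Minimal hex/ASCII rendering of a byte string, one line per 16 bytes."""
    lines = []
    for offset in range(0, len(data), 16):
        chunk = data[offset:offset + 16]
        hexpart = " ".join("%02X" % b for b in chunk)
        asciipart = "".join(chr(b) if 32 <= b <= 126 else "." for b in chunk)
        lines.append("%08X: %-47s %s" % (offset, hexpart, asciipart))
    return "\n".join(lines)


if __name__ == "__main__":
    items, remainder = parse_format(SAMPLE, "<i25s*")
    print("items:", items)
    print("remainder (%d bytes):" % len(remainder))
    print(hexascii(remainder))
```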

format-bytes_V0_0_5.zip (https)
MD5: 3D92BCAF8E31BFBF6F4917B3AAB64AEF
SHA256: AD43756F69C8C2ABF0F5778BC466AD480630727FA7B03A6D4DEC80743549845A

Monday 13 August 2018

Update: oledump.py Version 0.0.37

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds option --vbadecompressskipattributes to decompress VBA code while skipping the initial attribute definitions (those that are hidden in the MS Office VBA Editor).

Here is an example of output with option -v you are familiar with:

When replacing option -v with option --vbadecompressskipattributes, the initial attributes are no longer displayed:

These attributes are actually hidden in the MS Office VBA Editor:

I added this option because lately, I've analyzed several samples where I had to extract all strings for further decoding, and the strings in the attribute definitions were interfering with the decoding. With this new option, I can prevent these strings from appearing in the output.
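As an added example (my own re-implementation, not oledump.py's code), here is how skipping the initial attribute lines keeps the attribute strings out of a string extraction step. The VBA module is constructed; the quoted values in its Attribute lines are exactly the kind of strings that would otherwise pollute a decoder's input.

```python
import re

# Constructed VBA module as decompressed from an OLE stream: attribute lines precede the code
VBA_MODULE = """\
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    Dim s As String
    s = "dGVzdA=="
End Sub
"""

# A VBA string literal; a doubled quote inside the literal is an escaped quote
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')


def skip_attributes(vba):
    """Drop the leading 'Attribute ...' lines, keeping everything from the first real line on."""
    lines = vba.splitlines(keepends=True)
    i = 0
    while i < len(lines) and lines[i].startswith("Attribute "):
        i += 1
    return "".join(lines[i:])


def extract_strings(vba):
    """Return the VBA string literals in source order, with "" unescaped to a single quote."""
    return [m.group(1).replace('""', '"') for m in STRING_RE.finditer(vba)]


if __name__ == "__main__":
    print("with attributes:   ", extract_strings(VBA_MODULE))
    print("without attributes:", extract_strings(skip_attributes(VBA_MODULE)))
```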

plugin_msg.py was updated to version 0.0.3 to include plugin option -k, to display only known MSG streams.

oledump_V0_0_37.zip (https)
MD5: BBC2F3B57266B557307E12E8BC950F98
SHA256: 573C73110CA35EE6451FD14EE7B7DCA3B53FF624ECCFF824799DA59F7767DA68

Friday 3 August 2018

Update: PDFiD.py Version 0.2.5

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

It's the second time now that a friend reports to me that PDFiD produces no output at all when a PDF is analyzed.

In both cases, the filename was something like sample[1].pdf (a file you could find in Internet Explorer’s cache, for example).

PDFiD can process multiple files, and accepts UNIX shell-style wildcards. Not only * and ?, but also []. So with a filename like sample[1].pdf, PDFiD is actually looking for a file with filename sample1.pdf. Which it doesn’t find, and thus produces no output.

About two years ago, when a friend first reported this, I added option -l --literal. If you use this option, then PDFiD will do no wildcard expansion, and will thus find file sample[1].pdf.

Recently, another friend had the same problem, and was not aware of the existence of option -l.

This new version of PDFiD will display a warning when you use wildcard characters in filenames (without option -l) and when no files match. Like this:

I also renamed option --literal to --literalfilenames, to be consistent across my tools.
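As an added example (my own re-implementation, not PDFiD's code), here is the wildcard behaviour reproduced with Python's glob module: sample[1].pdf is read as the character class [1], so the pattern only matches sample1.pdf; a literal-filename option, or glob.escape(), finds the real file, and a warning fires when a pattern with wildcard characters matches nothing. The file and directory are constructed in a temporary folder.

```python
import glob
import os
import tempfile

WILDCARD_CHARS = "*?["


def expand_filenames(patterns, literal=False):
    """Expand shell-style wildcards the way PDFiD does, unless literal is True (option -l).

    Returns (matched files, warnings).
    """
    files, warnings = [], []
    for pattern in patterns:
        if literal:
            files.append(pattern)
            continue
        matches = sorted(glob.glob(pattern))
        if not matches and any(c in pattern for c in WILDCARD_CHARS):
            warnings.append("Warning: no files match wildcard pattern %s; "
                            "use a literal-filename option if this is the real name" % pattern)
        files.extend(matches)
    return files, warnings


def demo():
    """Constructed scenario: a cached download named sample[1].pdf and nothing else."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample[1].pdf")
        with open(path, "wb") as f:
            f.write(b"%PDF-1.4\n%%EOF\n")
        wildcard_files, warnings = expand_filenames([path])            # looks for sample1.pdf
        literal_files, _ = expand_filenames([path], literal=True)      # no expansion at all
        escaped_files, _ = expand_filenames([glob.escape(path)])       # [1] escaped as [[]1]
        return {
            "wildcard": [os.path.basename(p) for p in wildcard_files],
            "warnings": warnings,
            "literal": [os.path.basename(p) for p in literal_files],
            "escaped": [os.path.basename(p) for p in escaped_files],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```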

pdfid_v0_2_5.zip (https)
MD5: 9B835D9E934A7AA7E68C3649A7AA5DAF
SHA256: 4DD43D7BDA885C5A579FC1F797E93A536E1DB5A4AB52A9337759A69D3B0250E0

Thursday 2 August 2018

Overview of Content Published in July

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in July:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog:
