This is a bugfix version
pecheck-v0_7_11.zip (https)
MD5: D3B69575F0A08377D1A08886D34230FD
SHA256: 2B59F745377EABDF81118997CA70F5F4DBC1CE927370F02C6E0262869F988FA9
Thursday 30 July 2020
Update: pecheck.py Version 0.7.11
Tuesday 28 July 2020
Update: InteractiveSieve 0.9.1
There are many new features in this update to InteractiveSieve (I neglected to publish updates).
InteractiveSieve is a C# tool I developed to help me visualize and sift through logs (CSV files).
I want to record a couple of videos to show what this tool can do.
Here is a list of updates:
- Added Remember and >= <= popup menu commands
- Added Paste to Sift dialog
- Added separator option None
- Added choice for Pivot table: matrix, list and uniques
- Fixed Reveal all bug, thanks Bart Vanautgaerden for reporting
- Added Hide colored lines and Hine uncolored lines; Added Info and Set as index column
- Bugfix DataGridViewEx
- Added Load sieve and Save sieve
- Added m:n to pivot table
- Added Invert
- Added bookmarks
- Added Previous and Next Bookmark toolbar buttons
- Bugfix SaveSieve for bookmarks
- Added Comment…
- Added header when saving
- Fix for header when loading with filter
- Added load with lookup
- Added Treeview
- Added drag and drop; automatic and colon separator; invert with load filter
- Added Copy for row
- Pivot table list and uniques: Added support for Hide and Color buttons
- Added Sift… value
- Added Transform (regex) and restore
- Added Reload
InteractiveSieve_V_0_9_1_0.zip (https)
MD5: C8B5B3E768FB62B7508F055122453594
SHA256: 063A83D9DBA900C8B245532D510E822A305B258C9A3DD05F19F4F0ED2753B6E1
Monday 27 July 2020
Update: zipdump.py Version 0.0.20
I added detection of data descriptor records (PK 0x07 0x08) to option -f L (list all ZIP records found inside the provided file).
zipdump_v0_0_20.zip (https)
MD5: A0A826BB92805997ED3D9793C8B24385
SHA256: AC626299A6048FA4A7E8BE2993411870F77B4B89F647B6C4264E0CC22E180999
Sunday 26 July 2020
Update: oledump.py 0.0.52
This new version of oledump.py brings support for AES encrypted ZIP files via Python module pyzipper (Python 3 only). If module pyzipper is not installed, oledump will fall back to builtin module zipfile.
And plugin plugin_vbaproject.py does now a small dictionary attack on the extracted hash to try to recover the password.
I use the same dictionary as in zipdump.py, a dictionary that is the public domain, default wordlist used by John the Ripper, extended with a couple of passwords: infected, P@ssw0rd and VelvetSweatshop.
oledump_V0_0_52.zip (https)
MD5: 2528824D8A7CD2BE98615B1B1AE8C61A
SHA256: C47A9CC658571FF23E70264B4DD4F8F47D244708E7110EA0A28128F175CF80F5
Saturday 25 July 2020
ndisasm 2.15 stdin Bug Fix
I like to pipe commands together, especially when doing malware analysis.
ndisasm is the disassembler of NASM. I like to use it, because it’s a single executable (for major operating systems) and accepts input from stdin.
But there was an issue with Windows versions: stdin was opened in text mode, and not in binary mode. This can result in disassembly errors, like in the following example. I send 7 bytes to ndisasm via stdin, and the 4th byte is 0x1A (CTRL-Z): this is the end-of-file marker for Windows text files:
As can be seen, only the first 3 bytes are disassembled, and all bytes from 0x1A on are ignored.
I filled a bug fix with code the fix the issue, and this was integrated in version 2.15:
Monday 20 July 2020
Cracking VBA Project Passwords
VBA projects can be protected with a password. The password is not used to encrypt the content of the VBA project, it is just used as protection by the VBA IDE: when the password is set, you will be prompted for the password.
Tools like oledump.py are not hindered by a VBA password, they can extract VBA code without problem, as it is not encrypted.
The VBA password is stored as the DPB value of the PROJECT stream:
You can remove password protection by replacing the values of ID, CMG, DPB and GC with the values of an unprotected VBA Project.
Thus a VBA password is no hindrance for staticanalysis.
However, we might still want to recover the password, just for the fun of it. How do we proceed?
The password itself is not stored inside the PROJECT stream. In stead, a hash is stored: the SHA1 hash of the password (MBCS representation) + 4 byte salt.
Then, this hash is encrypted (data encryption as described in MS-OVBA 2.4.3.2) and the hexadecimal representation of this encrypted hash is the value of DPB.
This data encryption is done according to an algorithm that does not use a secret key. I wrote an oledump.py plugin (plugin_vbaproject.py) to decrypt the hash and display it in a format suitable for John the Ripper and Hashcat:
The SHA1 of a password + salt is a dynamic format in John the Ripper: dynamic_24.
For Hashcat, it is mode 110 and you also need to use option –hex-salt.
Remark that the password passed as argument to the SHA1 function is represented in Multi Byte Character Set format. This means that ASCII characters are represented as bytes, but that non-ASCII characters might be represented with more than one byte, depending on the VBA project’s code page.
Sunday 19 July 2020
Update: oledump.py Version 0.0.51
This is a bugfix update to oledump.py, and a feature update for plugins.
plugin_biff.py has a new -S (–statistics) option:
This option can be combined with option -c (–csv).
And there is a new plugin for VBA projects: plugin_vbaproject.py. More info in tomorrow’s blog post.
oledump_V0_0_51.zip (https)
MD5: 9A55FC37AD0C4C2F3D08F252C72C1A82
SHA256: 071D1605D520A4BABBE2CDA461866C349628FE4B428AC54823492A6CD89EA487
Saturday 18 July 2020
Update XORSearch Version 1.11.4
This is a small bug fix version of XORSearch: fixing some printf format strings for Linux, thanks to Lenny Zeltser for reporting.
Because of Google, I can no longer host this tool on my website.
You have to get it from my FalsePositives GitHub repository.
XORSearch_V1_11_4.zip
MD5: E66290D1EB15D9394C8D1264A09ECFE6
SHA256: BF20A1D76AAD83FC3AABEDC6DDC7F96B655DC94BEC3FA276A50AF6046EBB554C
Sunday 12 July 2020
Quickpost: curl
Since I learned that Windows 10 has curl pre-installed now, I notice I use it more often.
Here are some quick notes, mainly for myself:
Using Tor:
curl --socks5-hostname 127.0.0.1:9050 http://didierstevens.com
Option socks5-hostname uses SOCKS5 protocol and does name resolution of the hostname via the SOCKS5 protocol (and not local DNS)
Removing the User-Agent header:
curl --header "User-Agent:" http://didierstevens.com
Option –header (-H) can also be used to remove a header: provide the header name with colon, provide no header value.
Using a custom User-Agent header (-A –user-agent):
curl --user-agent "Mozilla/5.0 DidierStevens" http://didierstevens.com
Saving received data:
curl --dump-header 01.headers --output 01.bin.vir --trace 01.trace --trace-time http://didierstevens.com
Option —dump-header (-D) saves the headers, option –output (-o) saves the body, –trace creates a trace file and –trace-time adds timestamps to the trace file.
Option to ignore certificate errors: -k –insecure
Putting it all together:
curl --socks5-hostname 127.0.0.1:9050 --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" --insecure --dump-header 01.headers --output 01.data --trace 01.trace --trace-time https://didierstevens.com
Tuesday 7 July 2020
Tampering With Digitally Signed VBA Projects
As I explained in blog post VBA Purging, VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).
If you alter the compiled code (PerformanceCache) properly and leave the source code (CompressedSourceCode) of a signed VBA project untouched, you can change the behavior of a signed document without invalidating the signature. That’s because the code signing algorithm for VBA projects does not take the PerformanceCache into account.
Details in my NVISO blog post: Tampering with Digitally Signed VBA Projects
Didier Stevens 