Didier Stevens

Saturday 31 October 2020

Quickpost: VMware OS Version Snapshots

Filed under: Quickpost — Didier Stevens @ 0:00

Whenever I upgrade the operating system of my virtual machines, I take a snaphot right after the upgrade.

This gives me a tree of different OS versions:

I give each snapshot a small descriptive name, that starts with the date of the snapshot (YYYYMMDD).

This allows me to revert to older versions to experiment with patched vulnerabilities, like this one.

Quickpost info

Thursday 22 October 2020

Update: strings.py Version 0.0.5 Pascal Strings

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of strings.py, my tool to extract strings from arbitrary files, adds option -P to add support for Pascal strings.

A Pascal string is a string that is internally stored with a length-prefix: an integer that counts the number of characters inside the string.

The Unix strings command, and my strings.py tool, can extract Pascal strings without any problem, because they just search for a sequence of characters, without looking for a terminating NULL character (C-string) or a length-prefix (P-string ot Pascal string).

But with option -P, you can direct my tool strings.py to only extract Pascal strings, by checking if character sequences are prefixed with an integer that is equal to the number of characters inside the string. Strings that do not match that requirement are ignored.

Since an integer can be represented internally with different byte formats, you have to provide a value to option -P that indicates how the integer is stored internally. I use the same format as Python’s struct module to represent that format. For example, “<I” is a little-endian, unsigned 32-bit integer. That is how a string is represented in Delphi, as can be seen in this example of a Delphi malware sample:

The strings you see here are all found inside the sample, and are prefixed by their length. If you wouldn’t use option -P, then these strings would also be extracted, but they would not stand out amid the other strings that are not prefixed by their length.

Delphi also supports the ShortString type: one byte to encode the length. These can be found with option -P “<B”: little-endian, unsigned 8-bit integer:

strings_V0_0_5.zip (https)
MD5: A4BF314BE0A72972ECA7B14B558610E6
SHA256: 30E9E9BB618006445483AA78F804766D8FFA518974B81F9B68FF534BEA30B072

Sunday 18 October 2020

Update: translate.py version 2.5.9

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small bug fix release for Python 3.

translate_v2_5_9.zip (https)
MD5: 8EC7A9F0738C86CCF2F0B44D3994E798
SHA256: 3C469996F7014CC1BD5D4F02157B7D5803698D93018360904B79EA2A1601BD10

Saturday 10 October 2020

Quickpost: 4 Bytes To Crash Excel

Filed under: Hacking,Quickpost,Reverse Engineering — Didier Stevens @ 0:00

A couple of years ago, while experimenting with SYLK files, I created a .slk file that caused Excel to crash.

When you create a text file with content “ID;;”, save it with extension .slk, then open it with Excel, Excel will crash.

Microsoft Security Response Center looked at my DoS PoC last year: the issue will not be fixed. It is a “Safe Crash”, Excel detects the invalid input and calls MsoForceAppExitIf to terminate the Excel process.

If you have Excel crashing with .slk files, then look at the first line. If you see something like “ID;;…”, know that the absence of characters between the semi-colons causes the crash. Add a letter, or remove a semi-colon, and that should fix the issue.

Quickpost info

Tuesday 6 October 2020

Update: oledump.py Version 0.0.54

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds a new variable for option -E: %MOFULEINFO%

This variable need to be used together with option -i: it contains the size of the compiled VBA code and the compressed VBA code. For example: 123+65.

There’s a new option (-s) for plugin plugin_http_heuristics: with this option, the plugin ignores space characters (useful for hexadecimal bytes separated by a space character, for example).

And there is a new plugin: plugin_msg_summary. This is a new type of plugin, a plugin that operates on the complete document. Before, plugins could only operate on individual streams, and were instantiated for each stream.

This plugin produces a summary of a .msg file (something we needed for our “Epic Manchego” research).

Here is an example:

This plugin has a couple of options, for example to produce JSON output or to add header or body information:


Thursday 1 October 2020

Overview of Content Published in September

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in September:

Blog posts:

SANS ISC Diary entries:

NVISO blog posts:

Blog at WordPress.com.