Didier Stevens

Tuesday 9 October 2007

WhoAmI? Firefox Extension

Filed under: My Software — Didier Stevens @ 7:19

Can you help me test my new Firefox extension WhoAmI?

It’s very simple, it displays the name of the current profile on the statusbar:

whoami-preview-01.png

I’ve been using the Firefox Profile Manager for some time now, but recently I learned how to run several instances of Firefox. There have been several posts about this, like this one, to help mitigate Google account vulnerabilities. But sometimes I forgot which profile I was running, until I developed my WhoAmI? extension.

You can download it here. It is also in the Mozilla Add-ons site’s sandbox. Please report your test results back to me (OS & FF version); it will help me get my extension out of the sandbox and into the public part of the Mozilla site.

Tuesday 21 August 2007

Twiddling Bits

Filed under: My Software — Didier Stevens @ 6:12

Here is a new little Python script to perform bitwise operations on files (like XOR, ROL/ROR, …). For maximum flexibility, it requires you to provide the operation as a Python expression, like this:

translate.py malware malware.decoded 'byte ^ 0x10'

This will read the file malware, XOR each byte with 0x10 (that is, expressed in Python: byte ^ 0x10), and write the result to malware.decoded.

The script has been added to my software page.

translate-004.png

Tuesday 14 August 2007

XORSearch V1.2.0: XOR & ROL

Filed under: My Software — Didier Stevens @ 6:34

Last week I analyzed a piece of malware that had each byte of its strings ROL 1 (ROtate Left) encoded. I’ll give more details about this trick in an upcoming post.

It prompted me to update my XORSearch tool to deal with ROL encoding. Feeling lazy, I only coded ROL support, not ROR. 😉 Or did I? What do you think?
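As an added example (not the author’s translate.py or XORSearch source), here is a small Python version of both ideas from this post and the Twiddling Bits post above: a byte-wise transform driven by a Python expression, and a brute-force search for a known string under XOR keys 0..255 and ROL 1..7. The helper names (rol, ror, translate, xorsearch, demo_rol, demo_xor) are this example’s own, and the sample bytes are constructed inline as a stand-in for a malware file.

```python
# Added example, not Didier Stevens' translate.py or XORSearch: a byte-wise
# transform driven by a Python expression, plus a brute-force search for a
# known string under XOR and ROL encodings. All names here are the
# example's own; the sample data is constructed inline.
import sys


def rol(byte, n):
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((byte << n) | (byte >> (8 - n))) & 0xFF


def ror(byte, n):
    """Rotate an 8-bit value right by n bits; ROR n equals ROL (8 - n)."""
    return rol(byte, (8 - n % 8) % 8)


def translate(data, expression):
    """Apply `expression` to every byte of `data` and return the result.

    The expression sees the current value as `byte` and may call rol()/ror(),
    e.g. 'byte ^ 0x10' or 'ror(byte, 1)'. Each result is masked to 8 bits.
    The expression is trusted analyst input: it is compiled once and run
    with a bare namespace for clarity, which is not a sandbox.
    """
    code = compile(expression, "<expression>", "eval")
    namespace = {"__builtins__": {}, "rol": rol, "ror": ror}
    out = bytearray()
    for byte in data:
        namespace["byte"] = byte
        out.append(eval(code, namespace) & 0xFF)
    return bytes(out)


def xorsearch(data, needle):
    """Return the (encoding, key) pairs under which `needle` appears in `data`.

    XOR tries every key 0..255. ROL tries 1..7 bits and is undone with ror();
    ("ROL", n) means the data was rotated left by n bits. Because ROR n is
    ROL (8 - n) on bytes, the same seven candidates also cover ROR-encoded data.
    """
    hits = []
    for key in range(256):
        if needle in translate(data, f"byte ^ {key}"):
            hits.append(("XOR", key))
    for bits in range(1, 8):
        if needle in translate(data, f"ror(byte, {bits})"):
            hits.append(("ROL", bits))
    return hits


# Constructed sample: a URL string obfuscated the way the post describes,
# padded with a few unrelated bytes. Stand-in for a real sample file.
SECRET = b"http://example.invalid/update.exe"


def demo_rol():
    sample = b"\x00\x01\x02MZ" + translate(SECRET, "rol(byte, 1)") + b"\xff\xfe"
    return xorsearch(sample, b"http://")


def demo_xor():
    sample = b"\x00\x01\x02MZ" + translate(SECRET, "byte ^ 0x10") + b"\xff\xfe"
    return xorsearch(sample, b"http://")


if __name__ == "__main__":
    # Same command line shape as the post: translate.py infile outfile 'expression'
    infile, outfile, expression = sys.argv[1:4]
    with open(infile, "rb") as f:
        decoded = translate(f.read(), expression)
    with open(outfile, "wb") as f:
        f.write(decoded)
```

demo_rol() reports only ("ROL", 1) and demo_xor() only ("XOR", 16): for a needle of several bytes, a wrong key or rotation does not produce the plaintext anywhere in the buffer, which is why a short known string like a URL prefix is enough to recover the key.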

Monday 23 July 2007

CyberSpeak interview

Filed under: My Software,Reverse Engineering — Didier Stevens @ 8:11

My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent 😉 But I’m not French, I’m Flemish!

Tuesday 17 July 2007

UserAssist V2.3.0

Filed under: My Software,Reverse Engineering — Didier Stevens @ 6:05

I’m releasing version 2.3.0 of my UserAssist tool with these new features:

  • saved CSV files have a header.
  • entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the people asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
  • the Save command also supports HTML.
  • support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
  • registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool loads the DAT file temporarily into the registry, reads the UserAssist keys and unloads the file. This feature is experimental, because I haven’t yet written the code for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated. I’m also researching special values of the count property, for example when a program is removed from the Start menu list.

The software is hosted on my site now, as Microsoft will phase-out the User Samples section of the gotDotNet site.

Thanks to Ovie and Bret of the CyberSpeak podcast for talking about my UserAssist tool on their show. The announced interview is recorded 🙂

Wednesday 11 July 2007

ExtractScripts Update

Filed under: Malware,My Software,Update — Didier Stevens @ 0:06

I’ve updated ExtractScripts to handle comments inside <script> tags.

Tuesday 26 June 2007

ExtractScripts

Filed under: Malware,My Software — Didier Stevens @ 6:26

ExtractScripts is another one of my little tools I use to analyze malware.

Monday 23 April 2007

USBVirusScan V1.5.0

Filed under: My Software,Update — Didier Stevens @ 18:44

This new version of USBVirusScan adds a switch (-q) to stop a running instance of USBVirusScan.

The program can be found here.

Tuesday 6 March 2007

USBVirusScan v1.4.0

Filed under: My Software,Update — Didier Stevens @ 9:35

USBVirusScan v1.4.0 has a new “feature”: from this version on, only one instance can be running. This was requested by Alfredo.

I use a mutex to detect if an instance of USBVirusScan is already running, and if it is, I do not launch another instance.

Mutexes are used by programmers to orchestrate exclusive access to a resource. Suppose your program is multi-threaded and that separate threads read, check and update the same global variable. Thread A could read global variable G, followed by thread B writing global variable G. Thread A will then make decisions on an outdated value of global variable G (it has just been changed by thread B). To avoid this, we must be sure that reading, checking and updating is an atomic operation, i.e., that when thread B is using global variable G, thread A cannot start using it before thread B is done.

This can be done with a mutex. When thread B wants to use global variable G, it first has to create a mutex. Creating a mutex is a request to the OS. The OS guarantees that creating the mutex is also an atomic operation: two programs cannot create the same mutex simultaneously. If the mutex doesn’t exist, it is created and the program is informed of the creation. On the other hand, if the mutex already exists, the program is informed that the mutex already exists. So if thread B successfully creates the mutex, it knows that no other thread is using the global variable and that it can use it. If thread A tries to create the mutex, it will fail because it already exists, and therefore it knows it cannot use global variable G. When thread B has finished reading, checking and writing global variable G, it releases the mutex, thereby giving other threads the opportunity to create the mutex and access global variable G.

A mutex can also be used to restrict the number of running instances of a program. When the program is started, it first creates a mutex. If it succeeds, it continues and never releases the mutex (the mutex will be released by the operating system when the program terminates). However, if the creation fails, the program knows that another instance is already running and it just stops. This ensures that only one instance of the program can be running.

Mutexes can be named, for example “USBVirusScan”, this allows for the creation of many different mutexes.

Mutexes are also used by virus writers to limit the number of running instances of their virus. If a virus is allowed to reproduce uncontrolled on a machine, the huge number of running instances would soon kill the machine, thereby DoSing it.

Do you remember “inoculation” programs? They would prevent the execution of a particular virus strain on your machine. They work with mutexes: the inoculation program creates the same mutex as the virus would, and then stays resident, never releasing the mutex. If the virus wants to run on your inoculated machine, it fails to create the mutex and stops the infection, assuming the machine is already infected.

This tactic is also used in some viruses to disable competing viruses: not only do they create their own mutex, but also the mutex of the competing virus …
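The two uses of a mutex described above, as an added Python example that is not USBVirusScan’s own code: increment_shared() shows with threads why the read, check and update sequence on a shared variable needs a lock, and claim_single_instance() is the Windows named-mutex check (CreateMutexW reporting ERROR_ALREADY_EXISTS), which is also what an inoculation program does with the virus’s mutex name. The mutex name in the demo is a placeholder, and the Windows call is skipped on other platforms.

```python
# Added example, not USBVirusScan's own code: the two uses of a mutex the post
# describes. increment_shared() shows with Python threads why read, check and
# update on a shared variable must be made atomic; claim_single_instance()
# is the Windows named-mutex check (CreateMutexW + ERROR_ALREADY_EXISTS).
# The mutex name used at the bottom is a placeholder, not USBVirusScan's.
import contextlib
import ctypes
import sys
import threading
import time

ERROR_ALREADY_EXISTS = 183  # winerror.h
_held_handles = []          # keeps our mutex handles alive for the process lifetime


def increment_shared(lock, workers=8, rounds=200):
    """Let `workers` threads each add `rounds` to a shared counter G.

    Every step is the read / yield / update sequence from the post: a thread
    reads G, another thread may run, then it writes back G + 1 based on the
    value it read. With lock=None updates get lost and the result falls
    below workers * rounds; with a threading.Lock the sequence is atomic
    with respect to the other threads and the result is exact.
    """
    state = {"G": 0}
    guard = lock if lock is not None else contextlib.nullcontext()

    def worker():
        for _ in range(rounds):
            with guard:
                value = state["G"]      # read
                time.sleep(0)           # give another thread the chance to run
                state["G"] = value + 1  # update, based on what we read

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return state["G"]


def run_unlocked():
    return increment_shared(None)


def run_locked():
    return increment_shared(threading.Lock())


def claim_single_instance(name):
    """Create the named mutex and hold it until the process exits.

    Returns True if this process created the mutex, False if it already
    existed, i.e. another instance (or an inoculation program using the
    same name) is running. Windows only: named kernel mutexes are a Win32
    feature, so the call is refused elsewhere.
    """
    if sys.platform != "win32":
        raise OSError("named kernel mutexes are a Windows feature")
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    handle = kernel32.CreateMutexW(None, 0, name)
    already_existed = ctypes.get_last_error() == ERROR_ALREADY_EXISTS
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    _held_handles.append(handle)  # never closed; the OS releases it at exit
    return not already_existed


if __name__ == "__main__":
    print("unlocked:", run_unlocked(), "locked:", run_locked())
    if sys.platform == "win32":
        # Placeholder name; a real program picks its own, and an inoculation
        # program would use the virus's name here instead.
        if not claim_single_instance("Global\\ExampleSingleInstance"):
            sys.exit("another instance is already running")
        print("first instance, holding the mutex until exit")
```

Run the script twice in parallel on Windows to see the second copy exit with the “another instance” message; the first copy keeps the handle open and never calls CloseHandle, exactly as the post says a single-instance program should.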

Thursday 15 February 2007

UserAssist article published in (IN)SECURE Magazine

Filed under: My Software — Didier Stevens @ 11:30

My article about my UserAssist forensic tool has been published in the February 2007 issue of (IN)SECURE Magazine .
