Didier Stevens

Monday 23 July 2007

CyberSpeak interview

Filed under: My Software,Reverse Engineering — Didier Stevens @ 8:11

My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent 😉 But I’m not French, I’m Flemish!

Tuesday 17 July 2007

UserAssist V2.3.0

Filed under: My Software,Reverse Engineering — Didier Stevens @ 6:05

I’m releasing version 2.3.0 of my UserAssist tool with these new features:

  • saved CSV files have a header.
  • entries are highlighted in red when they match a user-specified search term (which can be a regular expression). This is my answer to the persons asking for a search feature. As I didn’t want to bother with a Find Next function, I decided to implement a highlight feature.
  • the Save command also supports HTML.
  • support for the IE7 UserAssist GUID key {0D6D4F41-2994-4BA0-8FEF-620E43CD2812}
  • registry hive files (usually called NTUSER.DAT files) can be loaded directly with the tool. The tool will load the DAT file temporarily in the registry, read the UserAssist keys and unload the file. This feature is experimental, because I didn’t write the code yet for all the exceptions (invalid NTUSER.DAT file, no access rights to the file, no rights to load the file, failure to unload the file, …).

Other requests, like a command-line option, will be investigated. I’m also researching special values of the count property, for example when a program is removed from the start menu list.

The software is hosted on my site now, as Microsoft will phase-out the User Samples section of the gotDotNet site.

Thanks to Ovie and Bret of the CyberSpeak podcast for talking about my UserAssist tool on their show. The announced interview is recorded 🙂

Monday 16 July 2007

Will it be late in Brussels again?

Filed under: Reverse Engineering — Didier Stevens @ 21:58

Yes, I’ve the feeling it will be late in Brussels again

Tuesday 3 July 2007

The BlockSite Firefox Add-on

Filed under: Reverse Engineering — Didier Stevens @ 8:00

The Firefox add-on BlockSite by Erik van Kempen allows you to maintain a blacklist of sites you want to block for surfing. I extended his add-on with a whitelist: instead of specifying the sites you want to block, you can decide to specify the sites you want to allow, and all other sites will be blocked. Erik has integrated my code in his add-on:

Version 0.5 — December 30, 2006 — 34 KB

[+] Whitelist/Blacklist feature (by Didier Stevens): Choose if the list is a blacklist or a whitelist.
[~] Password protection still pending (unfortunately), most probably in next major release

Reverse engineering a Firefox add-on is really simple. The file format for add-ons, XPI, is in fact a ZIP file. After unzipping the XPI file, you’ll find a JAR file (again, this is also based on ZIP). Unzip the JAR file and then you can analyze the JavaScript and XUL files.
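The unpacking described above, as an added example that is not part of the original post or of the BlockSite add-on: a Python script that opens an XPI in memory, descends into any JAR (or other ZIP-based container) it finds, lists the JavaScript and XUL files worth reading, and flags the lines that turn strings into code, which is where an add-on that hides its behaviour usually does so. The nesting limit is there because a nested-ZIP bomb is a cheap way to stall an analyst's unpacker. The sample XPI it builds is constructed for the example (its file names and JavaScript are made up, not the real add-on), and the "!/" separator for nested paths is borrowed from the jar: URL notation Firefox uses in chrome.manifest.

```python
import io
import zipfile
from typing import Dict, List

# Files worth reading once the add-on is unpacked: logic, UI and packaging metadata.
SOURCE_SUFFIXES = (".js", ".jsm", ".xul", ".rdf", ".manifest", ".dtd", ".properties")
# Containers that may be nested inside an XPI; all of them are ZIP files.
CONTAINER_SUFFIXES = (".jar", ".xpi", ".zip")


def unpack(blob: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> Dict[str, bytes]:
    """Recursively unpack an XPI/JAR held in memory and return {path: content}.

    Nested containers are flattened into the tree with a "!/" separator, e.g.
    "chrome/blocksite.jar!/content/blocksite/overlay.xul", so every file of the
    add-on is reachable by one key. The depth limit guards against nested-zip bombs.
    """
    if depth > max_depth:
        raise ValueError("container nesting deeper than %d levels" % max_depth)
    tree: Dict[str, bytes] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            path = prefix + info.filename
            # Only recurse when the name *and* the magic bytes say "ZIP".
            if info.filename.lower().endswith(CONTAINER_SUFFIXES) and data[:2] == b"PK":
                tree.update(unpack(data, path + "!/", depth + 1, max_depth))
            else:
                tree[path] = data
    return tree


def source_files(tree: Dict[str, bytes]) -> List[str]:
    """The JavaScript/XUL/metadata files an analyst reads first."""
    return sorted(p for p in tree if p.lower().endswith(SOURCE_SUFFIXES))


def flag_dynamic_code(tree: Dict[str, bytes]) -> List[str]:
    """Lines in the add-on's scripts that evaluate strings as code."""
    markers = ("eval(", "new Function(", 'setTimeout("', 'setInterval("')
    hits: List[str] = []
    for path in source_files(tree):
        if not path.lower().endswith((".js", ".jsm")):
            continue
        text = tree[path].decode("utf-8", "replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(m in line for m in markers):
                hits.append("%s:%d: %s" % (path, lineno, line.strip()))
    return hits


def build_sample_xpi() -> bytes:
    """Constructed stand-in for a BlockSite-style XPI (not the real add-on's files)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("content/blocksite/overlay.xul",
                   '<overlay xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"/>')
        z.writestr("content/blocksite/blocksite.js",
                   "var list = [];\nvar listIsWhitelist = false;\n"
                   "function isBlocked(host) {\n"
                   "  var found = list.indexOf(host) != -1;\n"
                   "  return listIsWhitelist ? !found : found;\n}\n")
        # A constructed red flag: remote content evaluated as code.
        z.writestr("content/blocksite/update.js",
                   "var xhr = new XMLHttpRequest();\neval(xhr.responseText);\n")
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("install.rdf", "<RDF/>")
        z.writestr("chrome.manifest",
                   "content blocksite jar:chrome/blocksite.jar!/content/blocksite/\n")
        z.writestr("chrome/blocksite.jar", jar.getvalue())
    return xpi.getvalue()


if __name__ == "__main__":
    files = unpack(build_sample_xpi())
    for path in source_files(files):
        print(path)
    for hit in flag_dynamic_code(files):
        print("dynamic code:", hit)
```

Point `unpack()` at the bytes of a real XPI (`open("blocksite.xpi", "rb").read()`) to get the same flattened view; the whitelist/blacklist switch from version 0.5 is exactly the kind of logic that shows up as one boolean in the unpacked JavaScript.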

You can also load an unpacked Firefox add-on in Firefox to test and debug it, as is explained here.

Wednesday 20 June 2007

UserAssist Q&A

Filed under: Reverse Engineering — Didier Stevens @ 6:29

I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want to share here.

Does switching to the “Classic Start Menu” prevent the logging of data in the UserAssist registry keys?
No, it doesn’t. When you use the classic start menu (the start menu from Windows NT & 2000, without a frequently used programs pane), Windows Explorer still continues to monitor and log the programs you execute. When you switch back to the “modern” start menu, you’ll see several of the programs you recently used in the frequently used programs pane.

Does disabling the Active Desktop prevent the logging of data in the UserAssist registry keys?
No, it doesn’t. In fact, I use the following litmus test to know if starting a program is recorded in the UserAssist keys: did the user perform the action through Windows Explorer? If so, the action is logged.
The only trick I know to permanently disable the UserAssist keys is this one:

  • add a new subkey “Settings” under the “UserAssist” key
  • add a new DWORD value “NoLog” under it and set it to 1.

My UserAssist tool allows you to toggle this setting via a simple menu command.

One audience member asked me if I was really sure that using a mandatory user profile (NTUSER.MAN) implied that the UserAssist registry keys were not persisted.

I promised him that I would test it, and I must admit that I was wrong.
A mandatory user profile is a profile that the user can change, but the changes are not saved when the user logs out.
This is how I tested the UserAssist tool with a mandatory user profile:

  1. a domain controller
  2. a member workstation
  3. a domain user with the profile path set to a share on the DC
  4. renaming NTUSER.DAT to NTUSER.MAN
  5. log on to the workstation with the domain user account
  6. start some programs
  7. analyse the profiles

I discovered that the NTUSER.MAN file in the local copy of the profile (file NTUSER.MAN in C:\Documents and Settings\user on the workstation) had been modified, and that the UserAssist keys listed the programs I had executed. As expected, the NTUSER.MAN file on the DC in the roaming user profile was not modified. And when I logged on to the workstation a second time, the local profile was overwritten with the mandatory profile, as expected.

So you can use the NTUSER.MAN file in a forensic investigation, but some restrictions apply:

  1. use the local copy, not the file hosted on the DC (in fact, you should compare the UserAssist entries from both files, because some entries in the UserAssist keys might come from the original NTUSER.MAN file)
  2. make sure to grab a copy before the user logs on again, otherwise the file will be overwritten (you could try to recover it)
  3. entries in the UserAssist keys will pertain to the last session of the user, it is not a complete history of all the sessions (and remember restriction 1, comparing the profiles)
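The comparison that restriction 1 asks for, as an added example (this is not the UserAssist tool's code): a Python decoder for the Windows XP/2003 layout of a UserAssist value (ROT13-encoded value name; 16 bytes of data holding a session id, a run counter that XP stores biased by 5, and a FILETIME of the last execution), plus a function that diffs the Count key of the DC's NTUSER.MAN against the local copy and keeps only what is new or ran more often, i.e. the last session's activity. Reading the values out of a hive file is left to whatever hive parser you use; the functions take the values as a {name: bytes} dict, which is what such a parser hands over. The two profiles in `sample_profiles()` are constructed for the example, not real forensic data, and the Vista/7 layouts (different sizes) are deliberately rejected rather than guessed at.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Optional, Tuple

# One value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# on Windows XP/2003: DWORD session id, DWORD counter, FILETIME last run (little-endian).
XP_ENTRY = struct.Struct("<IIQ")
COUNT_BIAS = 5                      # XP stores the counter biased by 5: raw 6 == executed once
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


class Entry(NamedTuple):
    name: str                       # decoded, e.g. "UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe"
    session: int
    count: int                      # number of executions (bias removed)
    last_run: Optional[datetime]


def decode_entry(value_name: str, data: bytes) -> Entry:
    """Decode one (name, data) pair of a Count key; value names are ROT13-encoded."""
    if len(data) != XP_ENTRY.size:
        raise ValueError("value is %d bytes; the XP layout is %d" % (len(data), XP_ENTRY.size))
    session, raw_count, filetime = XP_ENTRY.unpack(data)
    # Raw values below the bias are the "special values" worth a closer look; keep them as-is.
    count = raw_count - COUNT_BIAS if raw_count >= COUNT_BIAS else raw_count
    last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return Entry(codecs.decode(value_name, "rot_13"), session, count, last_run)


def encode_entry(name: str, session: int, count: int,
                 last_run: Optional[datetime]) -> Tuple[str, bytes]:
    """Inverse of decode_entry; used here only to build constructed samples."""
    filetime = 0
    if last_run is not None:
        delta = last_run - FILETIME_EPOCH
        filetime = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return codecs.encode(name, "rot_13"), XP_ENTRY.pack(session, count + COUNT_BIAS, filetime)


def decode_count_key(values: Dict[str, bytes]) -> Dict[str, Entry]:
    """Decode every value of one Count key, indexed by decoded name."""
    return {e.name: e for e in (decode_entry(n, d) for n, d in values.items())}


def new_activity(dc_values: Dict[str, bytes], local_values: Dict[str, bytes]) -> List[Entry]:
    """Entries that exist only in the local NTUSER.MAN, or whose counter grew there.

    The count reported for an entry that grew is the *increase*, i.e. the number of
    executions during the session that produced the local copy.
    """
    template = decode_count_key(dc_values)
    result: List[Entry] = []
    for name, entry in decode_count_key(local_values).items():
        base = template.get(name)
        if base is None:
            result.append(entry)
        elif entry.count > base.count:
            result.append(entry._replace(count=entry.count - base.count))
    return sorted(result, key=lambda e: e.name)


def sample_profiles() -> Tuple[Dict[str, bytes], Dict[str, bytes]]:
    """Constructed sample: the DC copy records notepad twice; the local copy shows
    notepad three times and Firefox once, so the session ran each program once."""
    t0 = datetime(2007, 6, 18, 19, 30, tzinfo=timezone.utc)
    notepad = r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe"
    firefox = r"UEME_RUNPATH:C:\Program Files\Mozilla Firefox\firefox.exe"
    dc = dict([encode_entry(notepad, 1, 2, t0)])
    local = dict([encode_entry(notepad, 2, 3, t0 + timedelta(hours=1)),
                  encode_entry(firefox, 2, 1, t0 + timedelta(hours=1, minutes=5))])
    return dc, local


if __name__ == "__main__":
    dc, local = sample_profiles()
    for e in new_activity(dc, local):
        print("%s  x%d  last run %s" % (e.name, e.count, e.last_run))
```

If the local copy has already been overwritten by a fresh logon, the diff is empty, which is restriction 2 above showing up in the data rather than a sign that nothing ran.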

Raymond Chen has started a series of blog posts about the Start Menu’s frequently used programs. Keep in mind that he discusses the rules that govern the display and ranking of programs on the start menu, and not actually the rules for collecting the data (i.e. UserAssist keys). What he calls points is not the same as the counter in a UserAssist entry.

Monday 12 February 2007

Reverse Engineering Mentoring

Filed under: Reverse Engineering — Didier Stevens @ 18:19

I started mentoring someone on Reverse Engineering. We use a Wiki to communicate, feel free to join as a mentor or mentee.

Tuesday 19 December 2006

Teaching a SpiderMonkey a new trick

Filed under: Reverse Engineering — Didier Stevens @ 9:28

Have you read NJ Verenini’s post on Websense’s blog where he explains how to use SpiderMonkey to deobfuscate JavaScript? As SpiderMonkey has no document object, Verenini shows a way to define your own document object to support document.write().

I’ve adapted the SpiderMonkey source code to include the document object. Not that my method is better than Verenini’s, I just wanted to play with SpiderMonkey.
An upcoming “Virus Lab” post will explain how I use this adapted SpiderMonkey, but for now I want to explain how I proceeded to modify SpiderMonkey.

If you’re not familiar with the SpiderMonkey source code (like me), where do you start? I want to implement a document object with a write method. Is there something similar in JavaScript? Take a look at the Math object.

js
js> Math
[object Math]

The Math object has several methods, like sin:
js> Math.sin(3.1415926/2)
0.9999999999999997

document does not exist:
js> document
2: ReferenceError: document is not defined

The trick is to add a document object that has the same behaviour as the Math object (i.e. same members), and if this works, we adapt the document object by removing all Math members and adding a write method.

Grepping for Math in the source code reveals that the object is defined in jsmath.c and jsmath.h. This is good, the Math object is defined in its own source files. So we will make our own source files for document based on Math: copy jsmath.[ch] to jsdocument.[ch]. Then edit jsdocument.[ch] and replace Math with document (there are some exceptions, like math.h).

Then we add jsdocument.[ch] to the makefile.
Grepping for jsmath.h reveals that it’s included in jsapi.c. A quick search for Math in jsapi.c reveals this code:
js_InitMathClass(cx, obj) &&
{js_InitMathClass, ATOM_OFFSET(Math)},

We add our own code:

js_InitDocumentClass(cx, obj) &&
{js_InitDocumentClass, ATOM_OFFSET(Document)},

Now when we build, we’ll get an error because we use a Document ATOM that we didn’t define. A bit of searching in the source code shows that atoms are defined in jsatom.[ch]. We search for Math and add extra code for Document.
And now the build succeeds!

js
js> document
[object document]
js> document.sin(3.1415926/2)
0.9999999999999997

Now we have to remove all members and add our own write method, but this is for another post, where I’ll publish my modified spidermonkey (it’s GPLed).

Reversing with the commented source code is not as difficult as reversing binaries, especially the patching process. If you want to add a new feature, look for an existing similar feature and do an “intelligent” copy-paste of the source code.

Once upon a time, long ago, I read the Dragon Book, and this also explains how I was able to quickly understand how to modify SpiderMonkey.

Sunday 19 November 2006

OllyStepNSearch v0.6.1

Filed under: My Software,Reverse Engineering — Didier Stevens @ 9:31

I’ve released a bugfix for my OllyDbg plugin OllyStepNSearch.

Thanks to Ngan Truong for finding and reporting bugs in the help function. My program worked with an uninitialized pointer, shame on me.

Monday 6 November 2006

Challenger

Filed under: My Software,Reverse Engineering — Didier Stevens @ 6:58

Challenger is a small program I’ve used in reverse-engineering challenges (without success ;-)). It performs dictionary and brute-force attacks on the reverse-engineering challenge program.

The programs used in reverse-engineering challenges are usually console programs. You start the program, it asks for the password (standard output), you type the password (standard input), the program responds and ends.

[Screenshot: level1.png]

Challenger automates this process: it runs the program against a list of passwords (dictionary) or it tries out all combinations (brute-force).

Challenger is also a console program taking command-line arguments.

  • /executable:program is the only required argument, you use it to specify the program to be challenged
  • /arguments:parameters is needed when the program to be challenged also takes command-line arguments. You cannot provide them with the /executable argument, you need to use the /arguments argument. This parameter is optional
  • /log:file allows you to write all results to a file. Results are always displayed on the console, with /log:log.txt, all results are also appended to file log.txt
  • /dictionary:file is used to perform a dictionary attack and specify the file containing the words to test as a password
  • /bruteforce:password is used to specify the starting password of a brute-force attack. By default, Challenger will execute a brute-force attack, starting with password a.
  • /characters:characters allows you to specify the characters used in a brute-force attack. By default, this is abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
  • /search:keyword allows you to specify a keyword that will stop the attack. Once this keyword is detected in the output of the challenged program, Challenger will stop the attack. Searching for the keyword is case-sensitive. Challenger will go on indefinitely if no keyword is provided, it will only report each time the challenged program produces output it has not produced before. If you know what the challenged program outputs when you provide the correct password, you use this search argument to look for it. If you don’t know it, you just let Challenger run and review its output
  • /timeout:milliseconds allows you to specify the timeout for the challenged program. By default, this is 100 ms: if the challenged program runs longer than 100 ms, Challenger will stop it.
  • /heartrate:count allows you to define how often Challenger writes status info to the log. By default, it’s every 1000 passwords tested

Here is an example where I use my program on F-secure’s Khallenge level 1 program with a tiny wordlist from Openwall. Since I don’t know the output produced by the program when a correct password is entered, I don’t use the search argument: challenger /executable:level1.exe /dictionary:lower.lst /log:log.txt

Here is the result:

Start     > 2/11/2006 21:49:45
Start     > Challenger v1.0.0.0 (https://DidierStevens.com)
Config    > dictionary
Config    > file: lower.lst
Config    > executable: level1.exe
Config    > arguments:
Config    > timeout: 100
Config    > heartbeat: 1000
Config    > search: not enabled
Config    > log: log.txt

New output> a -> ASSEMBLY'06 REVERSE ENGINEERING CHALLENGE
  *** LEVEL 1 ***  Challenge Copyright (c) 2006 F-Secure Corporation
For more information, please see http://www.f-secure.com/weblog/asm.htm
Enter the password:
Try another one.
Heartbeat > 2/11/2006 21:49:58 counter: 1000 password: anonymity
Heartbeat > 2/11/2006 21:50:11 counter: 2000 password: barge
Heartbeat > 2/11/2006 21:50:23 counter: 3000 password: brass
Heartbeat > 2/11/2006 21:50:34 counter: 4000 password: cement
Heartbeat > 2/11/2006 21:50:45 counter: 5000 password: compendia
Heartbeat > 2/11/2006 21:50:57 counter: 6000 password: cuisine
Heartbeat > 2/11/2006 21:51:10 counter: 7000 password: disavow
Heartbeat > 2/11/2006 21:51:21 counter: 8000 password: emergency
Heartbeat > 2/11/2006 21:51:34 counter: 9000 password: feeble
Heartbeat > 2/11/2006 21:51:45 counter: 10000 password: g
Heartbeat > 2/11/2006 21:51:58 counter: 11000 password: handbarrow
Heartbeat > 2/11/2006 21:52:11 counter: 12000 password: identical
Heartbeat > 2/11/2006 21:52:23 counter: 13000 password: ion
Heartbeat > 2/11/2006 21:52:35 counter: 14000 password: lev
Heartbeat > 2/11/2006 21:52:47 counter: 15000 password: meatball
Heartbeat > 2/11/2006 21:53:00 counter: 16000 password: naivete

New output> obvious -> ASSEMBLY'06 REVERSE ENGINEERING CHALLENGE
  *** LEVEL 1 ***  Challenge Copyright (c) 2006 F-Secure Corporation
For more information, please see http://www.f-secure.com/weblog/asm.htm
Enter the password:
Yup, thats it!
To continue, send an email to:   level1-solution_was_obvious@khallenge.com
Heartbeat > 2/11/2006 21:53:13 counter: 17000 password: orthograph
Heartbeat > 2/11/2006 21:53:26 counter: 18000 password: pestle
Heartbeat > 2/11/2006 21:53:39 counter: 19000 password: presume
Heartbeat > 2/11/2006 21:53:51 counter: 20000 password: recount
Heartbeat > 2/11/2006 21:54:04 counter: 21000 password: sandy
Heartbeat > 2/11/2006 21:54:16 counter: 22000 password: sis
Heartbeat > 2/11/2006 21:54:29 counter: 23000 password: stomp
Heartbeat > 2/11/2006 21:54:42 counter: 24000 password: tenor
Heartbeat > 2/11/2006 21:54:54 counter: 25000 password: tunisia
Heartbeat > 2/11/2006 21:55:07 counter: 26000 password: venerate
Heartbeat > 2/11/2006 21:55:19 counter: 27000 password: withhold

For the first password (a), the challenge program outputs “Try another one.”. The challenge program outputs this for every password in the list, until the password “obvious” is tested. When obvious is entered as the password, the output of the challenge program is “Yup, thats it!”, along with the e-mail address. Since no /search argument was provided, the Challenger program continues until the wordlist is exhausted.

The “New output>” line lists the exact output produced by the tested program, except that all newlines are replaced by a space character to make it fit on one line (for clarity, I’ve added the newlines back in this example).


Had I known that the level 1 program output “Yup, thats it!” when the correct password is entered, I could have issued this command: challenger /executable:level1.exe /dictionary:lower.lst /log:log.txt /search:Yup

And the program would stop once the correct password was found:

Found > counter: 16663 password: obvious ASSEMBLY’06 REVERSE …

It’s also possible to start a brute-force attack, like this: challenger /executable:level1.exe

This will start with password ‘a’ and try all alphanumeric combinations.

During the reversing of the level 3 challenge of F-Secure’s Khallenge, I discovered that only characters 2, 4, 6 and 8 were used in the password. So I used my Challenger program to try all combinations, while I continued reversing:

challenger /executable:level3.exe /bruteforce:2 /characters:2468 /log:log.txt

Output:

Start     > 2/11/2006 22:09:25
Start     > Challenger v1.0.0.0 (https://DidierStevens.com)
Config    > brute force
Config    > start: 2
Config    > characters: 2468
Config    > executable: level3.exe
Config    > arguments:
Config    > timeout: 100
Config    > heartbeat: 1000
Config    > search: not enabled
Config    > log: log2.txt

New output> 2 -> ASSEMBLY'06 REVERSE ENGINEERING CHALLENGE
  *** LEVEL 3 ***  Challenge
Copyright (c) 2006 F-Secure Corporation
For more information, please see http://www.f-secure.com/weblog/asm.htm
Enter password:
Nope.

Heartbeat > 2/11/2006 22:09:40 counter: 1000 password: 66428
Heartbeat > 2/11/2006 22:09:53 counter: 2000 password: 264868
Heartbeat > 2/11/2006 22:10:06 counter: 3000 password: 464628
Heartbeat > 2/11/2006 22:10:20 counter: 4000 password: 664268
Heartbeat > 2/11/2006 22:10:34 counter: 5000 password: 862828
Heartbeat > 2/11/2006 22:10:48 counter: 6000 password: 2262468
Heartbeat > 2/11/2006 22:11:02 counter: 7000 password: 2462228
...

But I found the correct password through reversing before my Challenger program found it with brute-force: the password was so long that my program would take too long…
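The dictionary and brute-force procedures described by the option list and the two runs above, as an added example written in Python (Challenger itself is C#, and this is not its source): the challenged program is started once per candidate, the candidate is written to its standard input, the program is killed if it outruns the timeout, every output not seen before is reported with newlines collapsed to spaces, and the attack stops at the first output containing the search keyword. The candidate order of the brute force (increasing length, charset order within a length) is inferred from the heartbeat lines above: with /characters:2468 the 1000th candidate is 66428 and the 2000th 264868, which is exactly what this enumeration yields. The target it runs against is a constructed stand-in for level1.exe, a small Python script that only accepts "obvious"; the 5-second default timeout is larger than Challenger's 100 ms because the stand-in pays interpreter start-up on every run.

```python
import itertools
import os
import subprocess
import sys
import tempfile
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

DEFAULT_CHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def brute_force_candidates(chars: str = DEFAULT_CHARS, start: str = "a") -> Iterator[str]:
    """Passwords of increasing length, in charset order within a length, from `start` on."""
    if not start or any(c not in chars for c in start):
        raise ValueError("start password must be non-empty and use only the attack characters")
    started = False
    for length in itertools.count(len(start)):
        for combo in itertools.product(chars, repeat=length):
            candidate = "".join(combo)
            if not started:             # skip ahead to the requested starting password
                if candidate != start:
                    continue
                started = True
            yield candidate


def candidate_at(chars: str, start: str, n: int) -> str:
    """The n-th (1-based) password the brute force would test."""
    return next(itertools.islice(brute_force_candidates(chars, start), n - 1, None))


def run_target(cmd: List[str], password: str, timeout: float) -> str:
    """Start the challenged program, feed one password on stdin, return what it printed."""
    try:
        proc = subprocess.run(cmd, input=password + "\n", capture_output=True,
                              text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "<timeout>"              # subprocess.run kills the child when it overruns
    return proc.stdout + proc.stderr


def challenge(cmd: List[str], candidates: Iterable[str], search: Optional[str] = None,
              timeout: float = 5.0, heartrate: int = 1000,
              log: Callable[[str], None] = print
              ) -> Tuple[Optional[int], Optional[str], List[Tuple[int, str, str]]]:
    """Run the attack; returns (counter, password, new_outputs), counter/password None if not found."""
    seen = set()
    new_outputs: List[Tuple[int, str, str]] = []
    for counter, password in enumerate(candidates, 1):
        output = run_target(cmd, password, timeout)
        flat = " ".join(output.split())     # newlines -> spaces so each report fits one line
        if flat not in seen:
            seen.add(flat)
            new_outputs.append((counter, password, flat))
            log("New output> %s -> %s" % (password, flat))
        if search is not None and search in output:          # case-sensitive, like /search
            log("Found     > counter: %d password: %s" % (counter, password))
            return counter, password, new_outputs
        if counter % heartrate == 0:
            log("Heartbeat > counter: %d password: %s" % (counter, password))
    return None, None, new_outputs


# Constructed stand-in for the level 1 binary: banner, prompt, verdict.
SAMPLE_TARGET = """import sys
print("CONSTRUCTED CHALLENGE (stand-in for level1.exe)")
print("Enter the password:")
pw = sys.stdin.readline().rstrip("\\r\\n")
print("Yup, thats it!" if pw == "obvious" else "Try another one.")
"""


def make_sample_target() -> List[str]:
    """Write the stand-in to a temp file and return the command line that runs it."""
    path = os.path.join(tempfile.mkdtemp(), "level1_stub.py")
    with open(path, "w") as f:
        f.write(SAMPLE_TARGET)
    return [sys.executable, path]


if __name__ == "__main__":
    wordlist = ["a", "anonymity", "obvious", "orthograph"]     # constructed mini lower.lst
    counter, password, _ = challenge(make_sample_target(), wordlist, search="Yup")
    print("found at", counter, "->", password)
    print("first brute-force candidates:",
          list(itertools.islice(brute_force_candidates("2468", "2"), 6)))
```

For a real wordlist, pass `(line.rstrip("\n") for line in open("lower.lst"))` as the candidates; for the level 3 run above, `brute_force_candidates("2468", "2")`. The 5-second timeout should be cut back to something like 0.1 for a native binary, otherwise a program that blocks on a second prompt stalls the whole attack.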

Challenger is written in C# with Microsoft Visual C# 2005 Express Edition.

Download:

Challenger_V1_0_0.zip (https)

MD5: FC71CAA3F99CB6EE9094098D60B7E4C3

Monday 30 October 2006

OllyStepNSearch v0.6.0

Filed under: Reverse Engineering — Didier Stevens @ 10:06

I’ve released a new version of my OllyDbg plugin called OllyStepNSearch.

The new features are:

  • an options dialog
  • Disable After Break option
  • Search in Information Pane
  • a new help function

And this time, there is also a demo movie here on YouTube, a hires (XviD) version can be found here.


Blog at WordPress.com.