I had a locksmith make a duplicate key of my mailbox lock, and it didn’t work (didn’t open the lock).
The cutting looked good, I saw no difference with the original key.
Until I noticed this notch:
Turns out this notch accepts this tiny “bump” on the cylinder:
This notch was missing on the duplicate. I milled a notch and now the duplicate key opens the lock:
A new plugin and an updated plugin.
Plugin plugin_dttm is a plugin for Word documents: it searches for Dop structures. They contain DTTM timestamps.
And plugin plugin_metadata has been updated to parse digital signatures (option -s).
oledump_V0_0_71.zip (http)This new version adds a sort function to sort email addresses by domain first.
sortcanon_V0_0_2.zip (http)We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.
One of the reasons to do this, is to evade “mark-of-web propagation”.
When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications will mark this file as coming from the Internet. This is done with a ZoneIdentifier Alternate Data Stream (like a “mark-of-web”).
When a Microsoft Office application, like Word, opens a document with a ZoneIdentifier ADS, the document is opened in Protected View (e.g., sandboxed).
But when an Office document is stored inside an ISO file, and that ISO has a ZoneIdentifier ADS, then Word will not open the document in Protected View. That is something I observed 5 years ago.
But this has changed recently. When exactly, I don’t know (update: August 2021).
But when I open an Office document stored inside an ISO file marked with a ZoneIdentifier ADS, Office 2021 will open the document in protected view:
With an unpatched version of Office 2019, that I installed a year ago, that same file is not opened in Protected View:
After updating Office:
Word’s behavior has changed:
The file is now opened in Protected View.
If you want to test this yourself, you can use my ZoneIdentifier tool to easily settings a “mark-of-web” without having to download your test file from the Internet:
Or you can just add the ZoneIdentifier ADS with notepad.
I did the same test with Office 2016, I updated an old version and: the document is not opened in Protected View.
I don’t know exactly when Microsoft Office 2019 was updated so that it would open documents in Protected View when they are inside an ISO file marked as originating from the Internet. But if you do know, please post a comment.
Update: this change happened in August 2021. See comments below. Thanks Philippe.
This update brings a new option: -V –verbose.
Verbose output includes an hex/ascii dump of the decrypted data:
This is a bug fix version.
pdf-parser_V0_7_5.zip (https)This new version of pdf-parser is a bugfix for /FLATEDECODE.
pdf-parser_V0_6_6.zip (https)
MD5: 47326468E1B5A1AF7BB8AD63688804D9
SHA256: 51C9B25B939B135D9949E51463F58ECEC0BEBEFB9C0EAA0B93326CBFB4D8F061
This new version supports different encodings besides base64 (but the name remains base64dump).
The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).
Here’s an example with escaped unicode in JavaScript (%u), namely a PDF with shellcode in JavaScript:
The shellcode, escaped with %u, can be extracted with base64dump:
There’s also a new option to do a string dump: -S
And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.
base64dump_V0_0_5.zip (https)
MD5: 7AACFD3E34FEAAF41897F60FBC5279A3
SHA256: B4AB7B3A9D2947F08C6CC94F88CD825C9B2B63EE65AF7475E66BE9565EC4337A
I released new versions of my AnalyzePESig and ListModules authenticode tools.
Extra fields with information were added to the output of the tools, and the tools were adapted to use the SE_BACKUP_NAME privilege, giving the tools the privilege to read files even when the permissions do not allow it (running as administrator and elevated).
A new field that might require some extra explanation is the DEROIDHash field. The DEROIDHash is a sha-256 hash of the DER structure and OID numbers of a PKCS7 signature: it’s the sha-256 hash of the bytes that make up the PKCS7 signature, except for the data. In other words, it’s the sha-256 hash of the DER bytes that specify the tags and the OID numbers. Signatures with the same structure and OID numbers share the same DEROIDhash.
For example, if a new version of a signed executable is released and the DEROIDHash value is different from the previous version, then the author has changed his/her signing process or is using a certificate with a different structure; or the executable was signed by another party using another signing process.
Didier Stevens 