Didier Stevens

Friday 11 November 2022

Update: oledump.py Version 0.0.71

Filed under: Uncategorized — Didier Stevens @ 0:00

A new plugin and an updated plugin.

Plugin plugin_dttm is a plugin for Word documents: it searches for Dop structures. They contain DTTM timestamps.

And plugin plugin_metadata has been updated to parse digital signatures (option -s).

oledump_V0_0_71.zip (http)
MD5: BA1142136F28DB218BADEAA642EA0EA9
SHA256: FA09766D138A1AA60523B487D947BF29222D409CF1FCE078DE61BF62768A5950

Tuesday 1 November 2022

Overview of Content Published in October

Filed under: Announcement,Uncategorized — Didier Stevens @ 0:00
Here is an overview of content I published in October:

Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:

Wednesday 20 July 2022

Update: sortcanon Version 0.0.2

Filed under: Uncategorized — Didier Stevens @ 0:00

This new version adds a sort function to sort email addresses by domain first.

sortcanon_V0_0_2.zip (http)
MD5: ED6DBE384707778E765C9BD6B6880C05
SHA256: 190922F347AC1B32D0CE503D1763F27A250D9BFDD15CB911EA4435BAB7E69CD3

Monday 4 April 2022

.ISO Files With Office Maldocs & Protected View in Office 2019 and 2021

Filed under: maldoc,Malware,Uncategorized — Didier Stevens @ 0:00

We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.

One of the reasons to do this is to evade “mark-of-web” propagation.

When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications will mark this file as coming from the Internet. This is done with a ZoneIdentifier Alternate Data Stream (like a “mark-of-web”).

When a Microsoft Office application, like Word, opens a document with a ZoneIdentifier ADS, the document is opened in Protected View (i.e., sandboxed).

But when an Office document is stored inside an ISO file, and that ISO has a ZoneIdentifier ADS, then Word will not open the document in Protected View. That is something I observed 5 years ago.

But this has changed recently. When exactly, I don’t know (update: August 2021).

Now, when I open an Office document stored inside an ISO file marked with a ZoneIdentifier ADS, Office 2021 opens the document in Protected View:

With an unpatched version of Office 2019 that I installed a year ago, that same file is not opened in Protected View:

After updating Office:

Word’s behavior has changed:

The file is now opened in Protected View.

If you want to test this yourself, you can use my ZoneIdentifier tool to easily set a “mark-of-web” without having to download your test file from the Internet:

Or you can just add the ZoneIdentifier ADS with notepad.

I did the same test with Office 2016: I updated an old installation, and the document is not opened in Protected View.

I don’t know exactly when Microsoft Office 2019 was updated so that it would open documents in Protected View when they are inside an ISO file marked as originating from the Internet. But if you do know, please post a comment.

Update: this change happened in August 2021. See comments below. Thanks Philippe.
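To reproduce the test described above, here is an added example (my own code, not the post's ZoneIdentifier tool) that reads or writes the Zone.Identifier stream on a file such as a test ISO. The function names, ZONE_NAMES table and sample HostUrl are my assumptions; the on-disk stream access only works on NTFS under Windows, while the parse and build helpers run anywhere.

```python
"""Inspect or set the Zone.Identifier ADS (the "mark-of-web") on a file.
Added example, not the original post's code nor the ZoneIdentifier tool. Reading
and writing the stream only works on NTFS under Windows; the helpers run anywhere."""
import os

# URLZONE values as Windows uses them in the ZoneId field.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}

def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    fields, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif line.startswith("["):
            in_section = False
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields

def build_zone_identifier(zone_id: int = 3, host_url: str = "") -> str:
    """Build the stream content a browser or mail client writes (CRLF line ends)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"

def read_mark_of_web(path: str):
    """Return the parsed fields, or None when the file has no Zone.Identifier stream."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:  # stream absent, file missing, or not an NTFS volume
        return None

def mark_from_internet(path: str, host_url: str = "") -> None:
    """Tag a test file (e.g. an ISO) as Internet-origin, so Office treats it as untrusted."""
    if os.name != "nt":
        raise OSError("alternate data streams require NTFS on Windows")
    with open(path + ":Zone.Identifier", "w", encoding="utf-8", newline="") as stream:
        stream.write(build_zone_identifier(3, host_url))
```

Call mark_from_internet() on a copy of your test ISO, confirm with read_mark_of_web() that ZoneId is 3, then open the document inside it to see whether your Office build applies Protected View.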

Tuesday 30 November 2021

Update: cs-extract-key.py Version 0.0.3

Filed under: Uncategorized — Didier Stevens @ 0:00

This update brings a new option: -V --verbose.

Verbose output includes a hex/ASCII dump of the decrypted data:

cs-extract-key_V0_0_3.zip (https)
MD5: C40C96B68701369F41EB6731FD83B28B
SHA256: CBB5EC3C8C36931D56AB42E3086CF7E95ABC7782D74F30DDCCF874BD4E89B6BB

Friday 20 August 2021

Update: pdf-parser.py Version 0.7.5

Filed under: My Software,PDF,Uncategorized,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdf-parser_V0_7_5.zip (https)
MD5: D39E98981E6FEA48BF61CA2F78ED0B09
SHA256: 5D970AFAC501A71D4FDDEECBD63060062226BF1D587A6A74702DDA79B5C2D3FB

Monday 28 November 2016

Update: pdf-parser Version 0.6.6

Filed under: Uncategorized — Didier Stevens @ 0:00

This new version of pdf-parser is a bugfix for /FLATEDECODE.

pdf-parser_V0_6_6.zip (https)
MD5: 47326468E1B5A1AF7BB8AD63688804D9
SHA256: 51C9B25B939B135D9949E51463F58ECEC0BEBEFB9C0EAA0B93326CBFB4D8F061

Monday 21 November 2016

Update: base64dump.py Version 0.0.5

Filed under: My Software,Uncategorized — Didier Stevens @ 0:00

This new version supports different encodings besides base64 (but the name remains base64dump).

The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).

Here’s an example with escaped unicode in JavaScript (%u), namely a PDF with shellcode in JavaScript:

The shellcode, escaped with %u, can be extracted with base64dump:

There’s also a new option to do a string dump: -S

And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.

base64dump_V0_0_5.zip (https)
MD5: 7AACFD3E34FEAAF41897F60FBC5279A3
SHA256: B4AB7B3A9D2947F08C6CC94F88CD825C9B2B63EE65AF7475E66BE9565EC4337A
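As an added example of what the pu, bu and hex encodings above decode (my own code, not base64dump's), the following extracts %u-, \u- and hex-escaped byte runs from data and reports the unique-byte count. The pattern names follow base64dump; the function names and the constructed JavaScript sample (carrying harmless text where a real sample would carry shellcode) are my assumptions.

```python
"""Extract %u-, \\u- and hex-escaped byte runs, in the spirit of the pu, bu and
hex encodings base64dump gained in this version.
Added example, not base64dump's own code; the JavaScript sample is constructed."""
import re
import struct

# Encoding names follow base64dump: pu = %uXXXX, bu = \uXXXX, hex = plain hex pairs.
PATTERNS = {
    "pu": re.compile(rb"(?:%u[0-9A-Fa-f]{4})+"),
    "bu": re.compile(rb"(?:\\u[0-9A-Fa-f]{4})+"),
    "hex": re.compile(rb"(?:[0-9A-Fa-f]{2}){4,}"),
}

def decode_unicode_escapes(run: bytes) -> bytes:
    """Each XXXX is one 16-bit word; unescape() in JavaScript stores it little-endian."""
    out = bytearray()
    for word in re.findall(rb"[0-9A-Fa-f]{4}", run):
        out += struct.pack("<H", int(word, 16))
    return bytes(out)

def find_runs(data: bytes, encoding: str, minlen: int = 4) -> list:
    """Return (offset, decoded_bytes) for each run of the encoding at least minlen bytes long."""
    results = []
    for match in PATTERNS[encoding].finditer(data):
        run = match.group(0)
        if encoding == "hex":
            decoded = bytes.fromhex(run.decode("ascii"))   # the pattern only matches whole pairs
        else:
            decoded = decode_unicode_escapes(run)
        if len(decoded) >= minlen:
            results.append((match.start(), decoded))
    return results

def unique_bytes(data: bytes) -> int:
    """Count of distinct byte values: shellcode scores high, ASCII text scores low."""
    return len(set(data))

# Constructed sample: JavaScript of the kind found in malicious PDFs, but carrying
# the harmless text "Hello, World!" instead of shellcode.
SAMPLE_JS = (b'var sc = unescape("%u6548%u6c6c%u2c6f%u5720%u726f%u646c%u0021");'
             b'var s2 = "\\u6548\\u6c6c"; var h = "48656c6c6f";')

if __name__ == "__main__":
    for enc in PATTERNS:
        for offset, blob in find_runs(SAMPLE_JS, enc):
            print(f"{enc} @ {offset}: {blob!r} ({unique_bytes(blob)} unique bytes)")
```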

Monday 30 November 2015

Update: Authenticode Tools

Filed under: Uncategorized — Didier Stevens @ 0:00

I released new versions of my AnalyzePESig and ListModules authenticode tools.

Extra information fields were added to the output of the tools, and the tools were adapted to use the SE_BACKUP_NAME privilege, which lets them read files even when the permissions do not allow it (when running as an elevated administrator).

A new field that might require some extra explanation is the DEROIDHash field. The DEROIDHash is a SHA-256 hash of the DER structure and OID numbers of a PKCS7 signature: it’s the SHA-256 hash of the bytes that make up the PKCS7 signature, except for the data. In other words, it’s the SHA-256 hash of the DER bytes that specify the tags and the OID numbers. Signatures with the same structure and OID numbers share the same DEROIDHash.

For example, if a new version of a signed executable is released and the DEROIDHash value is different from the previous version, then the author has changed his/her signing process or is using a certificate with a different structure; or the executable was signed by another party using another signing process.
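An added example, not AnalyzePESig's own implementation, that computes such a structure-and-OID hash over a DER blob. It rests on my assumption (not stated in the post) that the hashed bytes are exactly every element's tag bytes plus the value of each OBJECT IDENTIFIER, with length bytes and all other contents left out; the three short DER samples and the function names are mine.

```python
"""Hash the DER structure and OIDs of a PKCS7 blob, in the spirit of the DEROIDHash field.
Added example, not the AnalyzePESig implementation: it assumes the field covers exactly
the tag bytes plus the contents of OBJECT IDENTIFIER elements (lengths and all other
primitive contents excluded); the DER samples below are constructed."""
import hashlib

def _read_header(data: bytes, pos: int):
    """Parse one DER tag+length at pos -> (tag_bytes, constructed, content_start, content_end)."""
    start, first = pos, data[pos]
    pos += 1
    if first & 0x1F == 0x1F:              # high tag number form: more bytes while bit 7 is set
        while data[pos] & 0x80:
            pos += 1
        pos += 1
    tag = data[start:pos]
    length = data[pos]
    pos += 1
    if length & 0x80:                     # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past the end of the data")
    return tag, bool(first & 0x20), pos, end

def _walk(data: bytes, pos: int, end: int, out: bytearray) -> None:
    """Collect tag bytes of every element and value bytes of OIDs only, depth first."""
    while pos < end:
        tag, constructed, cstart, cend = _read_header(data, pos)
        out += tag
        if constructed:
            _walk(data, cstart, cend, out)
        elif tag[0] == 0x06:              # OBJECT IDENTIFIER: the OID itself is part of the shape
            out += data[cstart:cend]
        pos = cend

def structural_bytes(der: bytes) -> bytes:
    """The bytes the hash covers under the assumption above; data-only changes leave them unchanged."""
    out = bytearray()
    _walk(der, 0, len(der), out)
    return bytes(out)

def der_oid_hash(der: bytes) -> str:
    return hashlib.sha256(structural_bytes(der)).hexdigest()

# Constructed samples: SEQUENCE { OID, NULL, OCTET STRING }, shaped like an
# AlgorithmIdentifier followed by a digest value (sha256 vs sha1 OID, "ab" vs "cd" data).
SHA256_WITH_AB = bytes.fromhex("3011" "0609608648016503040201" "0500" "04026162")
SHA256_WITH_CD = bytes.fromhex("3011" "0609608648016503040201" "0500" "04026364")
SHA1_WITH_AB = bytes.fromhex("300d" "06052b0e03021a" "0500" "04026162")
```

The first two samples differ only in the octet string and hash identically, while swapping the digest OID changes the result, which is the behaviour the paragraph above describes.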

Thursday 31 July 2014

Videos

Filed under: Uncategorized — Didier Stevens @ 8:50

I plan to produce short videos more frequently. I will not post them all here on my blog, I’ve created another blog for all my videos:
videos.didierstevens.com.

The RSS is http://videos.didierstevens.com/feed/.

And from time to time, I’ll repost an old video on that feed.
