Didier Stevens

Tuesday 28 August 2012

Update: USBVirusScan 1.7.5

Filed under: My Software,Update — Didier Stevens @ 18:56

This new version of USBVirusScan displays a banner when a USB stick is inserted. You specify the text of the banner in text file banner.txt.

Option -b enables this banner and displays it the first time a removable drive is mounted. Option -B displays the banner each time a removable drive is mounted.

You can find this new version here.

Tuesday 14 August 2012

Update: InstalledPrograms.xls V0.0.2

Filed under: My Software,Update — Didier Stevens @ 21:39

I fixed InstalledPrograms as earthsound suggested: now I include 32-bit installations on 64-bit systems (provided you use 64-bit Excel).

InstalledPrograms_V0_0_2.zip (https)
MD5: 383D9EC2B520E930A8484F1BD0B99534
SHA256: B174A5A9A366799B5C7CB99D6FD83643E5AE8155FBC52ADCEDA836FFF9281766

Wednesday 8 August 2012

Video: Hardening Windows processes

Filed under: My Software,Vulnerabilities — Didier Stevens @ 8:04

Help Net Security recorded a video with me speaking about EMET and HeapLocker at Hack In The Box Amsterdam 2012.

Friday 3 August 2012

Prefetch File 010 Template

Filed under: Forensics,My Software — Didier Stevens @ 9:49

I had some problems with a Windows XP prefetch file, so I wrote a 010 Editor template using the Forensics Wiki’s information on prefetch files.

PFTemplate.zip (https)
MD5: 11F6BB8EC0D29CBCC7C2F269E9900AF0
SHA256: 4429380778C94E47427C1753BAF91E0D8AF78985AA9F3868CF3FC07456F7BAFA
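The layout the template encodes, as an added Python parser that is not the 010 template itself and covers only the version-17 (Windows XP/2003) format: a 0x54-byte header, the file-information block at 0x54 with the last run time at 0x78 and the run count at 0x90, the UTF-16LE filename strings, and the volume entries. The point a problem file makes obvious is that every offset and size comes from the file, so each one is bounds-checked before it is used. The sample file is constructed in the code (exe name, hash value, timestamps and paths are made up); pass a real .pf path on the command line to parse that instead.

```python
import struct
from datetime import datetime, timedelta, timezone

HEADER = struct.Struct("<I4sII60sII")   # version, "SCCA", unknown, file size, exe name (UTF-16LE), hash, unknown
FILE_INFO = 0x54                        # file-information block follows the 0x54-byte header
V17_LAST_RUN, V17_RUN_COUNT = 0x78, 0x90  # version 17 (XP/2003) only; later versions move these fields
V17_VOLUME_ENTRY = 0x28                 # size of one volume-information entry in version 17
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000

def _span(data, off, size, what):
    # Every offset/size pair is attacker- or corruption-controlled data: check it before slicing.
    if off < FILE_INFO or off + size > len(data):
        raise ValueError(f"{what}: 0x{off:X}+0x{size:X} is outside the {len(data)}-byte file")
    return data[off:off + size]

def parse_prefetch_v17(data):
    if len(data) < 0x98:
        raise ValueError("file shorter than the version-17 header plus file information")
    version, sig, _, size, exe_raw, pf_hash, _ = HEADER.unpack_from(data, 0)
    if sig != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version != 17:
        raise ValueError(f"version {version}: only version 17 (Windows XP/2003) is handled here")
    if size != len(data):
        raise ValueError(f"header claims {size} bytes, file is {len(data)} bytes")
    (_metrics_off, _n_metrics, _trace_off, _n_trace, names_off, names_size,
     vol_off, n_vol, vol_size) = struct.unpack_from("<9I", data, FILE_INFO)
    names = _span(data, names_off, names_size, "filename strings")
    vols = _span(data, vol_off, vol_size, "volume information")
    if n_vol * V17_VOLUME_ENTRY > vol_size:
        raise ValueError(f"{n_vol} volume entries do not fit in 0x{vol_size:X} bytes")
    volumes = []
    for i in range(n_vol):
        # entry: device path offset (relative to vol_off), path length in chars, creation time, serial
        path_off, path_len, created, serial = struct.unpack_from("<IIQI", vols, i * V17_VOLUME_ENTRY)
        path = vols[path_off:path_off + 2 * path_len].decode("utf-16-le", "replace")
        volumes.append({"path": path, "serial": f"{serial:08X}", "created": from_filetime(created)})
    return {
        "executable": exe_raw.decode("utf-16-le", "replace").split("\x00", 1)[0],
        "hash": f"{pf_hash:08X}",            # should match the hex suffix of the .pf file name
        "last_run": from_filetime(struct.unpack_from("<Q", data, V17_LAST_RUN)[0]),
        "run_count": struct.unpack_from("<I", data, V17_RUN_COUNT)[0],
        "files": [s for s in names.decode("utf-16-le", "replace").split("\x00") if s],
        "volumes": volumes,
    }

def make_sample_v17(exe, run_count, last_run, files, volume_path, serial):
    """Construct a minimal, well-formed version-17 file (test data, not a real capture)."""
    names = "".join(f + "\x00" for f in files).encode("utf-16-le")
    vpath = volume_path.encode("utf-16-le") + b"\x00\x00"
    names_off = 0x98                         # metrics and trace-chain arrays are left empty
    vol_off = names_off + len(names)
    entry = struct.pack("<IIQIIIIII", V17_VOLUME_ENTRY, len(volume_path),
                        to_filetime(last_run), serial, 0, 0, 0, 0, 0)   # creation time reuses last_run
    vol_size = len(entry) + len(vpath)
    buf = bytearray(vol_off + vol_size)
    HEADER.pack_into(buf, 0, 17, b"SCCA", 0, len(buf), exe.encode("utf-16-le"), 0x1A2B3C4D, 0)
    struct.pack_into("<9I", buf, FILE_INFO, names_off, 0, names_off, 0,
                     names_off, len(names), vol_off, 1, vol_size)
    struct.pack_into("<Q", buf, V17_LAST_RUN, to_filetime(last_run))
    struct.pack_into("<I", buf, V17_RUN_COUNT, run_count)
    buf[names_off:vol_off] = names
    buf[vol_off:] = entry + vpath
    return bytes(buf)

SAMPLE_LAST_RUN = datetime(2012, 8, 1, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_PF = make_sample_v17("NOTEPAD.EXE", 3, SAMPLE_LAST_RUN,
                            ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
                             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"],
                            "\\DEVICE\\HARDDISKVOLUME1", 0x1C4A5B6D)

if __name__ == "__main__":
    import pprint, sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PF
    pprint.pprint(parse_prefetch_v17(data))
```

A file that fails the size or bounds checks is reported rather than parsed; extending the parser to versions 23 and 26 means only moving the last-run and run-count offsets and the entry size, the header and string layout stay the same.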

Friday 27 July 2012

My BlueHat Prize Entry: CounterHeapSpray

Filed under: My Software,Shellcode — Didier Stevens @ 10:24

Congratulations to the winners of the BlueHat Prize contest.

My entry was CounterHeapSpray:

CounterHeapSpray monitors the private memory usage of an application to guard against heap sprays. When the private memory usage of the application exceeds a predefined threshold, CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages and populate these pages with its own shellcode. When the heap spray terminates and the exploit executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will suspend all threads and display a warning message for the user. When the user clicks OK, CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode, CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.

CounterHeapSpray.zip (https)
MD5: 1947380F935AE0B1A8828DE79621F82F
SHA256: CA0BF635655EE05ABED117C858BC86ECDF3EBB4C39544D7D0C396D7C457F1BBC

Thursday 19 July 2012

UserAssist Windows 2000 Thru Windows 8

Filed under: Forensics,My Software,Update — Didier Stevens @ 13:26

I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.

Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

Friday 13 July 2012

InstalledPrograms.xls

Filed under: My Software — Didier Stevens @ 13:01

Here is a new spreadsheet that lists all installed programs. It does this by enumerating registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall.

This spreadsheet works on 32-bit and 64-bit Excel.

InstalledPrograms_V0_0_1.zip (https)
MD5: 0BF27B9D4B6316381E0AADC1777B7F8F
SHA256: 60AF8234BD10E12221CAD3D2544222819CB0CC0834E339084590860F30E0D580
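The enumeration behind the spreadsheet, as an added Python example rather than the spreadsheet's own VBA, covering the caveat from the V0.0.2 update above: a 32-bit process on 64-bit Windows is redirected to the WOW6432Node copy of the Uninstall key, so a listing that opens the key once sees only 32-bit installs (or only 64-bit ones, from a 64-bit process). Opening the key twice with KEY_WOW64_64KEY and KEY_WOW64_32KEY reads both views regardless of the process bitness, and the per-user HKCU key catches installers that never touch HKLM. The registry part needs Windows; the filtering is pure Python and runs on the constructed entries below.

```python
try:
    import winreg                      # Windows only; the filtering below runs anywhere
except ImportError:
    winreg = None

UNINSTALL_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
COLUMNS = ("DisplayName", "DisplayVersion", "Publisher", "InstallDate", "InstallLocation")

def enumerate_view(hive, access_flag, view):
    """All subkeys of the Uninstall key in one registry view, values flattened into dicts."""
    entries = []
    with winreg.OpenKey(hive, UNINSTALL_SUBKEY, 0, winreg.KEY_READ | access_flag) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name, 0, winreg.KEY_READ | access_flag) as sub:
                entry = {"_view": view, "_key": name}
                for j in range(winreg.QueryInfoKey(sub)[1]):
                    vname, vdata, _type = winreg.EnumValue(sub, j)
                    entry[vname] = vdata
                entries.append(entry)
    return entries

def read_raw_entries():
    """Both registry views of HKLM plus the per-user HKCU key (Windows only)."""
    raw = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        # On 32-bit Windows the WOW64 flags are ignored and both passes return the same
        # keys; normalize() collapses those duplicates.
        for view, flag in (("64-bit", winreg.KEY_WOW64_64KEY), ("32-bit", winreg.KEY_WOW64_32KEY)):
            try:
                raw.extend(enumerate_view(hive, flag, f"{hive_name}/{view}"))
            except FileNotFoundError:      # e.g. no per-user installs on this account
                pass
    return raw

def normalize(raw):
    """Keep what Programs and Features shows: named entries that are not system components."""
    rows, seen = [], set()
    for e in raw:
        ident = (e["_key"], e.get("DisplayName"), e.get("DisplayVersion"))
        if not e.get("DisplayName") or e.get("SystemComponent") == 1 or ident in seen:
            continue
        seen.add(ident)
        row = {c: e.get(c, "") for c in COLUMNS}
        row["View"], row["Key"] = e["_view"], e["_key"]
        rows.append(row)
    return sorted(rows, key=lambda r: (r["DisplayName"].lower(), str(r["DisplayVersion"])))

# Constructed entries shaped like enumerate_view() output (GUIDs and names are made up).
SAMPLE_RAW = [
    {"_view": "HKLM/64-bit", "_key": "{00000000-0000-0000-0000-000000000064}",
     "DisplayName": "Example Tool (64-bit)", "DisplayVersion": "1.2", "Publisher": "Example Corp",
     "InstallDate": "20120801", "InstallLocation": r"C:\Program Files\Example"},
    {"_view": "HKLM/32-bit", "_key": "{00000000-0000-0000-0000-000000000032}",
     "DisplayName": "Example Tool (32-bit)", "DisplayVersion": "1.1", "Publisher": "Example Corp"},
    {"_view": "HKLM/64-bit", "_key": "ExampleRuntime", "DisplayName": "Example Runtime",
     "SystemComponent": 1},                               # hidden from Programs and Features
    {"_view": "HKLM/32-bit", "_key": "{00000000-0000-0000-0000-0000000000AA}",
     "UninstallString": "msiexec /x {00000000-0000-0000-0000-0000000000AA}"},  # no DisplayName
]

if __name__ == "__main__":
    rows = normalize(read_raw_entries() if winreg else SAMPLE_RAW)
    for r in rows:
        print(f'{r["DisplayName"]:40} {r["DisplayVersion"]:12} {r["Publisher"]:25} {r["View"]}')
```

Run it on a 64-bit host from either a 32-bit or a 64-bit Python and the output is the same, which is exactly the property 32-bit Excel lacks because VBA's registry access goes through the redirector without the KEY_WOW64_64KEY flag.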

Thursday 5 July 2012

Nmap McAfee ePO Agent Script

Filed under: My Software,Networking — Didier Stevens @ 19:13

I’ve worked together with Daniel Miller (@bonsaiviking) on an Nmap version script to identify the McAfee ePO Agent. By default, this agent listens on port 8081 and replies to HTTP requests.

You can find the script here on the nmap site.

PORT      STATE SERVICE VERSION
8081/tcp  open  http    McAfee ePolicy Orchestrator Agent 4.5.0.1852 (ePOServerName: EPOSERVER, AgentGuid: D2E157F4-B917-4D31-BEF0-32074BADF081)
Service Info: Host: TESTSERVER

Wednesday 27 June 2012

Entropy.1sc

Filed under: My Software — Didier Stevens @ 8:29

Here is a new 010 Editor script to calculate the entropy of a file or a selection: Entropy.1sc.
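What such a script computes, as an added Python example that is not the 010 script: Shannon entropy of a whole file or of a selection, in bits per byte, plus a block-wise map, since the practical use is spotting packed, compressed or encrypted regions inside an otherwise ordinary file. The sample data is constructed in the code: a constant run (0.0), every byte value once (exactly 8.0) and some ASCII text (around 4.5).

```python
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_of_selection(data, start=0, length=None):
    """Entropy of data[start:start+length]; length=None means up to the end of the data."""
    end = len(data) if length is None else start + length
    return shannon_entropy(data[start:end])

def entropy_of_file(path, start=0, length=None):
    """Whole-file or selection entropy, mirroring the 'file or selection' choice of the script."""
    with open(path, "rb") as f:
        return entropy_of_selection(f.read(), start, length)

def entropy_map(data, block=256):
    """Entropy per fixed-size block; a jump to 7.5+ marks compressed, encrypted or packed regions."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def high_entropy_blocks(data, block=256, threshold=7.5):
    """Offsets of blocks whose entropy exceeds the threshold (a common packer/crypto cue)."""
    return [i * block for i, e in enumerate(entropy_map(data, block)) if e > threshold]

# Constructed sample: 512 zero bytes, every byte value once, then 256 bytes of English text.
SAMPLE = (b"\x00" * 512 + bytes(range(256))
          + (b"The quick brown fox jumps over the lazy dog. " * 6)[:256])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(f"whole: {shannon_entropy(data):.3f} bits/byte")
    for off, e in zip(range(0, len(data), 256), entropy_map(data)):
        print(f"0x{off:08X}  {e:5.3f}  {'#' * int(e * 4)}")
```

Entropy alone does not distinguish compression from encryption (both sit near 8.0), and short selections are noisy: a 16-byte window cannot exceed 4 bits per byte no matter what it contains, so keep blocks at a few hundred bytes or more.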

Tuesday 19 June 2012

_nomap, _nomap, _nomap, …

Filed under: Entertainment,My Software,WiFi — Didier Stevens @ 20:50

About three years ago I released a Python program to send out WiFi beacon frames with an AirPCap adapter. During my last holiday, I took some time to add a new feature to apc-b.py: option nomap.

When you start apc-b.py with option nomap, it first listens for 60 seconds and records all ESSIDs it finds in beacon frames. Then it starts to broadcast beacon frames for these ESSIDs, but with the string _nomap appended to each ESSID.

apc-b_v0_2_0.zip (https)
MD5: 849DE418A1F325B9DC133DBE2E7CC501
SHA256: C3F28DCEFE6FF747780E384E49BB4D373BC983518C592E1BB18E8455F78E7F95
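The listen-then-rebroadcast logic described above, as an added Python example that is not apc-b.py itself: it pulls the SSID element out of captured beacon frames and builds the _nomap beacons, leaving the actual capture and transmission (the AirPcap adapter) out, so the frames below are constructed. Two details the post does not cover are handled here as assumptions of this example: an SSID that would exceed the 32-byte limit after the suffix is truncated so the result still fits, and an SSID that already ends in _nomap is left alone.

```python
import struct

BROADCAST = b"\xff" * 6
SSID_MAX = 32              # 802.11 caps the SSID element at 32 bytes
NOMAP = b"_nomap"
MGMT_HEADER_LEN = 24       # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12      # timestamp (8), beacon interval (2), capability (2)

def build_beacon(ssid, bssid, channel=6, seq=0):
    """Minimal beacon frame (no FCS): management header, fixed fields, SSID/rates/DS elements."""
    if len(ssid) > SSID_MAX:
        raise ValueError("SSID longer than 32 bytes")
    header = (b"\x80\x00" + b"\x00\x00"                  # FC: type 0 (mgmt), subtype 8 (beacon); duration
              + BROADCAST + bssid + bssid                # DA = broadcast, SA = BSSID = sending adapter
              + struct.pack("<H", (seq & 0xFFF) << 4))   # sequence number, fragment 0
    fixed = struct.pack("<QHH", 0, 100, 0x0001)          # timestamp, 100 TU interval, capability: ESS
    elements = (bytes([0, len(ssid)]) + ssid             # element 0: SSID
                + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # element 1: basic rates 1/2/5.5/11 Mbit/s
                + bytes([3, 1, channel]))                 # element 3: DS parameter set (channel)
    return header + fixed + elements

def beacon_ssid(frame):
    """SSID of a beacon frame, or None for non-beacons, hidden SSIDs and malformed elements."""
    if len(frame) < MGMT_HEADER_LEN + BEACON_FIXED_LEN or frame[0] != 0x80:
        return None
    pos = MGMT_HEADER_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):
        eid, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:             # element runs past the end of the frame: do not trust it
            return None
        if eid == 0:
            return body or None            # zero-length SSID means a hidden network
        pos += 2 + length
    return None

def nomap_ssid(ssid):
    """Append _nomap, truncating the original so the result still fits in 32 bytes (assumption)."""
    if ssid.endswith(NOMAP):
        return ssid
    return ssid[:SSID_MAX - len(NOMAP)] + NOMAP

def collect_ssids(frames):
    """Listening phase: unique SSIDs seen in beacon frames, in first-seen order."""
    seen = []
    for f in frames:
        s = beacon_ssid(f)
        if s is not None and s not in seen:
            seen.append(s)
    return seen

def nomap_beacons(frames, bssid, channel=6):
    """Broadcast phase: one beacon per collected SSID, each with _nomap appended."""
    return [build_beacon(nomap_ssid(s), bssid, channel, seq=i)
            for i, s in enumerate(collect_ssids(frames))]

# Constructed capture: two networks (one seen twice), a hidden SSID, and a truncated frame.
AP1, AP2, OURS = bytes.fromhex("00112233aa01"), bytes.fromhex("00112233aa02"), bytes.fromhex("00112233ff00")
SAMPLE_FRAMES = [
    build_beacon(b"CoffeeShop", AP1), build_beacon(b"Home-Net", AP2, channel=11),
    build_beacon(b"CoffeeShop", AP1, seq=1), build_beacon(b"", AP2),
    build_beacon(b"CoffeeShop", AP1)[:40],
]

if __name__ == "__main__":
    for f in nomap_beacons(SAMPLE_FRAMES, OURS):
        print(beacon_ssid(f), f.hex())
```

The element walk stops at the first element whose declared length overruns the frame; on a live capture that is the difference between a monitor that keeps running and one that crashes on the first malformed beacon it sees.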
