Didier Stevens

Wednesday 30 December 2009

Detecting EICAR With a .NET Micro-controller

Filed under: .NET,Entertainment,Hardware — Didier Stevens @ 22:07

I’ve been playing with a .NET Micro Framework micro-controller: the USBizi. A few of its interesting characteristics are that you program it in C# with Visual Studio and that in-circuit debugging (including single-stepping) is supported.

The .NET Micro Framework has no assemblies to support USB in host mode (only guest mode), but the USBizi comes with assemblies for host mode providing support for removable drives like USB sticks. To illustrate this feature, I wrote a program to scan the files on a USB stick for the EICAR test file and replace the content with a message appropriate for the time of the year.

Some ideas I’ve for this device: program it as a hardware keylogger, a hardware password vault, …

using System.Threading;
using System;
using System.IO;
using Microsoft.SPOT.Hardware;
using Microsoft.SPOT;
using Microsoft.SPOT.IO;
using GHIElectronics.System.SystemDevices;
using GHIElectronics.System;
using GHIElectronics.System.IO;
using GHIElectronics.Hardware;

namespace USBiziEICARDetector
{
    public class Program
    {
        static string sEICAR = @"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";

        static void Main()
        {
            Boolean bFoundEicar;
            Debug.Print("Starting...");
            while (true)
            {
                // must start system first, no event is associated
                SystemManager.Start(null);
                // wait till we have a device
                while (SystemManager.GetDevices().Length == 0)
                    Thread.Sleep(500);
                // get a list of devices
                Device[] devices = SystemManager.GetDevices();
                // look for a device
                foreach (Device device in devices)
                {
                    // this loop will run once for every device
                    if (device.deviceType == DeviceType.Drive)
                    {
                        try
                        {
                            // USB drive is inserted
                            // Create a new storage device
                            PersistentStorage PS = new PersistentStorage(device.deviceID);
                            // now everything works just like on SD cards....
                            // Mount the file system
                            PS.MountFileSystem();
                            // Assume one storage device is available, access it through NETMF
                            string rootDirectory = VolumeInfo.GetVolumes()[0].RootDirectory;
                            bFoundEicar = false;
                            string[] files = Directory.GetFiles(rootDirectory);
                            Debug.Print("Files on root of USB drive...");
                            foreach (string file in files)
                            {
                                Debug.Print(file);
                                Boolean bFileIsEICAR = false;
                                FileStream fs = File.OpenRead(file);
                                Debug.Print(fs.Length.ToString());
                                if (fs.Length == sEICAR.Length)
                                {
                                    char[] acEICAR = sEICAR.ToCharArray();
                                    for (int iIter = 0; iIter < sEICAR.Length; iIter++)
                                    {
                                        int iByte = fs.ReadByte();
                                        if (acEICAR[iIter] != iByte)
                                            break;
                                        if (iIter == sEICAR.Length - 1)
                                        {
                                            bFoundEicar = true;
                                            bFileIsEICAR = true;
                                        }
                                    }
                                }
                                fs.Close();
                                if (bFileIsEICAR)
                                {
                                    byte[] abHappyNewYear2010 = {
                                        0x0D, 0x0A, 0x0D, 0x0A, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20,
                                        0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20,
                                        0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58,
                                        0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20,
                                        0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20,
                                        0x20, 0x20, 0x58, 0x0D, 0x0A, 0x20, 0x58, 0x58, 0x58, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x20, 0x58, 0x20, 0x20, 0x58,
                                        0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58,
                                        0x58, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
                                        0x20, 0x58, 0x0D, 0x0A, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58,
                                        0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x58, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x58, 0x58, 0x0D, 0x0A, 0x0D, 0x0A};

                                    File.WriteAllBytes(file, abHappyNewYear2010);
                                    Debug.Print("EICAR found!");
                                }
                            }
                            Debug.Print("... end of list!");
                            // if we need to unmount
                            Thread.Sleep(500);
                            PS.UnmountFileSystem();
                            Thread.Sleep(500);
                            PS.Remove();
                            OutputPort LED = new OutputPort(USBizi.Pins.E2x, false);
                            if (bFoundEicar)
                            {
                                Debug.Print("bFoundEicar = true");
                                BlinkXTimes(LED, 4, 300);
                            }
                            else
                            {
                                Debug.Print("bFoundEicar = false");
                                BlinkXTimes(LED, 2, 300);
                            }
                        }
                        catch (Exception e)
                        {
                            Debug.Print("Exception:");
                            Debug.Print(e.Message);
                        }
                    }
                }
                Thread.Sleep(500);
                SystemManager.Reboot(SystemManager.RebootMode.Normal);
            }
        }

        public static void BlinkXTimes(OutputPort LED, int times, int milliseconds)
        {
            for (int i = 0; i < times; i++)
            {
                LED.Write(true);
                Thread.Sleep(milliseconds);
                LED.Write(false);
                Thread.Sleep(milliseconds);
            }
        }
    }
}

Wednesday 23 December 2009

LoadDLLViaAppInit

Filed under: My Software — Didier Stevens @ 12:20

How do you load a DLL in every new process on a Windows machine? One way to do this is the AppInit_DLLs registry key (this key is frequently abused by malware). Every new process loading user32.dll, also loads the DLLs listed in AppInit_DLLs on startup.

But you can’t use this key to load hook-createprocess.dll, because it will load it in every process, and your Windows machine will stop working.

To selectively load DLLs, I developed a new DLL: LoadDLLViaAppInit.dll. Copy LoadDLLViaAppInit.dll to system32 and add it to the AppInit_DLLs registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows). This way it gets loaded in every new process. LoadDLLViaAppInit.dll will consult config file LoadDLLViaAppInit.bl.txt in system32, this config file contains the list of processes we want to load a particular DLL into. Here’s an example:

acrord32.exe    hook-createprocess.dll
winword.exe    hook-createprocess.dll
excel.exe    hook-createprocess.dll
powerpnt.exe    hook-createprocess.dll

This config file instructs LoadDLLViaAppInit.dll to load hook-createprocess.dll into Adobe Acrobat (acrord32.exe) and Microsoft Office (Word, Excel and PowerPoint). Important remark: the separator between the executable name and the dll name must be a TAB character. For debugging purposes, LoadDLLViaAppInit.dll logs the DLLs it loads to the debug console.

If you want to prevent a DLL from being loaded (for example to allow Adobe Reader to update itself), you’ll just have to temporarily modify the config file. And be careful with this tool, a wrong configuration can render your machine unusable (for example, if you load hook-createprocess.dll into every process, Windows won’t be able to create new processes).

Be sure to allow only administrators to write to the config file, otherwise you’re opening your machine to elevation attacks.

Starting with Windows Vista, AppInit_DLLs is not enabled by default for security reasons (it’s used a lot by malware). To enable it, you’ve to set the value of LoadAppInit_DLLs to 1. But be aware that this makes your Windows Vista (and later) machine less secure, as from then on, malware will also be able to use AppInit_DLLs to autorun.

Download:

LoadDLLViaAppInit_V0_0_0_1.zip (https)

MD5: 60B93BAF4B0F973C3EC920F2F4A180E8

SHA256: 3B528A3BAF593A2740D5655CF18BC0932801D4DF1750DE8F9C8229C0FF51E8BE

Sunday 20 December 2009

Quickpost: Read-Only USB Stick

Filed under: Forensics,Hardware,Quickpost — Didier Stevens @ 20:52

When someone asks me for a read-only USB stick, I recommend to use an SD card with a SD-to-USB adapter, because these are easier to find than USB sticks with write-protection. Most SD cards have a write-protection tab.

But last time I got a surprise: when testing a new SD card reader, I was able to write to the write-protected SD card. Turns out that this particular SD card reader doesn’t support the write-protection tab and always allows the OS to write to the SD card.

Quickpost info

Friday 4 December 2009

Quickpost: New EICARgen Version

Filed under: My Software,Quickpost — Didier Stevens @ 14:58

I never expected to release a new version of EICARgen, but I’m forced to: EICARgen.exe generates just too many false positives.

The new version contains the EICAR string an XOR-encode string (key 0xFF). It has only a couple of detections. Kaspersky and VBA32 shouldn’t actually detect this. EICAR clearly specifies that the presence of the EICAR test string inside a file (like an executable) shouldn’t be detected. As to why AVG needs to detect EICAR test file droppers, I have no idea…

Quickpost info

Sunday 22 November 2009

Quickpost: SelectMyParent or Playing With the Windows Process Tree

Filed under: Forensics,My Software,Windows 7,Windows Vista — Didier Stevens @ 20:36

I read something very interesting in “Windows via C/C++” today: starting with Windows Vista, CreateProcess can start a program where you specify the parent process! This is something forensic investigators must be aware of when they analyse processes running on a Windows machine.

Normally the parent process of a new process is the process that created the new process (via CreateProcess). But when using STARTUPINFOEX with the right LPPROC_THREAD_ATTRIBUTE_LIST to create a process, you can arbitrarely specify the parent process, provided you have the rights (i.e. it’s your process or you have debug rights).

I developed a small tool to start a program while specifying its parent process: SelectMyParent. Here I use it to start notepad as a child of lsass.exe:

2 remarks about this example:

  1. to make lsass.exe a parent process, you need to use SelectMyParent with admin rights and elevate its rights (Run as administrator)
  2. the notepad process takes over the parent process’ account: NT AUTHORITY\SYSTEM

I don’t know how one can detect that a process’ parent is not the process that created it, because a process has no access to its extended startup info (only to its startup info). And it is the extended startup info that contains the attribute list with the handle to the parent process.

SelectMyParent version 0.0.0.1 is available here.

Quickpost info

 

Thursday 19 November 2009

Update: bpmtk with hook-createprocess.dll

Filed under: bpmtk,Hacking,My Software,PDF,Update — Didier Stevens @ 19:32

There are no real changes in this new version of bpmtk, only a new DLL (hook-createprocess.dll) was added. You can use this DLL to protect your Windows machine from getting infected by the current malicious documents found in-the-wild.

You can download bpmtk version 0.1.6.0 here.

Hook-createprocess.dll is a DLL that patches the process into which it is loaded to prevent it from creating new processes. It does this by patching the Import Address Table of kernel32.dll for ntdll.dll to hook API functions NtCreateProcessEx, NtCreateProcess and NtCreateUserProcess.
Calls to these functions are intercepted and not passed on to the original functions. Instead, a code is returned indicating that the operation was blocked. The result is that functions in kernel32 used to create new processes fail (like WinExec) and hence that the patched process can’t create new processes.
This is all it takes to block most shellcode found in malicious documents like PDF malware. Shellcode like this does the following:


Of course, since this protective measure is taken by patching the process, shellcode could undo this patching and bypass our protection. Or it could use the ntdll API and not be hindered by our patch. But actual malware found in-the-wild doesn’t do this (not talking about targeted attacks) and is thus prevented from executing the trojan it just downloaded or extracted from the PDF document.

If you want better protection, you’ll have to use something that works at the level of the kernel, like sandboxing software.

However, this patch comes with some drawbacks, because it also blocks bening new processes. For example, the update function of Adobe Acrobat requires the creation of a new process. To reenable the creation of processes, you have to unload hook-createprocess.dll (unloading removes the hooks). bpmtk has a function to unload DLLs from a process (reject).

There are a couple of trick to load this DLL with the program you want to protect. I’ll describe a generic method in an upcoming post, but now I want to explain it for a specific program.
Programs have a list of DLLs they need for their execution. We will use a PE-file editor to add our hook-createprocess.dll to this list. hook-createprocess.dll exports a dummy function (_Dummy) just so you can add to the imports table of an executable. We will use LordPE to add hook-createprocess.dll with _Dummy to Adobe Reader:

Right-click the Import table:

And don’t forget to save…

Monday 9 November 2009

Quickpost: “Hiding” a PDF Document

Filed under: Entertainment,My Software,PDF,Quickpost — Didier Stevens @ 15:00

Here’s some Python code (it uses my mPDF module) to append a new PDF document to an existing PDF document to “hide” the original document. Recovering the original is trivial, you open the PDF document with a HEX-editor and delete the appended document (starting after the second %%EOF counting from the end of the file). This trick uses incremental updates.

20091107-172245

#!/usr/bin/python

__description__ = 'make-pdf-hide-original, use it to "hide" the original PDF document'
__author__ = 'Didier Stevens'
__version__ = '0.0.1'
__date__ = '2009/11/07'

"""
Source code put in public domain by Didier Stevens, no Copyright
https://DidierStevens.com
Use at your own risk

History:
 2009/11/07: start

Todo:

"""

import mPDF
import time
import zlib
import optparse

def Main():
    oParser = optparse.OptionParser(usage='usage: %prog [options] pdf-file\n' + __description__, version='%prog ' + __version__)
    oParser.add_option('-s', '--line', default='Hello World', help='The line of text to print on the screen (default Hello World')
    (options, args) = oParser.parse_args()

    if len(args) != 1:
        oParser.print_help()
        print ''
        print '  %s' % __description__
        print '  Source code put in the public domain by Didier Stevens, no Copyright'
        print '  Use at your own risk'
        print '  https://DidierStevens.com'

    else:
        pdffile = args[0]
        oPDF = mPDF.cPDF(pdffile)
        oPDF.template1()
        oPDF.stream(5, 0, 'BT /F1 24 Tf 100 700 Td (%s) Tj ET' % options.line)
        oPDF.xrefAndTrailer('1 0 R')

if __name__ == '__main__':
   Main()

Quickpost info

 

Monday 2 November 2009

CVE-2009-2979 Or The XML-Bombed PDF

Filed under: PDF,Vulnerabilities — Didier Stevens @ 7:15

The Extensible Metadata Platform is an Adobe standard to represent metadata with XML.

More than a year ago, I added an XML-bomb to XMP-data inside a PDF document:

20091031-194428

As this made Adobe Reader 8 & 9 crash, I reported it to Adobe. It has been fixed with the last patch cycle.

Why do I disclose the details of this vulnerability? Because XMP is not only intended to be used in PDF documents, but many other file formats. So be sure to check your software for this vulnerability.

Wednesday 21 October 2009

A Windows 7 Launch Party Trick!

Filed under: Entertainment,Forensics,My Software,Windows 7 — Didier Stevens @ 17:19

In search of a new trick for that Windows 7 Launch Party you’re invited to? 😉

Here’s one:

20091021-190621

You can download a beta version of my UserAssist tool here. Soon I’ll be posting a final version with details and source code.

Wednesday 14 October 2009

Update: WhoAmI? Version 0.1.3

Filed under: My Software,Update — Didier Stevens @ 18:00

I’ve updated my WhoAmI? Firefox add-on for Firefox version 3.5.

You can download it here or get it from the Mozilla site. I’ve nominated it to leave the Sandbox. If you use it, please post a review on the Mozilla page to help it on its way out of the the Sandbox (or keep it there if it’s too buggy).

« Previous PageNext Page »

Blog at WordPress.com.