Didier Stevens

Thursday 25 June 2009

bpmtk: Injecting VBScript

Filed under: bpmtk,Hacking,My Software — Didier Stevens @ 7:03

Here’s a new trick: injecting VBScript in a process. I’ve developed a DLL that will create a COM instance of the VBScripting engine and let it execute a VBScript. Injecting this DLL in a running program results in execution of the VBScript in the context of the running program. Here’s an example where I wrote a VBScript to search and replace a string in the memory of the notepad process:

Here is part of the VBScript I developed to search and replace inside the memory of a process. It uses custom methods like Peek, Poke and Output that I’ve added to the scripting engine:

20090609-205420

I’ll provide more details in an upcoming blogpost on bpmtk version 0.1.5.0, but you can already download it here.

YouTube, Vimeo and hires Xvid.

Monday 15 June 2009

Quickpost: Arduino XBee Shield Series 2 Configuration

Filed under: Hardware,Quickpost — Didier Stevens @ 8:08

I couldn’t get my 2 Arduinos with an XBee shield to talk to each other, despite the instructions on the Arduino site.

The XBee shields I obtained use a XBee series 2 module, while the instructions on the Arduino site are for the older XBee module.

20090606-111115

After configuring one of my XBee modules as coordinator, the XBee modules were able to communicate with each other.

You need the X-CTU configuration program to configure an XBee series 2 module as coordinator. To connect the XBee module to your PC, you’ve to:

1) remove the ATmega µp from the Arduino board (remember the orientation of the ATmega chip to put it back afterwards):

20090606-111211

2: set the jumpers on the XBee shield to USB:

20090606-111318

3) Connect the XBee shield to the Arduino, and then connect the Arduino via USB to your computer, run the X-CTU configuration program and read the configuration:

20090606-111328

4) Select the coordinator function set and write it to the XBee module:

20090606-111428

When the XBee module has restarted and if your other XBee module is powered on, you’ll see the LEDs of both modules starting to flash, indicating they formed a WPAN network.

After configuring the XBee module, revert to the original hardware configuration: disconnect the Arduino board from your PC, set the jumpers on the XBee shield back to XBee and reinsert your ATmega µp in the Arduino board (watch out for the polarity of the chip).

Now I’m able to run the simple example successfully.

Quickpost info

Tuesday 9 June 2009

Quickpost: Make Your Own Corrupted PDFs For Free

Filed under: Entertainment,Nonsense,PDF,Quickpost — Didier Stevens @ 14:37

In response to Bruce Schneier’s latest post, let me explain how you can corrupt your own PDF documents for free. Open your PDF document with a binary editor, search for references to the root object (/Root), and overwrite the reference (36 in my example) with a non-existing reference, like 00.

20090609-181712

Of course, be careful and make backups first.

Tested on several PDF readers:

20090609-181538

20090609-181556

20090609-181919

Sunday 7 June 2009

Update: Disitool V0.3

Filed under: My Software,Update — Didier Stevens @ 23:15

Last January, I got a little challenge from @hdmoore via my Twitter account: add data to a signed executable without invalidating the Authenticode signature. I updated my Digital signature tool, but I realize now I had only announced the update on Twitter, not on my blog.

The trick is to increase the size of the image data directory for the digital signature and inject the extra data after the digital signature. This way, the Authenticode validation algorithm ignores the extra data, because it considers it to be part of the signature. Use Disitool’s new inject command:

disitool.py inject ms-patch.exe data.bin ms-patch-data.exe

The authenticode signature of ms-patch.exe will remain valid in ms-patch-data.exe, provided that the length of the injected data (file data.bin) is a multiple of 8.

You can use the paddata option to make the injected data size a multiple of 8 if it isn’t:

disitool.py inject --paddata ms-patch.exe data.bin ms-patch-data.exe

Disitool can be downloaded here.

Saturday 6 June 2009

Quickpost: PDF Security Tidbits

Filed under: PDF — Didier Stevens @ 14:57

Some PDF Security Tidbits:

  1. I was a guest on the Securabit podcast. Thanks for having me guys!
  2. Eric Filiol has published his PDF Structazer tool he presented at Black Hat Europe 2008
    The tool: http://www.esiea-recherche.eu/data/PDF%20Structazer.exe
    The document (PDF): http://www.esiea-recherche.eu/data/PDF%20Structazer%20Short%20User%20Manual.pdf
  3. And I’ve an article in the latest issue of (IN)SECURE Magazine on how malicious PDFs could infect without getting opened.

Quickpost info

Monday 1 June 2009

Quickpost: Sending WiFi Beacon Frames with an AirPcap Adapter

Filed under: My Software,Quickpost,WiFi — Didier Stevens @ 10:29

While preparing for my OSWP exam, I came across an unpublished Python program for the AirPcap adapter. I cleaned-it up a bit and here it is: apc-b

This program allows you to send out beacon frames, a very simple way to spoof WiFi access points.

This is the command to generate beacon frames on channel 6 for a couple of ESSIDs listed in file apc-b-2.txt:

20090601-120518

And here is Kismet on my N800 capturing these beacon frames:

kismet-n800

Quickpost info

Wednesday 20 May 2009

Download My Hakin9 Article “Anatomy of Malicious PDF Documents”

Filed under: Malware,PDF — Didier Stevens @ 18:21

Hakin9 has released my article “Anatomy of Malicious PDF Documents” from their latest issue. Get it here in exchange for an e-mail address.

20090520-200713

Tuesday 19 May 2009

Another Lowcost RFID Detector

Filed under: Hardware,RFID,smart card — Didier Stevens @ 21:30

Patrick Gueulle published a logging program (French article) for BasicCards. A BasicCard is a smartcard programmable in a variant of the BASIC language. Patrick’s BasicSPY program logs all APDU requests to a file stored on the smartcard. After using the BasicCard programmed with BasicSPY in a reader, you can retrieve the log file and observe the commands send by the reader to the card.

Patrick’s terminal program to manage the internal file (I translated the menu to English):

20090519-220442

A new type of BasicCard was announced in January: the Dual Interface BasicCard. This smartcard also has a contactless ISO14443/A interface. In other words, this smartcard has a HF RFID interface!

This smartcard is handy to make another lowcost RFID detector: I install BasicSPY on my Dual Interface BasicCard and hold it against an (unknown) RFID reader. When the reader supports ISO14443/A , it will send APDUs to the BasicCard which will log them in the internal file. Later retrieval of the internal file reveals the APDUs send to the smartcard:

20090519-220614

20090519-221114

Thursday 14 May 2009

Malformed PDF Documents

Filed under: Malware,My Software,PDF — Didier Stevens @ 7:55

For the sake of this post, I consider a PDF document malformed when it doesn’t observe the basic structure of a PDF document.

I’ve seen a couple of malicious, malformed PDF documents. The most recent was a malicious swine flu PDF document that contains another, bening, PDF document with information about the swine flu (obtained from the CDC site). This second PDF document is displayed to mislead the user while the exploit runs.

20090513-211945

This second PDF document is XOR-encoded and appended to the end of the malicious PDF document, making the malicious PDF document malformed (FYI: the PDF file format supports embedded files, but this wasn’t used here). A PDF reader like Adobe or Foxit has no problems opening this malformed PDF, because it scans a PDF document for the trailer (%%EOF) starting from the end of the document. Everything that follows this trailer and doesn’t adhere to the PDF syntax is just ignored.

20090513-213940

I’ve added some new features to my PDF tools to handle malformed PDF documents.

PDFiD

The new version of PDFiD has an –extra option. Like it names imply, use it to add extra analysis data to the PDFiD report. The extra option adds entropy calculations to the report:

20090513-220050

For a normal PDF file, expect the total entropy and the entropy of bytes inside stream objects to be close to the maximum value 8.0. This means that the distribution of byte values is close to random, which is characteristic of compressed and encrypted data.

Outside streams objects, the data appears much less random, and the entropy is much lower, usually around 4.0 or 5.0.

However, for malformed PDF documents, where data is added without using stream objects, the entropy outside stream objects is much higher. Here is the report for the malicious swine flu PDF:

20090513-203729

Another datum added to the report by using the –extra option is for the end-of-file marker %%EOF.

The “%%EOF” line mentions the number of times %%EOF appears in the document (more than once usually indicates incremental updates). “After last %%EOF” counts the number of bytes after the last %%EOF. This value will be not be zero when data has been appended.

pdf-parser

The previous versions of pdf-parser output a lot of “todo 10” data (an indication of malformed PDF data) when they parse a malformed PDF document. I’ve suppresed this behavior, you’ll need to use option –verbose to enable it from now on, should you need it. Since I first use PDFiD to check a PDF document before using pdf-parser, I don’t consider the “todo” output relevant anymore, as PDFiDs entropy and %%EOF report will tell me if a PDF document is malformed.

20090513-223049

But the other new option in pdf-parser, –extract, is more important. Example:

pdf-parser.py –extract payload.bin malformed.pdf

This option will extract all malformed data from malformed.pdf and write it to file payload.bin, giving you easy access to the embedded payload.

Samples

You can download a normal and malformed Hello World PDF file here to get familiarized with my updated tools. 4096 random bytes have been appended to the end of the PDF document to make it malformed.

Here is a last example when the entropy calculation can be handy even if the payload is stored inside a stream object:

20090513-203522

The reason the total entropy and entropy of bytes inside stream objects is very low here, is that this malicious PDF document has a payload with a very long, uncompressed NOP-sled (more than one million times 0x90).

Monday 11 May 2009

PDF Filter Abbreviations

Filed under: My Software,PDF — Didier Stevens @ 0:00

@binjo ‘s tweet made me realize PDF filter abbreviations do apply to stream objects too, although the PDF reference document only defines them for inline images. Here are the abbreviations:

  • ASCIIHexDecode -> AHx
  • ASCII85Decode -> A85
  • LZWDecode -> LZW
  • FlateDecode -> Fl
  • RunLengthDecode -> RL
  • CCITTFaxDecode -> CCF
  • DCTDecode -> DCT

This means that, for example, a flatedecode filter for a stream object can not only be specified as /Filter /FlateDecode, but also as /Filter /Fl.

I updated my PDF-tools to support this.

And jprosco e-mailed me an update to my pdf-parser tool to support ASCIIHexDecode, because he had to analyze some malicious PDF documents that used it to encode the JavaScript.

« Previous PageNext Page »

Blog at WordPress.com.