Didier Stevens

Sunday 9 December 2018

Release: strings.py

Filed under: My Software,Release — Didier Stevens @ 0:00

I’ve been using my own Python implementation of command strings for 3 years now: time for a release (it was already available on my Beta github).

-L (–length) is an option I use often: it sorts the extracted strings from shortest to longest. When analyzing malicious documents and (binary) malware, often the interesting strings are rather long.

Like in this malicious Word document, where the longest string is the malicious PowerShell command.

It also supports JSON input.

For more options and information, take a look at the help (-h) and manual (-m):


strings_V0_0_3.zip (https)
MD5: DE008589A0B4B3C33B52BE3A171EB14D
SHA256: 9EBA69933B44DF41F4B51EE45B510E15FA85BCB38AD4CE45C863E8BBDAFED489

Thursday 6 December 2018

Update: oledump.py Version 0.0.39

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump brings several new features.

When option -i is used without selecting a stream, the overview will contain the size of the compiled code and the source code for all modules:

Selecting just the compiled code from a module stream can be done with suffix c: oledump.py -s A4c sample.xlsm.

Suffix s is to be used to select source code only: oledump.py -s A4s sample.xlsm.

A warning is displayed when option -s (selecting) does not result in the selection of a stream.

Option -A does a run-length encoded ASCII dump (cfr. -a).

Option -T does a head & tail: select the first 10 and last 10 lines of the output.

Ad-hoc YARA rules can now also be hexadecimal (#x#) or regular expression (#r#).

And offsets in a cut expression can now be hexadecimal too (prefix 0x).

oledump_V0_0_39.zip (https)
MD5: 5C9A1D94E1BC857877116E425D80A197
SHA256: DF7FFA0C707C8D66C0E0FBEE583286DBA9970824782C6B7AB6BFDC30A85BB419

Monday 3 December 2018

Quickpost: Developing for ESP32 with the Arduino IDE

Filed under: Hardware,Quickpost,WiFi — Didier Stevens @ 0:00

I have a couple of ESP32’s that can also be programmed with the Arduino IDE, provided the necessary board manager is installed:

After starting the IDE

I open the preferences:

And add the board manager URL for the ESP32 (https://dl.espressif.com/dl/package_esp32_index.json):

And via the Tools menu I launch the Boards Manager:

And install the ESP32 board manager:

And then I can select the right board (ESP32 Dev Module):

Then I can connect my ESP32 board to my Windows machine, and it will complain about missing drivers:

I install the CP210x drivers:

Then I can select the right port in the Tools menu:

And now everything is ready to program my ESP32. I will start with the WiFiScan example:

Which can then be compiled and uploaded to the ESP32 board:

Once it is uploaded and running, I can connect to the ESP32 board via the serial monitor:



Sunday 2 December 2018

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 12:32

Here is an overview of content I published in November:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Monday 26 November 2018

Quickpost: Compiling with Build Tools for Visual Studio 2017

Filed under: Quickpost — Didier Stevens @ 0:00

Compiling C/C++ programs with Microsoft’s command-line compilers is possible, even if you don’t have Visual Studio installed. You can do this with the Build Tools for Visual Studio 2017 (a free download).

Go to https://visualstudio.microsoft.com/downloads/ and download the Build Tools:

The downloaded file does not include the build tools, but it’s a stager that will download the necessary build tools. It requires .NET, you might get an error if the proper version is not installed:

Installing the correct .NET framework will fix this problem:

Once this download is completed, you can get to the actual installer where you choose the tools you want:

I selected the Visual C++ build tools, a download of about 1 GB:

Once the build tools are installed, you can open a shell via the start menu:

The C/C++ compiler is invoked with command cl:

As an example, I’m compiling the following program:

Quickpost info


Monday 19 November 2018

Quickpost: Compiling 32-bit Static ELF Files on Kali

Filed under: Quickpost — Didier Stevens @ 0:00

Here I compile EICARgen on Kali Linux to a 32-bit, statically linked Linux executable.

gcc’s option -m32 creates a 32-bit executable on 64-bit Linux.

If you get this error:

then one way to solve it is by installing libc6-dev-i386 (apt install libc6-dev-i386):

Then option -m32 can be used to create a 32-bit executable:

This executable will not run on 64-bit system that don’t have the libraries we just installed. A work-around is to statically link the ELF file with option -static:


Quickpost info

Wednesday 14 November 2018

Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc — Didier Stevens @ 0:00

I produced a video for my blog post “Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt“:

Monday 12 November 2018

Update: cut-bytes.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 0:00

cut-bytes.py is a tool I use to select (cut) a sequence of bytes out of a file, using a cut-expression. This expression specifies the start of the sequence and the end of the sequence.

In this example, I use a cut-expression to find the first occurrence of MZ (i.e. [‘MZ’]) and select 8 bytes (8l) starting at the position of that occurrence (-a is ASCII dump):

I realized that with a few changes, I could add a binary grep feature to cut-bytes. Option -g activates this binary grep:

In stead of one occurrence (the first), with option -g, all occurrences are selected.

JSON output is now also available with option –jsonoutput:

This JSON output contains all the selected byte sequences (BASE64 encoded and with metadata), and it can be piped into tools that accept this format, like file-magic.py:

file-magic will then identify each byte sequence. As you can guess, I’m looking for PE files embedded in file update.bin. But the byte sequences are too short (8 bytes) for file-magic.py to properly identify file types. By increasing the length to 512 bytes, file-magic.py has enough data to locate 2 PE files (a 32-bit DLL and a 64-bit DLL) inside update.bin:

Option -G is identical to -g, except that the selected byte sequences will not overlap.

And I also added a “run length encoded” ASCII dump (-A). If 2 or more consecutive output lines are identical, the duplicates are suppressed:

cut-bytes_V0_0_8.zip (https)
MD5: 1A69542E7E9D7348101B7E91884674B7
SHA256: 15BC253323FF162F26BEF784172A502383970E63514DF6B88A09952A19DAE826

Wednesday 7 November 2018

Update: hash.py Version 0.0.6

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version adds CSV output via option -C:

hash_V0_0_6.zip (https)
MD5: DE0AC3F7809E55E1577EB049A5F34EDF
SHA256: D66FF1D5173E3DDAFC842087B9E4E8447C18EF0AA8C03E02A365E3F9028BA8D9

Monday 5 November 2018

Quickpost: Using pcapy with Npcap on Windows

Filed under: Quickpost — Didier Stevens @ 0:00

I installed pcapy on a Windows machine, but importing in Python failed due to a missing DLL.

Process Monitor showed me what was missing: wpcap.dll, a WinPcap DLL:

The DLL was missing because I had installed Npcap (an alternative for WinPcap, that provides loopback packet capture).

This problem can be fixed by setting a toggle to install a WinPcap compatible API (e.g. wpcap.dll) during installation:

Quickpost info

« Previous PageNext Page »

Blog at WordPress.com.