Didier Stevens

Monday 14 November 2016

Overview of Content Published In October

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in October:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Filed under: maldoc,Malware — Didier Stevens @ 0:00

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

This maldoc uses VBA macros (no surprise) to execute its payload.

20161101-214505

The encoded shellcode is a property in stream 17:

20161101-220639

I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit shellcode):

20161101-221418

The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.

The payload is an PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64 with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:

20161101-223522

This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.

This exe tries to download a payload from 3 URLs:

20161101-224906

Sunday 23 October 2016

Update: virustotal-search.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of virustotal-search.py accepts input from stdin.

virustotal-search_V0_1_4.zip (https)
MD5: 867D6272792965D11317BFB6308E20A9
SHA256: 8C033B3C46767590C54C191AEEDC0162B3B8CCDE0D7B75841A6552CA9DE76044

Saturday 22 October 2016

Update: cut-bytes.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 9:49

I added dumps to this new version of cut-bytes.py:

20161022-114024

cut-bytes_V0_0_4.zip (https)
MD5: A44D8BBE9BAB9309E732F8995CB5C7BB
SHA256: F95453DE1CC5855C320AB947D9AE354BE8E3ABFA52418C0CF623351A9DBF6344

Monday 17 October 2016

Update: oledump.py Version 0.0.25

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version has a couple of new options (–decoderdir and –plugindir) and a bugfix.

oledump_V0_0_25.zip (https)
MD5: CED1602AEF505AE0388DB95414F9C00A
SHA256: 54510A54264E4EA3C4559545B5CE43A20D8AB290B4EDDA7B57983AD1396E29FC

Friday 14 October 2016

Analyzing Office Maldocs With Decoder.xls

Filed under: maldoc,Malware,My Software — Didier Stevens @ 13:27

There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.

Tools: oledump.py, decoder.xls

Sample: 2f918f49c3f926bb1538eaad6e8e6883

Friday 7 October 2016

rtfdump Videos

Filed under: maldoc,My Software — Didier Stevens @ 10:05

I produced 3 videos to show you how to use my rtfdump.py tool to analyze (malicious) RTF files.

Here is a video for sample 07884483f95ae891845caf0d50ce507f:

Here is a video for sample 4483ad299158eb54f6ff58b5346a36ee:

 

Monday 3 October 2016

Overview of Content Published In September

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in September:

Blog posts:

YouTube videos:

SANS ISC Diary entries:

Friday 30 September 2016

Quickpost: Enhancing Radare2 Disassembly Listing

Filed under: My Software,Quickpost — Didier Stevens @ 9:00

I threw a program together to add information to Radare2 disassembly listings: radare2-listing.py. I’m putting it in beta, because I hope there is another way to do this in Radare2 (e.g. without a program). So if you know of a better way to do this, please post a comment.

The tool looks for text pushed on the stack, and then adds a comment with the string build up on the stack.

Before:

20160930-104507

After:

20160930-104558

 

Wednesday 28 September 2016

decoder-search.py Beta

Filed under: Beta,My Software — Didier Stevens @ 0:00

I’ve been developing a new Python program similar to XORSearch. decoder-search.py does brute-forcing and searching of a file like XORSearch, but it stead of simple operations like XOR, ROL, …, it can handle more complex translations. Templates for these translations have to be provided in a configuration file, for example like this:

expression ((byte + %i1:1-10%) ^ %i2:1-32%) % 0x100

This template specifies a translation expression that adds a number to each byte in the file, and then XORs the sum. The first integer added to each byte is brute-forced from 1 to 10 (%i1:1-10%), and the second integer used for the XOR operation is brute-forced from 1 to 32 (%i2:1-32%). Such an encoding has been used in the last hancitor maldoc samples.

Here is the result on a sample that contains an encoded EXE:
20160927-201559

And here is the result on a sample that contains encoded URLs:

20160927-201914

For me this tool is still in beta phase, because I might change the format of the configuration file in later versions, without providing backwards compatibility. You can find it in my GitHub Beta repository.

« Previous PageNext Page »

Blog at WordPress.com.