Didier Stevens

Wednesday 26 July 2017

The Paste Command

Filed under: My Software — Didier Stevens @ 20:56

Clip is a useful command. Paste would be a useful command, unfortunately Windows has no paste command: paste would do the opposite of clip, read the clipboard and write it to stdout.

So I made my own command a couple of years ago, and yesterday I made it ready for publication.

I don’t use paste as often as clip, but sometimes I copy malware related data from my hex editor and then pipe it into my tools with paste.


Paste_V1_0_0_1.zip (https)
MD5: 2107C78DEA38EA98825BB686DB2291AD
SHA256: 329A0AA96E855219ACB99D7BC35F78CE552645F7829D1B475924F895BA614637

Tuesday 25 July 2017

The Clip Command

Filed under: Malware — Didier Stevens @ 20:17

You probably know that I like to pipe commands together when I analyze malware …

Are you familiar with Windows’ clip command? It’s a very simple command that I use often: it reads input from stdin and copies it to the Windows clipboard.

Here is an example where I use it to copy all the VBA code of a malicious Word document to the clipboard, so that I can paste it into a text editor without having to write it to disk.

Monday 24 July 2017

New Tool: headtail.py

Filed under: My Software — Didier Stevens @ 22:22

Someone asked me what this headtail command was that I’ve used a couple of times in my blog posts, like in this screenshot:

It’s a tool that I wrote (what else ;-)) to help me create screenshots of command-line output. It’s the combination of the well-known head and tail Unix command: headtail takes a text file as input (it accepts stdin too) and outputs the first 10 lines (head) and the last 10 (tail) of its input, with a … line in between. Like with head and tail, option -n can be used to choose the number of lines.

headtail_V0_0_1.zip (https)
MD5: F5FD067F94411D22B939D753B803ACFE
SHA256: CBB66EA335299801A4D3D80A6A9BD686C56058B203ABB1BC6144B3A2E2370979

Sunday 23 July 2017

Update: python-per-line.py Version 0.0.2

Filed under: My Software,Update — Didier Stevens @ 19:48

python-per-line is a tool to apply a Python expression on each line of input.

I updated it because I had to process large credential dumps (I’ll blog about this later).

This new version can process .gz files too, and includes three new predefined Python functions: IFF, RIN and SBC.

From the man page:

IFF is a predefined Python function that implements the if Function
(IFF = IF Function). It takes three arguments: expression, valueTrue,
valueFalse. If expression is true, then valueTrue is returned,
otherwise valueFalse is returned.

RIN is a predefined Python function that uses the repr function if
needed (RIN = Repr If Needed). When a string contains characters that
need to be escaped to be used in Python source code, repr(string) is
returned, otherwise the string itself is returned.

SBC is a predefined Python function that helps with selecting a value
from lines with values and separators (Separator Based Cut = SBC). SBC
takes five arguments: data, separator, columns, column, failvalue.
data is the data we want to parse (usually line), separator is the
separator character, columns is the number of columns per line, column
is the value we want to select (cut) starting from 0, and failvalue is
the value that SBC needs to return if the function fails (for example
because there are less columns in the line than specified by the
columns value).
Here is an example. We use this file with credentials (creds.txt):

And this is the command to extract the passwords:
python-per-line.py "SBC(line, ':', 2, 1, [])" creds.txt

The result:

If a line contains more separators than specified by the columns
argument, then everything past the last expected separator is
considered the last value (this includes the extra separator(s)). We
can see this with line "username3:pass:word". The password is
pass:word (not pass). SBC returns pass:word.
If a line contains less separators than specified by the columns
argument, then the failvalue is returned. [] makes python-per-line
skip an output line, that is why no output is produced for user2.

python-per-line_V0_0_2.zip (https)
MD5: AB2377D366AB33992A535AF1EE489CBD
SHA256: 045F398FBCF6DDFF4A25B38007ADDF89B3256C21C8808B58FBC96855D55E6171

Saturday 22 July 2017

oledump.py *.vir

Filed under: My Software — Didier Stevens @ 22:17

I was asked if oledump.py can “scan” multiple files: it can not, it can only analyze a single file at a time.

However, you can use it in a loop (bash, cmd, …) and call it each time with a different file. oledump.py will return 0 if there were no errors, 1 if there were, and 2 if the analyzed file contains VBA code.

My process-command.py tool can also be used to run a tool on many files. Here is an example with oledump:

process-command.py -r “oledump.py %f%” *.vir

While doing the analysis on all *.vir files in the current directory, 2 log files will be created in the current directory, one being a CSV file with the return value of the command (e.g. oledump):


Friday 21 July 2017

Update: emldump.py Version 0.0.10

Filed under: My Software,Update — Didier Stevens @ 22:15

This new version outputs the filename for attachments:

emldump_V0_0_10.zip (https)
MD5: 34DBB3BCB1A2B04C45286C0583F11C07
SHA256: C5877E252DDB61B40BFFCC5403DB500E672DACFE96FAA7D1E0668246C5202DE5

Thursday 20 July 2017

Update: oledump.py Version 0.0.28

Filed under: My Software,Update — Didier Stevens @ 18:45

Like I did with zipdump, this oledump version now also supports YARA rules provided via the command-line (# and #s#).

oledump_V0_0_28.zip (https)
MD5: D89C1E0DA9A95A166EF8F36165F6A873
SHA256: 58F44B68BC997C2A7F329978E13DC50E406CCCCD2017C0375AA144712F029BFB

Wednesday 19 July 2017

Update:zipdump.py Version 0.0.11

Filed under: My Software,Update — Didier Stevens @ 22:20

Sometimes I just need to search for a string in the files of a ZIP container, and for that I need to create a small YARA rule.

With this new version, I can let zipdump generate the rule, I just need to provide the string. The value provided to option -y needs to start with #s# (s stands for string). Here is an example where I search for string HUBBLE:

zipdump_v0_0_11.zip (https)
MD5: E97E0191757230D2C7F9109B91636BF7
SHA256: 6640F971F61F7915D89388D3072854C00C81C47476A96CAC7BE6740DA348467B

Tuesday 18 July 2017

.ISO Files With Zone.Identifier

Filed under: maldoc,Malware — Didier Stevens @ 22:20

An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files.

Here is an example with file demo.iso, marked as downloaded from the Internet:

When this file is opened (double-clicked), it is mounted as a drive (E: in this example), and we see the content (a Word document: demo.docx):

This file is not marked as downloaded from the Internet:

Word does not open it in Protected View:

Monday 17 July 2017

Quickpost: Analyzing .ISO Files Containing Malware

Filed under: Malware,Quickpost — Didier Stevens @ 22:15

Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE spammed via email like this one. Here is the attached .iso file (from May 25th 2017) on VirusTotal, with name “REQUEST FOR QUOTATION,DOC.iso”.

Recent versions of Windows will open ISO files like a folder, and give you access to the contained files.

I found Python library isoparser to help me analyze .iso files.

Here is how I use it interactively to look into the ISO file. I create an iso object from an .iso file, and then I list the children of the root object:

The root folder contains one file: DIALOG42.EXE.

Looking into the content of file DIALOG42.EXE, I see the header is MZ (very likely a PE file):

And I can also retrieve all the content to calculate the MD5 hash:

This is a quick & dirty Python script to dump the first file in an ISO image to stdout:

import isoparser
import sys
import os

oIsoparser = isoparser.parse(sys.argv[1])

if sys.platform == 'win32':
    import msvcrt
    msvcrt.setmode(sys.stdout.fileno(), os.O_BINARY)

This allows me to pipe the content into other programs, like pecheck.py:


Quickpost info

« Previous PageNext Page »

Blog at WordPress.com.