Didier Stevens

Monday 21 November 2016

Update: base64dump.py Version 0.0.5

Filed under: My Software,Uncategorized — Didier Stevens @ 0:00

This new version supports different encodings besides base64 (but the name remains base64dump).

The new encodings are hexadecimal (hex), \u unicode (bu) and %u unicode (pu).

Here’s an example with escaped unicode in JavaScript (%u), namely a PDF with shellcode in JavaScript:

20161118-221959

The shellcode, escaped with %u, can be extracted with base64dump:

20161118-222032

20161118-222049

There’s also a new option to do a string dump: -S

20161118-222059

And a last small update: this version also counts unique bytes, i.e. the number of different byte values found in the data.

base64dump_V0_0_5.zip (https)
MD5: 7AACFD3E34FEAAF41897F60FBC5279A3
SHA256: B4AB7B3A9D2947F08C6CC94F88CD825C9B2B63EE65AF7475E66BE9565EC4337A

Sunday 20 November 2016

Update: zipdump.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to zipdump: this version displays the ZIP comment (if present) and also counts unique bytes, i.e. the number of different byte values found in the data.

zipdump_v0_0_4.zip (https)
MD5: 64EE6575309654B6671554D0A4DA50E5
SHA256: C323C0580E95F87406A72A542A7FBF5DE39EBEF7CAFC970A7C428CA1E870F9CF

Saturday 19 November 2016

Update: byte_stats.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 0:00

A small update to byte-stats: this version also counts unique bytes, i.e. the number of different byte values found in the data.

byte-stats_V0_0_4.zip (https)
MD5: B53CE5444618DCA78C46C7F72E356D8D
SHA256: 81EFED375FF666BFFDDB82D094ECE17074182F5016FE3BFA4D1CA33DE838754C

Friday 18 November 2016

Update: shellcode2vba.py Version 0.5

Filed under: My Software,Shellcode,Update — Didier Stevens @ 0:00

shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 1 new option:

Option –suffix allows you to instruct the program to add a suffix to the VBA function names.

shellcode2vba_v0_5.zip (https)
MD5: BAD6684A6887F9E90FF755609B4CA2D5
SHA256: C403CD8196593F2ADD6BED40E9E7A14E49DB48909788DE8BB27A95D71E58A13A

Thursday 17 November 2016

Quickpost: Zone.Identifier

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here is how to set the Alternate Data Stream to mark a file as originating from the Internet.

notepad install.exe:Zone.Identifier

Text:
[ZoneTransfer]
ZoneId=3


Quickpost info


Monday 14 November 2016

Overview of Content Published In October

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in October:

Blog posts:

YouTube videos:

Videoblog posts:

SANS ISC Diary entries:

Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Filed under: maldoc,Malware — Didier Stevens @ 0:00

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

This maldoc uses VBA macros (no surprise) to execute its payload.

20161101-214505

The encoded shellcode is a property in stream 17:

20161101-220639

I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit shellcode):

20161101-221418

The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.

The payload is an PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64 with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:

20161101-223522

This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.

This exe tries to download a payload from 3 URLs:

20161101-224906

Sunday 23 October 2016

Update: virustotal-search.py Version 0.1.4

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of virustotal-search.py accepts input from stdin.

virustotal-search_V0_1_4.zip (https)
MD5: 867D6272792965D11317BFB6308E20A9
SHA256: 8C033B3C46767590C54C191AEEDC0162B3B8CCDE0D7B75841A6552CA9DE76044

Saturday 22 October 2016

Update: cut-bytes.py Version 0.0.4

Filed under: My Software,Update — Didier Stevens @ 9:49

I added dumps to this new version of cut-bytes.py:

20161022-114024

cut-bytes_V0_0_4.zip (https)
MD5: A44D8BBE9BAB9309E732F8995CB5C7BB
SHA256: F95453DE1CC5855C320AB947D9AE354BE8E3ABFA52418C0CF623351A9DBF6344

Monday 17 October 2016

Update: oledump.py Version 0.0.25

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version has a couple of new options (–decoderdir and –plugindir) and a bugfix.

oledump_V0_0_25.zip (https)
MD5: CED1602AEF505AE0388DB95414F9C00A
SHA256: 54510A54264E4EA3C4559545B5CE43A20D8AB290B4EDDA7B57983AD1396E29FC

« Previous PageNext Page »

Blog at WordPress.com.