Didier Stevens

Sunday 17 April 2022

Update: 1768.py Version 0.0.13

Filed under: My Software,Update — Didier Stevens @ 15:51

This new version of 1768.py brings option -H to include file hashes, introduces shellcode type detection and has updated statistics.

1768_v0_0_13.zip (http)
MD5: F7E85586045AA76C573E010E6FF5F701
SHA256: 33B43A5AB059556C17083E824D407891CD14544B5CA416223020076C5878D310

Saturday 16 April 2022

Update: cut-bytes.py Version 0.0.14

Filed under: My Software,Update — Didier Stevens @ 8:10

This new version of cut-bytes.py adds access to the read data for Python expressions in prefix and suffix options.

cut-bytes_V0_0_14.zip (http)
MD5: EC3434DAAEE06C6F35BD57B77F86833F
SHA256: BCCCE7A73C921BD2CC195155A3A709FBAD7ADC0A267288A4F7F58695A2F103D1

Saturday 9 April 2022

New Tool: myjson-filter.py

Filed under: Announcement,My Software — Didier Stevens @ 8:50

A couple of my tools can produce JSON output, using my own format (myjson).

This output can then be piped into another tool, like strings.py or file-magic.py.

I’m now releasing a tool that can be put into a command pipe to filter the JSON data: myjson-filter.py

For example, I use myjson-filter.py to remove all items that are XML files (based on the content: starting with <?xml) before strings are extracted with strings.py.

More info in this ISC diary entry I wrote: “Method For String Extraction Filtering“.
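The filter described above, written out as an added example. This is not myjson-filter.py or any other tool from the original post; the document layout (a top-level "items" list whose entries carry a "name" and base64-encoded "content") is an assumption modelled on the myjson format the post mentions, and the sample document is constructed. The XML check also skips a UTF-8 byte-order mark before looking for <?xml, which goes slightly beyond the literal "starts with <?xml" test in the post.

```python
import base64
import json
import sys

# Constructed sample document. The layout is an assumption modelled on the
# myjson format the post mentions: a top-level "items" list whose entries
# carry a "name" and base64-encoded "content". It is not output captured
# from any of the real tools.
SAMPLE = {
    "version": 2,
    "id": "example",
    "type": "content",
    "fields": ["name", "content"],
    "items": [
        {"name": "word/document.xml",
         "content": base64.b64encode(b'<?xml version="1.0"?><w:document/>').decode()},
        {"name": "[Content_Types].xml",
         "content": base64.b64encode(b'\xef\xbb\xbf<?xml version="1.0"?>').decode()},
        {"name": "word/vbaProject.bin",
         "content": base64.b64encode(
             b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1' + b'Attribute VB_Name = "NewMacros"').decode()},
    ],
}


def decode_content(item):
    """Return the raw bytes of one item."""
    return base64.b64decode(item["content"])


def is_xml(data):
    """True when the content starts with an XML declaration.

    A UTF-8 byte-order mark and leading whitespace are skipped first, so a
    BOM-prefixed XML part is still recognised; that is a small extension of
    the literal "starts with <?xml" check described in the post.
    """
    head = data[:32]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return head.lstrip().startswith(b"<?xml")


def filter_items(doc, keep):
    """Return a copy of doc holding only the items where keep(name, raw_bytes) is true."""
    out = dict(doc)
    out["items"] = [item for item in doc["items"]
                    if keep(item["name"], decode_content(item))]
    return out


def drop_xml(doc):
    """The filter from the post: remove every item whose content is XML."""
    return filter_items(doc, lambda name, data: not is_xml(data))


def item_names(doc):
    """Names of the items still present, in order."""
    return [item["name"] for item in doc["items"]]


def main():
    # Pipeline use: <tool producing myjson> | python3 this_script.py | <string extractor>
    doc = json.load(sys.stdin)
    json.dump(drop_xml(doc), sys.stdout)


if __name__ == "__main__":
    main()
```

Because the filter reads the whole document from stdin and writes the whole document to stdout, it slots between any producer and consumer of the same JSON layout; swapping the lambda passed to filter_items gives other content-based filters (for example keeping only items that start with the OLE magic bytes).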

myjson-filter_V0_0_2.zip (http)
MD5: 15DDC15DE65F447CE6DA94F8B34C5066
SHA256: EB330FE49421A13A8743F18064788DC2E8189A9B63FD19D517F0B830D1569321

Monday 4 April 2022

.ISO Files With Office Maldocs & Protected View in Office 2019 and 2021

Filed under: maldoc,Malware,Uncategorized — Didier Stevens @ 0:00

We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.

One of the reasons to do this, is to evade “mark-of-web propagation”.

When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications mark this file as coming from the Internet. This is done with a Zone.Identifier Alternate Data Stream (the so-called "mark-of-web").

When a Microsoft Office application, like Word, opens a document with a Zone.Identifier ADS, the document is opened in Protected View (i.e., sandboxed).

But when an Office document is stored inside an ISO file, and that ISO has a Zone.Identifier ADS, then Word will not open the document in Protected View: the mark sits on the ISO container and is not propagated to the files inside it when the ISO is mounted. That is something I observed 5 years ago.

But this has changed recently. When exactly, I don’t know (update: August 2021).

But when I open an Office document stored inside an ISO file marked with a Zone.Identifier ADS, Office 2021 opens the document in Protected View.

With an unpatched version of Office 2019 that I installed a year ago, that same file is not opened in Protected View. After updating Office, Word's behavior changed: the file is now opened in Protected View.

If you want to test this yourself, you can use my ZoneIdentifier tool to easily set a "mark-of-web" without having to download your test file from the Internet. Or you can just add the Zone.Identifier ADS with Notepad.
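For readers who want to script the test rather than use Notepad, here is an added example (not Didier's ZoneIdentifier tool, and not code from the post) that builds, writes, reads and interprets a Zone.Identifier stream. The stream layout ([ZoneTransfer] section with a ZoneId key, optional ReferrerUrl/HostUrl keys) and the URLMON zone numbers are standard Windows facts; the file names in the usage section are placeholders, and the read/write helpers only work on NTFS under Windows.

```python
import sys

# URLMON security zone identifiers: the values that appear in the ZoneId key.
ZONE_LOCAL_MACHINE = 0
ZONE_LOCAL_INTRANET = 1
ZONE_TRUSTED_SITES = 2
ZONE_INTERNET = 3
ZONE_RESTRICTED_SITES = 4

STREAM_SUFFIX = ":Zone.Identifier"  # the alternate data stream holding the mark


def build_zone_identifier(zone_id=ZONE_INTERNET, referrer_url=None, host_url=None):
    """Build the text of a Zone.Identifier stream.

    The stream is an INI-style [ZoneTransfer] section; ZoneId is the key
    Office looks at. ReferrerUrl/HostUrl are optional extras browsers add.
    CRLF line endings match what Windows itself writes.
    """
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section, or None."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values or None


def zone_of(text):
    """Numeric ZoneId from stream text, or None when absent or malformed."""
    values = parse_zone_identifier(text)
    if not values or "ZoneId" not in values:
        return None
    try:
        return int(values["ZoneId"])
    except ValueError:
        return None


def is_untrusted_origin(text):
    """Treat Internet (3) and Restricted sites (4) as untrusted origins."""
    zone = zone_of(text)
    return zone is not None and zone >= ZONE_INTERNET


def mark_file(path, zone_id=ZONE_INTERNET):
    """Write the mark onto an existing file (NTFS on Windows only).

    Note the limitation the post describes: marking an ISO marks the
    container, not the documents a user later opens from the mounted image.
    """
    if sys.platform != "win32":
        raise OSError("Alternate data streams require NTFS on Windows")
    with open(path + STREAM_SUFFIX, "w", newline="") as stream:
        stream.write(build_zone_identifier(zone_id))


def read_mark(path):
    """Return the stream text, or None when the file carries no mark."""
    if sys.platform != "win32":
        raise OSError("Alternate data streams require NTFS on Windows")
    try:
        with open(path + STREAM_SUFFIX, "r", newline="") as stream:
            return stream.read()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Placeholder target name; pass a real document or ISO path as argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "test.docx"
    if sys.platform == "win32":
        mark_file(target)
        print(read_mark(target), end="")
    else:
        print(build_zone_identifier(), end="")
```

Running it against a copied test document, and separately against an ISO that contains the same document, reproduces the comparison in the post: the document opened directly carries the stream and gets Protected View, while the document opened from the mounted ISO has no stream of its own, so whether Protected View appears depends on the Office build, as described above.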

I did the same test with Office 2016: I updated an old version, and the document is not opened in Protected View.

I don’t know exactly when Microsoft Office 2019 was updated so that it would open documents in Protected View when they are inside an ISO file marked as originating from the Internet. But if you do know, please post a comment.

Update: this change happened in August 2021. See comments below. Thanks Philippe.

Sunday 3 April 2022

Power Consumption Of A Philips Hue lamp In Off State

Filed under: Hardware,technology — Didier Stevens @ 17:25

A Philips Hue lamp is a LED lamp that can be controlled wirelessly. It always draws power for its control circuitry, also when the LED is turned off.

I wondered how much power it consumes in the off state. Doing some research, I found a couple of forums where people asked the same question and got answers that it was very little, varying from 0,01 A to 0,02 A.

I got similar results for the current when I measured this:

Figure 1: Switched off Philips Hue drawing 0,0175 A (varying easily by 25%)

But I wanted a more precise answer, and not only the current: I am more interested in the power consumption (Watt), as our domestic electricity meters measure real power over a period of time.

Thus I measured the power consumption of a 1100 Lumen color Philips Hue lamp that I had switched off via the smartphone app, over a period of 10 days.

Figure 2: Test setup

And these are the numbers I got after 10 days:

Figure 3: After 10 days of operation in the off state

0,07756 kWh over a period of 10 days, that’s 0,32316 W. Notice that the display indicates KWh, but that should be kWh (lowercase k for kilo).

Extrapolating to a whole year, that's 2,831 kWh, which in my case corresponds to a cost of roughly €1,50 per lamp per year.

With online numbers claiming the current to be between 0,01 A and 0,02 A, at first I expected the power consumption to be higher. But the power factor is quite low (around 0,10), which explains the lower real power: at 230 V, 0,0175 A is about 4 VA of apparent power, against 0,32 W of real power.

Friday 1 April 2022

Overview of Content Published in March

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in March:

Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:
NVISO blog posts:
NVISO Videos:

Thursday 31 March 2022

spring4shell Capture File

Filed under: Networking,Vulnerabilities — Didier Stevens @ 19:13

If you are interested, I’ve put a spring4shell exploit capture file on my GitHub.

It might trigger your AV, like Defender (Defender triggers on the webshell code).

First HTTP request in the capture file, is just a test query.

Second HTTP request is the exploit that drops a webshell.

Third HTTP request is using that webshell.

Figure 1: just a test request
Figure 2: exploit dropping a webshell
Figure 3: using the webshell

Wednesday 30 March 2022

New Tool: xlsbdump.py

Filed under: My Software — Didier Stevens @ 0:00

This is a new tool to parse XLSB files.

It is still in beta.

Tuesday 29 March 2022

Update: oledump.py Version 0.0.64

Filed under: My Software,Update — Didier Stevens @ 7:22

This new version of oledump brings option -u. This option is used to look for data past the end of the streams.

oledump_V0_0_64.zip (http)
MD5: D2FE33398A2BA85A760518972C0207D3
SHA256: C44F11D31CDCFDE0E7207363A9F35ED07A98A69A4A4228A8CA49292BA8EE9683

Saturday 5 March 2022

Overview of Content Published in February

Filed under: Announcement — Didier Stevens @ 14:15
Here is an overview of content I published in February:

Blog posts:
YouTube videos:
SANS ISC Diary entries:

Blog at WordPress.com.