Didier Stevens

Tuesday 6 October 2020

Update: oledump.py Version 0.0.54

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of oledump.py adds a new variable for option -E: %MODULEINFO%

This variable needs to be used together with option -i: it contains the size of the compiled VBA code and the size of the compressed VBA code, separated by a plus sign. For example: 123+65.

There’s a new option (-s) for plugin plugin_http_heuristics: with this option, the plugin ignores space characters (useful for hexadecimal bytes separated by a space character, for example).

And there is a new plugin: plugin_msg_summary. This is a new type of plugin, a plugin that operates on the complete document. Before, plugins could only operate on individual streams, and were instantiated for each stream.

This plugin produces a summary of a .msg file (something we needed for our “Epic Manchego” research).

Here is an example:

This plugin has a couple of options, for example to produce JSON output or to add header or body information:

 

Thursday 1 October 2020

Overview of Content Published in September

Filed under: Announcement — Didier Stevens @ 0:00

Here is an overview of content I published in September:

Blog posts:

SANS ISC Diary entries:

NVISO blog posts:

Tuesday 29 September 2020

“Epic Manchego” And My Tools

Filed under: Announcement — Didier Stevens @ 0:00

Over the last months, I’ve been quite busy working with my colleagues on the report “Epic Manchego – atypical maldoc delivery brings flurry of infostealers”: we’ve tracked an actor creating a new type of malicious Office document.

To help with the automatic analysis of all the maldocs produced by this actor (several per day), I added new features to existing tools and created new tools.

I’m releasing this work in the coming months (some has already been published: oledump.py and zipdump.py).

Monday 28 September 2020

Quickpost: USB Passive Load

Filed under: Hardware,Quickpost — Didier Stevens @ 0:00

I just received a USB passive load. It’s basically 2 resistors connected to the USB power wires in parallel, each with a switch in series:

It can draw approximately 1, 2 or 3 amps (depending on switch positions) from a 5 volt USB source.

The resistors can dissipate 10 watts, and will become very hot.

The resistor for 1 amp (4.7 ohms, 5% tolerance) maxed out my FLIR One thermal camera (> 150 °C), but I could measure around 220 °C (that’s 428 °F, close to 451 °F) with another thermal imaging camera.

The second resistor (2 amps: 2.2 ohms, 5% tolerance) maxed out that other thermal camera too: this one got hotter than 280 °C.

I’m referring to 451 °F because, presumably, that’s the temperature at which paper ignites. Something I’ll have to test out in safe conditions.

I also measured the resistors, and they are well within tolerance:

Here is a short thermal imaging video of the first resistor heating up:


Quickpost info


Sunday 27 September 2020

Quickpost: Ext2explore

Filed under: Quickpost — Didier Stevens @ 17:17

I was looking for a solution to read my Wifi Pineapple’s recon.db file from the SD card (ext2 formatted) on my Windows 10 machine.

The solution I went with is Ext2explore, a tool that can access ext2 volumes.

 

You have to run it as administrator, otherwise the tool will not be able to get raw access to the ext2 volume:

 

When you run the tool as administrator, you see your volumes. Mine is an SD card:

I can then explore the content and save file recon.db to a folder on my Windows 10 machine:




Thursday 10 September 2020

Quickpost: dig On Windows

Filed under: Quickpost — Didier Stevens @ 12:40

I found out there’s a dig command for Windows.

I group small tools like this inside a bin folder. But dig relies on a set of DLLs that also need to be in the PATH, so I put them in the same bin folder.

These are the DLLs dig.exe needs:

  • libbind9.dll
  • libcrypto-1_1-x64.dll
  • libdns.dll
  • libirs.dll
  • libisc.dll
  • libisccfg.dll
  • libuv.dll
  • libxml2.dll

I used procmon on my Win10 machine to figure out which DLLs are needed, as you get no error message (there’s probably a registry setting for that).

I do have a Windows 7 VM that I can also use to figure out which DLLs are missing, because it displays an error message:

And you might also need to install the Visual C++ redistributable that is included in the downloaded ZIP:

And now I can run dig from my bin folder:




Wednesday 9 September 2020

Quickpost: Downloading Files With Windows Defender & User Agent String

Filed under: Quickpost — Didier Stevens @ 7:29

@mohammadaskar2 found out you can use Windows Defender to download arbitrary files. Like this:

"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\mpcmdrun.exe" -DownloadFile -url http://didierstevens.com/index.html -path test.html

This command uses MpCommunication as its User-Agent string:

Update: this download feature has been disabled.
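Added example, not part of the original post or of any Microsoft tooling: a small Python detection that picks out web-proxy entries where the MpCommunication User-Agent string reaches a host outside an assumed allow list of Microsoft domains. The log layout, the allow list and the log lines are all constructed for this demonstration.

```python
# Added example (not from the original post): flag proxy log entries where the
# Windows Defender User-Agent string "MpCommunication" fetches content from a
# host that is not on an assumed Microsoft allow list.
import re
from urllib.parse import urlparse

DEFENDER_UA = "MpCommunication"

# Assumption: domains Defender legitimately talks to; tune per environment.
ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Assumed line layout: timestamp client method url status "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Constructed sample lines (not from any real environment).
SAMPLE_LOG = """\
2020-09-09T07:29:01Z 10.0.0.15 GET http://didierstevens.com/index.html 200 "MpCommunication"
2020-09-09T07:29:05Z 10.0.0.15 GET https://go.microsoft.com/fwlink/?LinkID=121721 200 "MpCommunication"
2020-09-09T07:30:11Z 10.0.0.22 GET http://didierstevens.com/index.html 200 "Mozilla/5.0"
2020-09-09T07:31:40Z 10.0.0.15 GET http://evil.example.com/stage2.exe 200 "MpCommunication"
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "ua": ua}


def is_allowed_host(host: str) -> bool:
    """True when host is one of the allowed domains or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def suspicious_defender_downloads(log_text: str):
    """Return parsed entries where the Defender UA talks to a non-allowed host."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["ua"] != DEFENDER_UA:
            continue
        host = urlparse(entry["url"]).hostname or ""
        if not is_allowed_host(host):
            entry["host"] = host
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in suspicious_defender_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} fetched {f['url']} with UA {f['ua']}")
```

The User-Agent string is the cheap indicator here: a host-based rule on mpcmdrun.exe being launched with -DownloadFile catches the same abuse at the endpoint, while the proxy check above also works retroactively on logs collected before the feature was disabled.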




Monday 7 September 2020

Overview of Content Published in August

Filed under: Announcement — Didier Stevens @ 6:12

Here is an overview of content I published in August:

Blog posts:

SANS ISC Diary entries:

Sunday 30 August 2020

Update: oledump.py 0.0.53

Filed under: My Software,Update — Didier Stevens @ 13:45

This new version of oledump.py has bug fixes, updates for the -s and --raw -v options, plugin updates, and a bug fix for plugin_vbaproject.

Streams can now be selected (-s --select) by name too. Make sure to include the single quotes:

oledump_V0_0_53.zip (https)
MD5: C26EB56580D65B2E856169A3EFC9BC03
SHA256: A10D90284F10C6D7811E2573049FE0F8315F04129846898C88E0184423988CD9

Sunday 23 August 2020

New Tool: XORSearch.py

Filed under: Announcement,My Software — Didier Stevens @ 19:42

XORSearch, written in C, is a tool of mine I started 10+ years ago. But more and more security tools don’t like it.

So I decided to stop adding new features to XORSearch in C, and to start programming a Python version in which to implement new features. This is a work in progress.

For the moment, the Python version only supports XOR-encoding with a one-byte key, and can only search for printable content.

Take a look at my SANS ISC diary entry to see how I use it.

I will still maintain the C version: perform bug fixes and add new features that require the speed of compiled C.

But features like detecting printable content will normally be used on small files, and then speed is not an issue.
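As an added example, not code from XORSearch.py or from the original post, here is a minimal Python implementation of the two things described above: searching for a known string under every one-byte XOR key, and scanning every key for runs of printable content. The sample buffer, the key 0x5A and the embedded URL are constructed for the demonstration.

```python
# Added example (not XORSearch.py itself): single-byte XOR search with a
# XORSearch-style "printable content" scan. SAMPLE is constructed inline.

PRINTABLE = frozenset(range(0x20, 0x7F))  # space through '~'


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a one-byte key."""
    return bytes(b ^ key for b in data)


def search_xor(data: bytes, needle: bytes):
    """Return [(key, offset)] where needle appears in data decoded with key.

    XOR is an involution, so instead of decoding the whole buffer for each of
    the 256 keys we encode the (short) needle and search the raw data for it.
    """
    hits = []
    for key in range(256):
        encoded_needle = xor_bytes(needle, key)
        pos = data.find(encoded_needle)
        while pos != -1:
            hits.append((key, pos))
            pos = data.find(encoded_needle, pos + 1)
    return hits


def printable_runs(data: bytes, min_len: int):
    """Return [(offset, text)] for runs of at least min_len printable bytes."""
    runs = []
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if b in PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, data[start:i].decode("ascii")))
            start = None
    return runs


def search_printable(data: bytes, min_len: int = 8):
    """Try all 256 keys and report every printable run of at least min_len.

    Many keys produce "printable" output (XOR with a small constant keeps
    letters inside the letter range), so the hit list still needs triage.
    """
    hits = []
    for key in range(256):
        for offset, text in printable_runs(xor_bytes(data, key), min_len):
            hits.append((key, offset, text))
    return hits


# Constructed sample: a URL XORed with key 0x5A, wrapped in non-printable junk.
SAMPLE_KEY = 0x5A
SAMPLE = (
    b"\xf0\xf1\xf2\xf3"
    + xor_bytes(b"http://example.com/payload.bin", SAMPLE_KEY)
    + b"\x80\x81"
)

if __name__ == "__main__":
    for key, offset in search_xor(SAMPLE, b"http://"):
        decoded = xor_bytes(SAMPLE, key)
        print(f"needle: key 0x{key:02X} offset {offset}: {decoded[offset:offset + 30]!r}")
    for key, offset, text in search_printable(SAMPLE, 20):
        print(f"printable: key 0x{key:02X} offset {offset}: {text}")
```

The printable scan deliberately reports every key that yields a long enough run: several keys turn the same bytes into readable-looking garbage, and the analyst still has to pick the one where the run reads as a URL. That triage is cheap on the small files this feature targets, which is why speed is not a concern here, while the needle search is the part that benefits from the compiled C version on large files.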
