After the mimikatz !bsod blogpost, here’s the video:
I’m going through the mimikatz source code and I’m finding all kind of gems :-).
Here is one of them, but be careful: do this only on a machine where you won't mind losing data, because this will crash the machine.
There’s a mimikatz driver command to initiate a Blue Screen of Death: !bsod
Here I’m using mimikatz as administrator on a Windows 7 machine (because I’m not a fan of the new BSOD introduced with Windows 8):
It’s a MANUALLY_INITIATED_CRASH (STOP 0x000000E2).
I can’t help feeling some kind of satisfaction when a friend uses my tools to analyze malware, and hacks his way to a solution when my tool falls short 🙂
In this nice blogpost, @bluejay00 analyzes RTF malware with my rtfdump.py tool. But because of obfuscation, rtfdump.py is not able to extract the object. @bluejay00 understands this, deobfuscates the RTF sample with an editor, and is then able to get my tool to work correctly.
I’ll just show how I would have used my translate.py tool to remove the obfuscation:
This new version of re-search.py introduces options --script and --execute to provide your custom Python functions.
Regular expressions can contain comments, like programming languages. This is a comment for regular expressions: (?#comment).
If you use re-search with regular expression comments, nothing special happens:
re-search.py "(?#comment)[a-z]+\.com" list.txt
However, if your regular expression comment prefixes the regular expression, and the comment starts with keyword extra=, then you can use gibberish detection, whitelist/blacklist filtering and Python function matching.
Python function matching is defined via directive P (Python). If you want to validate a string with a Python function, you use the following regular expression comment: (?#extra=P:Validate). Validate is a Python function that takes a string as argument and returns a boolean: True for a match and False if there is no match. You can provide your custom Python function(s) in a file via option --script or as a commandline argument via option --execute.
Example: Bitcoin address matching. Regular expression [13][a-km-zA-HJ-NP-Z1-9]{25,34} will match Bitcoin addresses, but also other strings that look like a Bitcoin address but are not a valid Bitcoin address. A valid Bitcoin address has a particular syntax, and a valid checksum. The regular expression can check the syntax, but not validate the checksum. Python function BTCValidate can check the checksum of a Bitcoin address. The following regular expression matches Bitcoin addresses with a valid syntax and uses Python function BTCValidate to validate the checksum:
(?#extra=P:BTCValidate)[13][a-km-zA-HJ-NP-Z1-9]{25,34}
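As an added illustration (this is not code from re-search.py), here is a standalone Python version of what a BTCValidate function has to do: Base58Check-decode the candidate, recompute the double-SHA256 checksum over the first 21 bytes and compare it with the trailing 4 bytes. The sample text and the find_valid_addresses helper are constructed for this example; the valid address is the well-known genesis-block address, the second one is the same address with its last character altered.

```python
import hashlib
import re

# Bitcoin's Base58 alphabet (no 0, O, I, l), as used by the regex on the page.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BTC_REGEX = re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}")


def base58_decode(s):
    """Decode a Base58 string to bytes; leading '1's become leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-alphabet character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def BTCValidate(s):
    """Return True only if s is a syntactically valid Base58Check Bitcoin address."""
    try:
        raw = base58_decode(s)
    except ValueError:
        return False
    if len(raw) != 25:  # 1 version byte + 20-byte hash + 4-byte checksum
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def find_valid_addresses(text):
    """Mimic (?#extra=P:BTCValidate): regex finds candidates, the function filters them."""
    return [m for m in BTC_REGEX.findall(text) if BTCValidate(m)]


# Constructed sample input: one genuine address, one with a corrupted last character.
SAMPLE_TEXT = (
    "pay 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa now, "
    "not 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (bad checksum)"
)

if __name__ == "__main__":
    print(find_valid_addresses(SAMPLE_TEXT))
```

Both strings match the regex alone; only the first survives the checksum, which is exactly the false positive the P directive removes.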
re-search_V0_0_8.zip (https)
MD5: D4895B54268683BFBE0126D02B01A4A2
SHA256: 85919EB964FF9CF0EDE7DA64E9BCE6619480DAC71D0CB65B5EE667322B18DDBB
This new version of pecheck.py adds an overview of sections. More details here.
pecheck-v0_7_0.zip (https)
MD5: 7BE550EC71BF99FC31704C2DD4ED3C8A
SHA256: 12C03369362045DF5A9AAB83002E59A4A31050EC008DF45F777C87186D611F6E
In this new version of zipdump.py, you can provide a YARA rule directly on the command line, without having to store it inside a file.
Just start the value of option -y with # and type your rule (use quotes because of spaces):
zipdump_v0_0_9.zip (https)
MD5: 2700AF663980204075107164AA12750A
SHA256: 5686F24373AF64E1F5D866C71B29A22CE97964EC563A2219681A6268CC9A1153
This new version of base64dump.py has a new option: -z. With this option, you can ignore leading null bytes (to be used for example to handle UNICODE).
You can see this option used in this video (starting 1:28):
base64dump_V0_0_7.zip (https)
MD5: D37DE7CEFDA55ADD1822EADDD84D5FFB
SHA256: 5F676DF8B36172A1D7B29F03E2B0CCB026BB9A96DF8830FDB137E65CBB59DD63
Here is an overview of content I published in June:
Blog posts:
YouTube videos:
Videoblog posts:
SANS ISC Diary entries:
NVISO Labs blog posts:
NVISO YouTube videos:
Here is an overview of content I published in May:
Blog posts:
YouTube videos:
Videoblog posts:
NVISO Labs blog posts:
Some small changes to my XOR known plaintext attack tool (xor-kpa), which will be detailed in an ISC Diary entry.
xor-kpa_V0_0_5.zip (https)
MD5: 023D8E3725E0EF7CEC449085AA96BB3A
SHA256: 7517DD44AFBFA11122FD940D76878482F50B7A2A2BCD1D7A2AF030F6CAC4F4E3