<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Overview of Content Published In February</title><description>2016-03-29 02:14:05 - Didier Stevens : Here is an overview of content I published in February. Blog posts: Update: numbers-to-hex.py Version 0.0.2; Create Your Own CMD.XLS; Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation; More Obfuscated MIME Type Files. SANS ISC Diary entries: Locky: JavaScript Deobfuscation; Tip: Quick Analysis of Office Maldoc.</description><link>http://www.secuobs.com/revue/news/602235.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602235.shtml</guid></item>
<item><title>Decoding VBE</title><description>Secuobs.com : 2016-03-29 02:14:05 - Didier Stevens - I wrote a Python program to decode encoded VBS scripts (VBE). decode-vbe_V0_0_1.zip (https) MD5: 87E61217BC77275DBACEA77B8EDF12B5 SHA256: 11A9B5D47657C123845007E3E29FB331CAE7483B6A4A3AC54276DB90116911B5</description><link>http://www.secuobs.com/revue/news/602234.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/602234.shtml</guid></item>
<item><title>YARA Rule To Detect VBE Scripts</title><description>Secuobs.com : 2016-03-22 01:38:53 - Didier Stevens - Malicious documents that drop VBE scripts (VBScript Encode scripts) are in the wild. Here is an example. I have a YARA rule to detect VBE scripts. yara-rules-V0.0.6.zip (https) MD5: 01CB37759AC30EEA8D2B66226609C73E SHA256: 1B56C1D7D0E1A8F500674B74F93F3E7DE6B2EFC85259ABE3A57F1DCA458CCFF8</description><link>http://www.secuobs.com/revue/news/601659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/601659.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.23</title><description>Secuobs.com : 2016-03-11 10:57:05 - Didier Stevens - I'm providing a 2-day training at Brucon Spring Training 2016: Analysing Malicious Documents. Use promo-code SPRING16 for a 10% discount. This new version of oledump brings an update to the --cut option and a new plugin: plugin_hifo. As I documented in this ISC Diary entry, maldocs can store URLs in properties of userforms. The plugin ...</description><link>http://www.secuobs.com/revue/news/600821.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/600821.shtml</guid></item>
<item><title>Even More Obfuscated MIME Type Files</title><description>Secuobs.com : 2016-03-05 10:57:05 - Didier Stevens - I'm providing a 2-day training at Brucon Spring Training 2016: Analysing Malicious Documents. Use promo-code SPRING16 for a 10% discount. I received another maldoc sample (MD5 73D06B898E03395DA3D60D11E49751CC). Lines 2, 3, 6, 7 and 8 are there to obfuscate this MIME type file. emldump.py now detects all lines without a colon in the first block (all ...</description><link>http://www.secuobs.com/revue/news/600247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/600247.shtml</guid></item>
<item><title>More Obfuscated MIME Type Files</title><description>Secuobs.com : 2016-02-29 22:37:12 - Didier Stevens - I'm providing a 2-day training at Brucon Spring Training 2016: Analysing Malicious Documents. Use promo-code SPRING16 for a 10% discount. I received a maldoc sample (MD5 FAF75220C0423F94658618C9169B3568). You can see it's a MIME Type file, and that it is obfuscated. The second line is a very long line of seemingly random letters and digits. This ...</description><link>http://www.secuobs.com/revue/news/599695.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/599695.shtml</guid></item>
<item><title>Update: translate.py Version 2.2.0 for Locky JavaScript Deobfuscation</title><description>Secuobs.com : 2016-02-28 12:08:45 - Didier Stevens - Over at the ISC Diary I have an entry on Locky JavaScript Deobfuscation. I use my translate tool to perform part of the static analysis. When you read this diary entry, you'll see that I have to create 2 Python scripts to be used by translate.py to search with a regular expression and replace all ...</description><link>http://www.secuobs.com/revue/news/599579.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/599579.shtml</guid></item>
<item><title>Create Your Own CMD.XLS</title><description>Secuobs.com : 2016-02-10 01:33:17 - Didier Stevens - For several years now I've been using my modified cmd.exe from Excel. I'm not releasing this spreadsheet with my cmd code, but I release the VBA code. You can create your own spreadsheet (or Word document) with this VBA file. If you don't know how, here's a video.</description><link>http://www.secuobs.com/revue/news/597807.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597807.shtml</guid></item>
<item><title>Overview of Content Published In January</title><description>Secuobs.com : 2016-02-09 01:08:40 - Didier Stevens - Here is an overview of content I published in January. Blog posts: BlackEnergy XLS Dropper Puzzle; Update: base64dump.py Version 0.0.4; Update: emldump.py Version 0.0.6; Update: xor-kpa.py Version 0.0.2; Update: cut-bytes.py Version 0.0.3. YouTube Videos: xor-kpa.py: XOR Known-Plaintext Attack; Creating CMD.XLS; CMD.DLL: From DLL To VBA; BlackEnergy XLS Dropper. SANS ISC Diary entries: Failure Is An ...</description><link>http://www.secuobs.com/revue/news/597688.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597688.shtml</guid></item>
<item><title>Update: numbers-to-hex.py Version 0.0.2</title><description>Secuobs.com : 2016-02-07 10:48:00 - Didier Stevens - A bugfix. numbers-to-hex_V0_0_2.zip (https) MD5: 911D2BF2EC0839DD595C48FF4BE5E979 SHA256: 41D5B19E401516CB134521E1F6973A16DBFE491303BD93429EEBE55C0B3AFEF6</description><link>http://www.secuobs.com/revue/news/597576.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/597576.shtml</guid></item>
<item><title>Update: cut-bytes.py Version 0.0.3</title><description>Secuobs.com : 2016-01-31 12:21:01 - Didier Stevens - When searching for a sequence (example: d0cf11e0), you can now specify the instance to select: [d0cf11e0] finds the first match, [d0cf11e0]1 too, [d0cf11e0]2 finds the second match, ... Search string expressions (ASCII and hexadecimal) can be followed by an instance (a number equal to 1 or greater) to indicate which instance needs to be taken ...</description><link>http://www.secuobs.com/revue/news/596977.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596977.shtml</guid></item>
<item><title>Update: xor-kpa.py Version 0.0.2</title><description>Secuobs.com : 2016-01-30 10:14:11 - Didier Stevens - I added support for ZIP files to xor-kpa.py. If you pass a ZIP file to xor-kpa, it will analyze the contained file. The ZIP file can be password protected (password infected). xor-kpa_V0_0_2.zip (https) MD5: CA4DB797A7C12E3E81F55D9634EE77BF SHA256: 76344E06A2C1F121D4CDD1B063DC109E59B9D2351BA5CFDDEE8613DCD220283B</description><link>http://www.secuobs.com/revue/news/596931.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596931.shtml</guid></item>
<item><title>Update: emldump.py Version 0.0.6</title><description>Secuobs.com : 2016-01-24 12:01:35 - Didier Stevens - A small update to emldump.py to handle (intentionally) malformed MIME files. emldump_V0_0_6.zip (https) MD5: 682793840D895E473647F2A1F85A9867 SHA256: D76BADF2A332C3417BB7DD46B783CE90757DD76648D2313083982BFD74902C41</description><link>http://www.secuobs.com/revue/news/596350.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596350.shtml</guid></item>
<item><title>Update: base64dump.py Version 0.0.4</title><description>Secuobs.com : 2016-01-23 19:29:44 - Didier Stevens - A quick update: extended --cut option (like in oledump) and added option -w to ignore whitespace. base64dump_V0_0_4.zip (https) MD5: 5864B1AF997EBA6E5F6DD0C3B8ADBE56 SHA256: 1B01023A97361A9DBBB16B9D8851FFD757F03FA3964C0ED72067F9117F283992</description><link>http://www.secuobs.com/revue/news/596332.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596332.shtml</guid></item>
<item><title>BlackEnergy XLS Dropper Puzzle</title><description>Secuobs.com : 2016-01-22 01:16:10 - Didier Stevens - Over at the ISC diary I posted an entry with a puzzle to help you to practice the extraction of an embedded file in a spreadsheet. This is the image I embedded.</description><link>http://www.secuobs.com/revue/news/596161.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596161.shtml</guid></item>
<item><title>Overview of Content Published In December</title><description>Secuobs.com : 2016-01-20 19:14:03 - Didier Stevens - Here is an overview of content I published in December. Blog posts: Windows Backup Privilege: CMD.EXE; BruCON Spring Training 2016: Analysing Malicious Documents; Update: oledump.py Version 0.0.22; MIME File With "Header"; Maldoc GET Range; SHA256 Code Signing and Microsoft. YouTube videos: MIME File With Header; Analysis Of A Corrupt OLE File. Videoblog posts: SpiderMonkey: Dump ...</description><link>http://www.secuobs.com/revue/news/596066.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/596066.shtml</guid></item>
<item><title>BlackEnergy XLS Dropper</title><description>Secuobs.com : 2016-01-07 01:37:00 - Didier Stevens - I'm providing a 2-day training at Brucon Spring Training 2016: Analysing Malicious Documents. I analyzed the spreadsheet (97b7577d13cf5e3bf39cbe6d3f0a7732) used in the recent BlackEnergy attacks against Ukrainian news media and electric industry. numbers-to-hex_V0_0_1.zip (https) MD5: 9050768633DDADF34900DAB0061F3B24 SHA256: 00B099F3939251F2027F2705AD08AE352C0FC447C86EB3271721FB2935CF71B6 hex-to-bin_V0_0_1.zip (https) MD5: 18FC870888B333D8B081CE3E31428A1B SHA256: 17B4257C6951C792FFE64EDDDFF20674AD07DE2699EF066BDF7A548DA09E6592</description><link>http://www.secuobs.com/revue/news/595035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/595035.shtml</guid></item>
<item><title>Update: shellcode2vba.py Version 0.4</title><description>Secuobs.com : 2016-01-02 15:12:29 - Didier Stevens - shellcode2vba.py is a Python program to create VBA code to inject shellcode. This new version has 3 new options. Option --nocreatethread allows you to instruct the program not to add the VBA code to create a new thread. Option --writememory: from now on, the VBA code uses RtlMoveMemory instead of WriteProcessMemory. To use WriteProcessMemory, ...</description><link>http://www.secuobs.com/revue/news/594674.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/594674.shtml</guid></item>
<item><title>XOR Known-Plaintext Attack</title><description>Secuobs.com : 2016-01-01 17:13:48 - Didier Stevens - To celebrate my Microsoft MVP award 2016, I'm releasing a new XOR-tool. Because you can never have enough XOR-tools in your toolbox ;-) When data is XOR-encrypted with a repeating key and you know some of the plaintext, you can perform a simple known-plaintext attack. Because when you XOR the ciphertext with the plaintext, you ...</description><link>http://www.secuobs.com/revue/news/594643.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/594643.shtml</guid></item>
<item><title>SHA256 Code Signing and Microsoft</title><description>Secuobs.com : 2015-12-29 11:44:13 - Didier Stevens - In a couple of days Windows will no longer trust sha-1 code-signing. It happened in the past that Microsoft announced changes to AuthentiCode, and then did not follow through, but it looks like this one is going to happen. First of all, the loss of trust will not happen for all executables with a sha-1 ...</description><link>http://www.secuobs.com/revue/news/594388.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/594388.shtml</guid></item>
<item><title>Maldoc GET Range</title><description>Secuobs.com : 2015-12-28 17:58:32 - Didier Stevens - I'm providing a 2-day training at Brucon Spring Training 2016: Analysing Malicious Documents. I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn't seen done before in VBS. This maldoc drops a VBS script, that proceeds to download an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is ...</description><link>http://www.secuobs.com/revue/news/594256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/594256.shtml</guid></item>
<item><title>MIME File With "Header"</title><description>Secuobs.com : 2015-12-22 01:22:40 - Didier Stevens - I'm providing a 2-day training at Brucon Spring Training 2016: Analysing Malicious Documents. Malicious MS Office documents are also distributed as MIME files. A blog reader asked for help with a MIME file that gave him problems (f67aa5a3ede3d31c5a68494c0678e2ee). According to emldump.py, the file is just text (not a multipart file). But if you look at ...</description><link>http://www.secuobs.com/revue/news/593879.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/593879.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.22</title><description>Secuobs.com : 2015-12-21 18:06:09 - Didier Stevens - Some changes when you use the --raw option. Now plugins can also be used when the VBA code is corrupted. oledump_V0_0_22.zip (https) MD5: CA91850BBC92E82D705F707704000F82 SHA256: 16763BCF15BFB3301FFAE0BDA26F18EE2946EDD7478994B798127DBBEF5FF9E7</description><link>http://www.secuobs.com/revue/news/593847.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/593847.shtml</guid></item>
<item><title>BruCON Spring Training 2016: Analysing Malicious Documents</title><description>Secuobs.com : 2015-12-14 01:24:16 - Didier Stevens - I teach a class on analyzing malicious documents at BruCON Spring Training 2016. First day covers PDF, second day covers MS Office documents. When you attend, you also get my PDF and MS Office workshop videos. Early bird registration till the end of the year.</description><link>http://www.secuobs.com/revue/news/593024.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/593024.shtml</guid></item>
<item><title>Windows Backup Privilege: CMD.EXE</title><description>Secuobs.com : 2015-12-13 01:29:02 - Didier Stevens - You probably encountered the situation where you could not access a file, even as an administrator. For example hiberfil.sys. There is a way in Windows to read any file regardless of DACLs: the backup privilege. I updated ReactOS' cmd.exe shell to use the backup privilege. I added a new command: privilege. This command enables the ...</description><link>http://www.secuobs.com/revue/news/592994.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/592994.shtml</guid></item>
<item><title>Overview of Content Published In November</title><description>Secuobs.com : 2015-12-11 01:30:51 - Didier Stevens - Here is an overview of content I published in November. Blog posts: Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty); Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean); Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin; Update: translate.py V2.1.0; byte-stats.py; Update: oledump V0.0.20; Update: emldump.py Version 0.0.4 ...</description><link>http://www.secuobs.com/revue/news/592831.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/592831.shtml</guid></item>
<item><title>Update: Authenticode Tools</title><description>Secuobs.com : 2015-11-30 01:11:48 - Didier Stevens - I released new versions of my AnalyzePESig and ListModules authenticode tools. Extra fields with information were added to the output of the tools, and the tools were adapted to use the SE_BACKUP_NAME privilege, giving the tools the privilege to read files even when the permissions do not allow it (running as administrator and elevated). A ...</description><link>http://www.secuobs.com/revue/news/591497.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/591497.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.21</title><description>Secuobs.com : 2015-11-29 12:30:09 - Didier Stevens - A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-0x100 selects the whole stream except the last 256 bytes. oledump_V0_0_21.zip (https) MD5: F72CBB797CE8FB810ACE5E54DC832129 SHA256: 016C772575DF381C274F6408B242945DE35679904B7C8B1B693ABFB2B3C023FB</description><link>http://www.secuobs.com/revue/news/591486.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/591486.shtml</guid></item>
<item><title>Update: virustotal-search.py Version 0.1.3</title><description>Secuobs.com : 2015-11-28 10:50:57 - Didier Stevens - A small update: I added option -s (separator) so that you can choose your CSV separator. virustotal-search_V0_1_3.zip (https) MD5: 6D93F6CCE56AA74C830D66F9AE2E88C0 SHA256: 09D3BA6BCE1A69E8292AD0D44FB216FBCBF5686EA3C64DCD5FC877E91D4141F4</description><link>http://www.secuobs.com/revue/news/591444.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/591444.shtml</guid></item>
<item><title>Authenticode And Timestamping And sha256</title><description>Secuobs.com : 2015-11-24 01:04:20 - Didier Stevens - I have a couple of how-to posts on digital signatures, like this code signing post. Let me revisit this topic now that Microsoft announced some upcoming changes to code signing. I use signtool.exe that came with Visual Studio 2013 in my examples. Here is how to use signtool.exe from the command-line to sign an executable: ...</description><link>http://www.secuobs.com/revue/news/590980.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590980.shtml</guid></item>
<item><title>Update: emldump.py Version 0.0.5</title><description>Secuobs.com : 2015-11-22 01:17:48 - Didier Stevens - A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 selects the whole file except the last 5 bytes. emldump_V0_0_5.zip (https) MD5: 5FAEDF1459114306D57FEABEF3CDDEFD SHA256: B3D08E1768E1211C44680DD502AC096A324FF209330657F4ABC0CD09B888254C</description><link>http://www.secuobs.com/revue/news/590780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590780.shtml</guid></item>
<item><title>Update: nsrl.py Version 0.0.2</title><description>Secuobs.com : 2015-11-21 01:12:50 - Didier Stevens - A small update to my nsrl.py program: the CSV output now includes the ApplicationType. nsrl_V0_0_2.zip (https) MD5: 816DD5BEF94D289F489399A95824083D SHA256: 65C4AF8F139651942062EB78D820AD3BE5DBEE2C4331B3105BAE62B220CD4F44</description><link>http://www.secuobs.com/revue/news/590743.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590743.shtml</guid></item>
<item><title>Maldoc Social Engineering Trick</title><description>Secuobs.com : 2015-11-18 01:13:29 - Didier Stevens - Xavier has an interesting SANS ISC Diary entry on a malicious Word document we analyzed. The VBA macro code contains a function (func_FormatDocument) for which Xavier has no clear explanation. This function pulls off a social engineering trick. It "decodes" the document by giving the text with a white font color (thus invisible) a black ...</description><link>http://www.secuobs.com/revue/news/590354.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590354.shtml</guid></item>
<item><title>Update: find-file-in-file.py Version 0.0.5</title><description>Secuobs.com : 2015-11-15 01:09:41 - Didier Stevens - A very small change to find-file-in-file: find-file-in-file.py contained containing 0x00000000 0x00000014 (50%) End of containing file Remaining 20 (50%) When the tool reaches the end of the containing file, a message is printed to signal this: "End of containing file". And I also added option -r (regular) to handle a ZIP file as a regular ...</description><link>http://www.secuobs.com/revue/news/590084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590084.shtml</guid></item>
<item><title>Update: cut-bytes.py Version 0.0.2</title><description>Secuobs.com : 2015-11-14 10:14:13 - Didier Stevens - A small change in this new version: the second term of the cut-expression can also be a negative number now. A negative number allows you to cut bytes from the end of the file. Example: cut-expression :-5 selects the whole file except the last 5 bytes. cut-bytes_V0_0_2.zip (https) MD5: B70F851CE74859B38AC3ABA9688593EB SHA256: 1A0BD64334DA90B21888020B383004A18C3BAEE211D24AA91FF12719F8581AE9</description><link>http://www.secuobs.com/revue/news/590057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/590057.shtml</guid></item>
<item><title>Update: emldump.py Version 0.0.4</title><description>Secuobs.com : 2015-11-13 01:24:28 - Didier Stevens - I'm adding the new -E option to my dump tools, this time it's emldump's turn. As announced with version 0.0.20 of oledump, option -E (extra) allows the user to specify which extra info needs to be displayed. I've also made a video for oledump (the -E option is the same across my dump tools). emldump_V0_0_4.zip ...</description><link>http://www.secuobs.com/revue/news/589951.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589951.shtml</guid></item>
<item><title>Update: oledump V0.0.20</title><description>Secuobs.com : 2015-11-10 01:28:52 - Didier Stevens - Option -c calculates extra data per stream. This data is displayed per stream. Only the MD5 hash of the content of the stream is calculated. Example: C:\Demo&gt;oledump.py -c Book1.xls 1: 4096 '\x05DocumentSummaryInformation' ff1773dce227027d410b09f8f3224a56 2: 4096 '\x05SummaryInformation' b46068f38a3294ca9163442cb8271028 3: 4096 'Workbook' d6a5bebba74fb1adf84c4ee66b2bf8dd Instead of adding more calculations to option -c, I added option -E (extra) ...</description><link>http://www.secuobs.com/revue/news/589592.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589592.shtml</guid></item>
<item><title>byte-stats.py</title><description>Secuobs.com : 2015-11-09 01:10:12 - Didier Stevens - I have a new tool that calculates byte statistics for files, like entropy. I used it recently to help me recover images from a ransomware infection, as described in these SANS ISC Diary entries: Ransomware &amp; Entropy; Ransomware &amp; Entropy: Your Turn; Ransomware &amp; Entropy: Your Turn - Solution. Usage: byte-stats.py [options] [files] ...</description><link>http://www.secuobs.com/revue/news/589441.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589441.shtml</guid></item>
<item><title>Update: translate.py V2.1.0</title><description>Secuobs.com : 2015-11-08 01:10:48 - Didier Stevens - Translate is a Python tool to translate files: you give it a Python expression that converts the input file byte per byte to the output file. In this update, I added option -f (fullread) to process files in one go, and not byte per byte. It works just like the byte per byte process, but ...</description><link>http://www.secuobs.com/revue/news/589402.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589402.shtml</guid></item>
<item><title>Stats for Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin</title><description>Secuobs.com : 2015-11-07 01:05:27 - Didier Stevens - After a quick and dirty analysis and a "slow and clean" analysis of a malicious document, we can integrate the Python decoder function into a plugin: the plugin_dridex.py. First we add function IpkfHKQ2Sd to the plugin. The function uses the array module, so we need to import it (line 30). Then we can add the ...</description><link>http://www.secuobs.com/revue/news/589355.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589355.shtml</guid></item>
<item><title>Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)</title><description>Secuobs.com : 2015-11-06 01:28:29 - Didier Stevens - In my previous post we used VBA and Excel to decode the URL and the PE file. In this post we will use Python. I translated the VBA decoding function IpkfHKQ2Sd to Python. Now we can decode the URL using Python. And also decode the downloaded file with my translate program and the IpkfHKQ2Sd function ...</description><link>http://www.secuobs.com/revue/news/589233.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589233.shtml</guid></item>
<item><title>Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty)</title><description>Secuobs.com : 2015-11-05 01:15:54 - Didier Stevens - The malicious office document we're analyzing is a downloader (0e73d64fbdf6c87935c0cff9e65fa3be). oledump reveals VBA macros in the document, but the plugins are not able to extract a URL. Let's use a new plugin that I wrote: plugin_vba_dco. This plugin searches for Declare statements and CreateObject calls. In the first half of the output (1) we see ...</description><link>http://www.secuobs.com/revue/news/589107.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589107.shtml</guid></item>
<item><title>Overview of Content Published In October</title><description>Secuobs.com : 2015-11-04 16:31:42 - Didier Stevens - Here is an overview of content I published in October. Blog posts: Update: base64dump.py Version 0.0.3; Release: emldump.py Version 0.0.3; cut-bytes.py; New workshop videos: Malicious Office Documents Part 1. Videoblog posts: Cut Cut Cut...; Wireshark Hex Import. SANS ISC Diary entries: Ransomware &amp; Entropy; Ransomware &amp; Entropy: Your Turn.</description><link>http://www.secuobs.com/revue/news/589048.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/589048.shtml</guid></item>
<item><title>New workshop videos: Malicious Office Documents Part 1</title><description>Secuobs.com : 2015-10-19 08:18:20 - Didier Stevens - This week I will teach my Malicious Office Documents workshop at hack.lu, explaining how to use my oledump tool. If you can not attend and are interested, I sell videos for this new workshop. And I also do a promo: if you buy my bundle of 3 workshops, you get the new Malicious Office Documents Part ...</description><link>http://www.secuobs.com/revue/news/587139.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/587139.shtml</guid></item>
<item><title>cut-bytes.py</title><description>Secuobs.com : 2015-10-14 02:20:03 - Didier Stevens - cut-bytes.py is a stand-alone program that implements the --cut option found in my dump programs. cut-bytes_V0_0_1.zip (https) MD5: 48CEBD6748E152CBF619EF10B58E8DFF SHA256: E99BC09DA0F1310085ED1520D52FB188D06456D030BD05A941FCE2B5FE21A661</description><link>http://www.secuobs.com/revue/news/586634.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586634.shtml</guid></item>
<item><title>Release: emldump.py Version 0.0.3</title><description>Secuobs.com : 2015-10-13 02:15:57 - Didier Stevens - This new version of emldump comes with the new --cut option. And with support for YARA. Take a look at the man page (emldump.py --man): Usage: emldump.py [options] [mimefile] EML dump utility Options: --version show program's version number and exit -h, --help show this help message and exit -m, --man Print manual -d, --dump perform ...</description><link>http://www.secuobs.com/revue/news/586489.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586489.shtml</guid></item>
<item><title>Update: base64dump.py Version 0.0.3</title><description>Secuobs.com : 2015-10-12 02:02:44 - Didier Stevens - This new version of base64dump comes with the new --cut option. base64dump_V0_0_3.zip (https) MD5: CF214FDFE9B83E39DC8484C137050569 SHA256: 4F1B2764CCD40E0276FFC3F81E3C0B55E4C844D469C4E313A99FB13F0B5621C0</description><link>http://www.secuobs.com/revue/news/586373.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/586373.shtml</guid></item>
<item><title>Dump Tools: Cut Cut Cut...</title><description>Secuobs.com : 2015-09-29 02:09:10 - Didier Stevens - I added a new option to my different dump tools (oledump, emldump, base64dump, zipdump and the new rtfdump): the --cut option. And I will also release a standalone cut tool. This option allows you to cut out a part of a data stream. For example to extract a PE file hidden in a byte stream ...</description><link>http://www.secuobs.com/revue/news/584960.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/584960.shtml</guid></item>
<item><title>PDF, DOC, VBAs Videos</title><description>Secuobs.com : 2015-09-21 13:04:55 - Didier Stevens - I produced videos showing how I created my "Test File: PDF With Embedded DOC Dropping EICAR" and how to change the settings in Adobe Reader to mitigate this.</description><link>http://www.secuobs.com/revue/news/584123.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/584123.shtml</guid></item>
<item><title>Wireshark Wifi and Lua Training at Brucon 2015</title><description>Secuobs.com : 2015-09-07 02:01:58 - Didier Stevens - I teach a 2 day training (Wireshark Wifi and Lua Training) at Brucon. More details here.</description><link>http://www.secuobs.com/revue/news/582564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/582564.shtml</guid></item>
<item><title>nsrl.py: Using the Reference Data Set of the National Software Reference Library</title><description>Secuobs.com : 2015-09-01 02:20:48 - Didier Stevens - When I scan executables on a Windows machine looking for malware or suspicious files, I often use the Reference Data Set of the National Software Reference Library to filter out known benign files. nsrl.py is the program I wrote to do this. nsrl.py can read the Reference Data Set directly from the ZIP file provided ...</description><link>http://www.secuobs.com/revue/news/581969.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/581969.shtml</guid></item>
<item><title>Test File: PDF With Embedded DOC Dropping EICAR</title><description>Secuobs.com : 2015-08-28 12:03:09 - Didier Stevens - Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file. For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file. The PDF file contains JavaScript that extracts and opens the DOC file.</description><link>http://www.secuobs.com/revue/news/581704.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/581704.shtml</guid></item>
<item><title>Update: base64dump.py Version 0.0.2</title><description>Secuobs.com : 2015-08-21 12:11:31 - Didier Stevens - A small update to my base64dump.py program: with option -n, you can specify the minimum length of the decoded base64 stream. I use this when I have too many short strings detected as base64. base64dump_V0_0_2.zip (https) MD5: EE032FAB256D44B2907EAA716AD812C5 SHA256: 1E5801DD71C0FFA9CA90D2803B46275662E222D874E409FF31F83B21E6DEC080</description><link>http://www.secuobs.com/revue/news/580928.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/580928.shtml</guid></item>
<item><title>Update: pdf-parser Version 0.6.4</title><description>Secuobs.com : 2015-08-13 02:06:37 - Didier Stevens - In this new version of pdf-parser, option -H will now also calculate the MD5 hashes of the unfiltered and filtered stream of selected objects, and also dump the first 16 bytes. I needed this to analyze a malicious PDF that embeds a .docm file. As you can see in this screenshot, the embedded file is ...</description><link>http://www.secuobs.com/revue/news/580035.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/580035.shtml</guid></item>
<item><title>Jump List Forensics</title><description>Secuobs.com : 2015-08-03 02:11:25 - Didier Stevens - Jump List files are actually OLE files. These files (introduced with Windows 7) give access to recently accessed applications and files. They have forensic value. You can find them in C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations. The AutomaticDestinations files are the OLE files, so you can analyze them with oledump. There are a couple of tools that can ...</description><link>http://www.secuobs.com/revue/news/579159.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/579159.shtml</guid></item>
<item><title>"Analysing Malicious Documents" Training At 44CON London</title><description>Secuobs.com : 2015-07-22 02:13:27 - Didier Stevens - I'm teaching a 2-day class "Analysing Malicious Documents" at 44CON London. Here is my promo video:</description><link>http://www.secuobs.com/revue/news/577910.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/577910.shtml</guid></item>
<item><title>If You Have A Problem Running My Tools</title><description>Secuobs.com : 2015-07-20 02:28:14 - Didier Stevens - If you get an error running one of my tools, first make sure you have the latest version. Many tools have a dedicated page, but even more tools have no dedicated page but a few blogposts. Check the "My Software" list for the latest versions. Most of my tools are written in Python or C. Almost</description><link>http://www.secuobs.com/revue/news/577613.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/577613.shtml</guid></item>
<item><title>Extracting Dyre Configuration From A Process Dump</title><description>Secuobs.com : 2015-07-13 02:12:49 - Didier Stevens - There are a couple of scripts and programs available on the Internet to extract the configuration of the Dyre banking malware from a memory dump. What I'm showing here is a method using a generic regular expression tool I developed: re-search. Here is the Dyre configuration extracted from the strings found inside the memory dump:</description><link>http://www.secuobs.com/revue/news/576837.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/576837.shtml</guid></item>
<item><title>base64dump.py Version 0.0.1</title><description>Secuobs.com : 2015-07-05 17:04:00 - Didier Stevens - A new tool, a new video. base64dump_V0_0_1.zip (https) MD5: 350C12F677E08030E0DD95339AC3604D SHA256: 1F8156B43C8B52B7E5620B7A8CD19CFB48F42972E8625994603DDA47E07C9B35</description><link>http://www.secuobs.com/revue/news/576207.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/576207.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.17 - ExitCode</title><description>Secuobs.com : 2015-06-26 11:45:57 - Didier Stevens - Here is a new version of oledump with a couple of bugfixes and a new feature: ExitCode. The ExitCode of the Python program running oledump.py is 0, except if the analyzed file contains macros, then it is 1. You can't use options if you want the ExitCode. Thanks Philippe for the idea. oledump_V0_0_17.zip (https) MD5:</description><link>http://www.secuobs.com/revue/news/575537.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/575537.shtml</guid></item>
<item><title>Metasploit Meterpreter Reverse HTTPS Snort Rule</title><description>Secuobs.com : 2015-06-17 00:23:01 - Didier Stevens - Emerging Threats and Snort released my Snort rule to detect Metasploit Meterpreter Reverse HTTPS traffic. More details about the rule in an upcoming blogpost.</description><link>http://www.secuobs.com/revue/news/574307.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/574307.shtml</guid></item>
<item><title>pcap-rename.py</title><description>Secuobs.com : 2015-06-09 02:33:57 - Didier Stevens - pcap-rename.py is a program to rename pcap files with a timestamp of the first packet in the pcap file. The first argument is a template of the new filename. Use %% as a placeholder for the timestamp. Don't forget the .pcap extension. The next arguments are the pcap files to be renamed. You can provide</description><link>http://www.secuobs.com/revue/news/573400.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573400.shtml</guid></item>
<item><title>Regular Expressions With Comments</title><description>Secuobs.com : 2015-06-04 22:04:42 - Didier Stevens - Many flavors of regular expressions support comments now. You can make your regular expression a bit more readable by adding comments. Like in programming languages, where a comment does not change the behavior of the program, a regular expression comment does not change the behavior of the regular expression. A regular expression comment is written</description><link>http://www.secuobs.com/revue/news/573031.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/573031.shtml</guid></item>
<item><title>Howto: Install Wireshark Dissectors</title><description>Secuobs.com : 2015-05-18 02:37:38 - Didier Stevens - I teach a Wireshark class at Brucon 2015. If you want to use my Wireshark dissectors like the TCP Flag dissector, but don't know how to install a Wireshark dissector, then watch this video howto:</description><link>http://www.secuobs.com/revue/news/571012.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/571012.shtml</guid></item>
<item><title>Detecting Network Traffic from Metasploit's Meterpreter Reverse HTTP Module</title><description>Secuobs.com : 2015-05-11 08:06:23 - Didier Stevens - I teach a Wireshark class at Brucon 2015. I took a closer look at Metasploit's Meterpreter network traffic when reverse http mode is used. The Meterpreter client will make regular HTTP requests to the Metasploit server to check if it has commands ready to be executed. This is what a request looks like: The client</description><link>http://www.secuobs.com/revue/news/570292.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/570292.shtml</guid></item>
<item><title>Update: NAFT Version 0.0.9</title><description>Secuobs.com : 2015-05-06 16:14:20 - Didier Stevens - This update to NAFT adds support for YARA. YARA rules can be used to search through the heap, like this: naft-icd.py -y IOS_canary.yara --decoders decoder_xor1 heap r870-core Address Bytes Prev Next Ref PrevF NextF Alloc PC what 83AB9498 0000004100 83AB9444 83ABA4CC 001 -------- -------- 80B5CC7C 8253709C YARA rule: IOS_canary. Rule IOS_canary.yara searches for a canary</description><link>http://www.secuobs.com/revue/news/569901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/569901.shtml</guid></item>
<item><title>pdf-parser: A Method To Manipulate PDFs Part 2</title><description>Secuobs.com : 2015-04-29 02:20:50 - Didier Stevens - I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach. Maarten Van Horenbeeck posted a diary entry (July 2008) explaining how scripts and data are stored in PDF documents (using streams), and demonstrated a Perl script to decompress streams. A couple of months before, I had</description><link>http://www.secuobs.com/revue/news/569095.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/569095.shtml</guid></item>
<item><title>Update: virustotal-search Version 0.1.2: Daily Quota Handling and CVEs</title><description>Secuobs.com : 2015-04-27 02:23:33 - Didier Stevens - This new version of virustotal-search adds a bunch of options to manage the local database, and 2 features I want to highlight here: 1) If you exceed your daily quota, virustotal-search will now do a clean stop. You can use option -w (waitquota) to instruct virustotal-search to wait until your daily quota is reset, and</description><link>http://www.secuobs.com/revue/news/568841.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/568841.shtml</guid></item>
<item><title>MS15-034: PoC Excel Video</title><description>Secuobs.com : 2015-04-23 21:38:34 - Didier Stevens - Since I like to hack with Excel, I made a PoC for MS15-034 in VBA Excel. PS: If you want to see my videos as soon as they are published, subscribe to my video blog videos.didierstevens.com or my YouTube Channel. Here's the video:</description><link>http://www.secuobs.com/revue/news/568585.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/568585.shtml</guid></item>
<item><title>MS15-034 Detection: Some Observations</title><description>Secuobs.com : 2015-04-19 03:52:59 - Didier Stevens - Several detection rules (SNORT, F5, ...) are being published these days to detect exploitation of vulnerability MS15-034. If you are making or modifying such detection rules, I want to share some observations with you. MS15-034 can be exploited with a GET request with a specially crafted Range header. Here is the example we'll use: Range:</description><link>http://www.secuobs.com/revue/news/567664.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/567664.shtml</guid></item>
<item><title>pdf-parser: A Method To Manipulate PDFs Part 1</title><description>Secuobs.com : 2015-04-16 02:12:45 - Didier Stevens - I provide 2 days of Hacking PDF training at HITB Amsterdam. This is one of the methods I teach. Sometimes when I analyze PDF documents (benign or malicious), I want to reduce the PDF to its essential objects. But when one removes objects in a PDF, indexes need to be updated and references updated/removed. To</description><link>http://www.secuobs.com/revue/news/567554.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/567554.shtml</guid></item>
<item><title>PDF Password Cracking With John The Ripper</title><description>Secuobs.com : 2015-04-15 02:25:19 - Didier Stevens - I have a video showing how to use oclHashcat to crack PDF passwords, but I was also asked how to do this with John The Ripper on Windows. It's not difficult. Download the latest jumbo edition john-the-ripper-v1.8.0-jumbo-1-win-32.7z from the custom builds page. Decompress this version. Download the previous jumbo edition John the Ripper 1.7.9-jumbo-5 (Windows</description><link>http://www.secuobs.com/revue/news/567372.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/567372.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.14</title><description>Secuobs.com : 2015-04-13 02:03:21 - Didier Stevens - A new version of oledump: small bugfix and updated plugins. oledump_V0_0_14.zip (https) MD5: 5ECD8BC3BD1F6C59F57E7C74DACCF017 SHA256: 7EEF509D84F7185C299A17882D3BD71481B7B1E41654F463F58492455FBDBD11</description><link>http://www.secuobs.com/revue/news/567015.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/567015.shtml</guid></item>
<item><title>Quickpost: Maldocs: VBA And Pastebin</title><description>Secuobs.com : 2015-04-08 22:32:05 - Didier Stevens - Since a day or two I'm seeing yet another trick used by malware authors in their VBA macros. The sample I'm looking at is 26B857A0A57B89166584CBB7167CAA19. The VBA macro downloads base64 encoded scripts from Pastebin. The scripts are delimited by HTML-like tags. Tags that start with stext are scripts for Windows XP systems, and</description><link>http://www.secuobs.com/revue/news/566586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/566586.shtml</guid></item>
<item><title>pdf-parser And YARA</title><description>Secuobs.com : 2015-04-01 00:06:51 - Didier Stevens - I'm teaching a PDF class at HITB Amsterdam in May. This is one of the many subjects covered in the class. For about half a year now, I've been adding YARA support to several of my analysis tools, like pdf-parser. I'll write some blogposts covering each tool with YARA support. I'll start with a video</description><link>http://www.secuobs.com/revue/news/565549.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/565549.shtml</guid></item>
<item><title>Howto: Make Your Own Cert With OpenSSL on Windows</title><description>Secuobs.com : 2015-03-30 02:12:26 - Didier Stevens - Some people following my "Howto: Make Your Own Cert With OpenSSL" do this on Windows and some of them encounter problems. So this post shows the procedure on Windows. For your info: I also have a video showing this howto. First of all, on Windows you will need to install OpenSSL from binaries. I got</description><link>http://www.secuobs.com/revue/news/565246.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/565246.shtml</guid></item>
<item><title>oledump And XML With Embedded OLE Object</title><description>Secuobs.com : 2015-03-27 01:24:26 - Didier Stevens - I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file. And the man page is finished. Run oledump.py -m to view the man page. The sample I'm using here is 078409755.doc (B28EF236D901A96CFEFF9A70562C9155). The extension is .doc,</description><link>http://www.secuobs.com/revue/news/565002.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/565002.shtml</guid></item>
<item><title>split.py</title><description>Secuobs.com : 2015-03-23 01:19:38 - Didier Stevens - Split is a Python program to split text files into several parts. Usage: split.py [options] file. Split a text file into X number of files (2 by default). Options: --version show program's version number and exit; -h, --help show this help message and exit; -m, --man Print manual; -p PARTS, --parts PARTS Number of parts to</description><link>http://www.secuobs.com/revue/news/564435.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/564435.shtml</guid></item>
<item><title>Update: peid-userdb-to-yara-rules.py</title><description>Secuobs.com : 2015-03-18 01:04:33 - Didier Stevens - Just some small changes. peid-userdb-to-yara-rules_V0_0_2.zip (https) MD5: BE287BE1CB4EAFC360B1105C47F81819 SHA256: DC673DC90420F880EBDC8A0298410B3B8D90AFBCCE868A3E075DB5AAF898A188</description><link>http://www.secuobs.com/revue/news/563859.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563859.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.12</title><description>Secuobs.com : 2015-03-17 01:08:42 - Didier Stevens - This update adds support for metadata and fixes an XML parsing bug. oledump_V0_0_12.zip (https) MD5: 0AB5F77A9C0F1FF3E8BE4F675440A875 SHA256: 6F87E65729B5A921079B9E5400F63BE6721673B7AC075D809B643074B47FB8D3</description><link>http://www.secuobs.com/revue/news/563668.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563668.shtml</guid></item>
<item><title>Quickpost: Metasploit User Agent Strings</title><description>Secuobs.com : 2015-03-16 01:30:14 - Didier Stevens - I searched through the Metasploit source code for User Agent Strings (starting with Mozilla). This is what I found: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Mozilla/4.0 (compatible; MSIE 6.1; Windows NT) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E};</description><link>http://www.secuobs.com/revue/news/563524.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563524.shtml</guid></item>
<item><title>VBA Maldoc: We Don't Want No Stinkin Sandbox/Virtual PC</title><description>Secuobs.com : 2015-03-11 21:43:44 - Didier Stevens - Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment. The following statements are executed right before the malicious actions begin: If IsSandBoxiePresent(1) = True Then End; If IsAnubisPresent(1) = True Then End; If IsVirtualPCPresent() = True Then End. The presence of SandBoxie can</description><link>http://www.secuobs.com/revue/news/563069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/563069.shtml</guid></item>
<item><title>A New Type Of Malicious Document: XML</title><description>Secuobs.com : 2015-03-09 10:41:06 - Didier Stevens - Since last week we see XML documents being spammed: they are actually Microsoft Word documents with VBA Macros. I wrote an ISC Diary entry (I'm a SANS ISC Handler now) detailing the internals of these XML files. oledump is updated to parse these XML documents. oledump_V0_0_11.zip (https) MD5: 02AEF764545213E1B1A5895AD0706F78 SHA256: 162EE94B1A4533956EE2CE0CB13ECDF2FF6C18A0597685E690B8524526FD694E</description><link>http://www.secuobs.com/revue/news/562619.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/562619.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.10</title><description>Secuobs.com : 2015-02-27 01:12:11 - Didier Stevens - This version handles corrupt VBA macro streams without crashing. Corrupt VBA macro streams are marked with an E indicator (error). And an update to the plugin_http_heuristics and plugin_dridex plugins. oledump_V0_0_10.zip (https) MD5: 450C28232254F8FF3AF5E289F58D2DAB SHA256: 139671E5E69200CECCE0EF730365C1BF1B7B8904B90E3B1E08E55AB040464C73</description><link>http://www.secuobs.com/revue/news/561384.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/561384.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.9</title><description>Secuobs.com : 2015-02-19 23:34:24 - Didier Stevens - The plugin_dridex plugin was updated. And oledump.py has a new option: --quiet (only print output from plugins). oledump_V0_0_9.zip (https) MD5: 849C26F32397D2508381A8472FE40F90 SHA256: 74887EA3D4362C46CCBF67B89BB41D7AACE9E405E4CB5B63888FEDCE20FD6A07</description><link>http://www.secuobs.com/revue/news/560298.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/560298.shtml</guid></item>
<item><title>Analyzing A Fraudulent Document With Error Level Analysis</title><description>Secuobs.com : 2015-02-18 01:22:25 - Didier Stevens - Some time ago I had the chance to try out an image forensic method (Error Level Analysis) on a PDF. It was a fraudulent document (a form), but with a special characteristic: the criminal converted the original form (a PDF) to JPEG, edited the JPEG with a raster graphics editor, and then inserted the edited</description><link>http://www.secuobs.com/revue/news/559952.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/559952.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.8</title><description>Secuobs.com : 2015-02-17 01:09:27 - Didier Stevens - This new version brings support for multiple YARA rule files. The plugin_http_heuristics plugin was updated, and there is a new plugin: plugin_dridex. oledump_V0_0_8.zip (https) MD5: 29EBF73F5512B0BC250CD0A0977A2C72 SHA256: 09C451116FCDE7763173E1538C687734D92267A0D192499AFD118D8D923165B9</description><link>http://www.secuobs.com/revue/news/559792.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/559792.shtml</guid></item>
<item><title>Update: EICARgen Version 2.1</title><description>Secuobs.com : 2015-02-16 01:10:02 - Didier Stevens - Version 2.1 of EICARgen can create an Excel spreadsheet (.xls) with the EICAR test file embedded with OLE.</description><link>http://www.secuobs.com/revue/news/559656.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/559656.shtml</guid></item>
<item><title>Update: YARA Rule JPEG_EXIF_Contains_eval</title><description>Secuobs.com : 2015-02-15 12:50:35 - Didier Stevens - Now that YARA version 3.3.0 supports word boundaries in regular expressions, I've updated my YARA Rule for Detecting JPEG Exif With eval(). yara-rules-V0.0.5.zip (https) MD5: 298EB636B3A3CB6A073815A83A6D1BA6 SHA256: EA00D044A3A0FE29265817407E382034593E0DAAD9887416E7FC128DA24B8830</description><link>http://www.secuobs.com/revue/news/559627.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/559627.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.7</title><description>Secuobs.com : 2015-02-10 01:28:45 - Didier Stevens - This new version adds support for the new office file format (.docx, .xlsx, ...) stored inside a ZIP file (so a ZIP inside a ZIP) and an option to print YARA strings. And the HTTP heuristics plugin has some extra heuristics. oledump_V0_0_7.zip (https) MD5: 7A953BAFFA1E5285651699996FA2DF84 SHA256: F5DC5F650F005E530A7D0CF510C33E3A4EF29AD85B1DA2618B237F53A46B86B5</description><link>http://www.secuobs.com/revue/news/558765.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/558765.shtml</guid></item>
<item><title>AirPcap Channel Hopping With Python</title><description>Secuobs.com : 2015-02-02 01:03:43 - Didier Stevens - I'm teaching a Wireshark WiFi and Lua 2-day class at Brucon Spring Training 2015. You get an AirPcap packet capture adapter when you attend this class. I made a modification to my Python program to do channel hopping with the AirPcap adapter. Now you can specify a sequence of channels with option -c. apc-channel_v0_2.zip (https)</description><link>http://www.secuobs.com/revue/news/557531.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/557531.shtml</guid></item>
<item><title>Converting PEiD Signatures To YARA Rules</title><description>Secuobs.com : 2015-01-22 02:06:32 - Didier Stevens - I converted Jim Clausing's PEiD rules to YARA rules so that I can use them to detect executable code in suspect Microsoft Office Documents with my oledump tool. Of course, I wrote a program to do this automatically: peid-userdb-to-yara-rules.py. This program converts PEiD signatures to YARA rules. These signatures are typically found in file userdb.txt</description><link>http://www.secuobs.com/revue/news/555818.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/555818.shtml</guid></item>
<item><title>YARA Rule: Detecting JPEG Exif With eval()</title><description>Secuobs.com : 2015-01-20 22:11:59 - Didier Stevens - My first release of 2015 was a new YARA rule to detect JPEG images with an eval() function inside their Exif data. Such images are not new, but I needed an example to develop a complex YARA rule. Here is an example of such an image: The YARA rule has 3 conditions that must be</description><link>http://www.secuobs.com/revue/news/555584.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/555584.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.6</title><description>Secuobs.com : 2015-01-16 17:28:52 - Didier Stevens - My last software release for 2014 was oledump.py V0.0.6 with support for the (ZIP/XML) Microsoft Office file format and YARA. In this post I will highlight support for the "new" Microsoft Office file format (.docx, .docm, .xlsx, .xlsm, ...), which is mainly composed of XML files stored inside a ZIP container. Except macros, which are still stored</description><link>http://www.secuobs.com/revue/news/555033.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/555033.shtml</guid></item>
<item><title>Didier Stevens Suite</title><description>Secuobs.com : 2015-01-08 21:39:04 - Didier Stevens - I bundled most of my software in a ZIP file. In all modesty, I call it Didier Stevens Suite.</description><link>http://www.secuobs.com/revue/news/553692.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/553692.shtml</guid></item>
<item><title>YouTube Video Promo</title><description>Secuobs.com : 2014-12-26 11:35:43 - Didier Stevens - I produced 21 technical videos this year. You can find them on YouTube and my video blog (sometimes I also post beta versions of my new tools along with the video on my video blog). I decided to run a promo for my Didier Stevens Labs videos: If you buy one of my products, you</description><link>http://www.secuobs.com/revue/news/551972.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/551972.shtml</guid></item>
<item><title>Update: oledump.py Version 0.0.5</title><description>Secuobs.com : 2014-12-24 19:34:30 - Didier Stevens - A quick bugfix and a new feature. oledump will now correctly handle OLE files with an empty storage. Here is an example with a malicious sample that blog readers reported to me: And when the OLE file contains a stream with VBA code, but this code is just a set of Attribute statements and nothing</description><link>http://www.secuobs.com/revue/news/551780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/551780.shtml</guid></item>
<item><title>oledump: Extracting Embedded EXE From DOC</title><description>Secuobs.com : 2014-12-23 01:34:51 - Didier Stevens - RECHNUNG_vom_18122014doc (6a574342b3e4e44ae624f7606bd60efa) is a malicious Word document with VBA macros that extract and launch an embedded EXE. This is nothing new, but I want to show you how you can analyze this document with oledump.py. I also have a video on my video blog. First we have a look at the streams: I put the</description><link>http://www.secuobs.com/revue/news/551516.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/551516.shtml</guid></item>
<item><title>Introducing oledump.py</title><description>Secuobs.com : 2014-12-17 01:11:45 - Didier Stevens - If you follow my video blog, you've seen my oledump videos and downloaded the preview version. Here is the "official" release. oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data. oledump allows you to analyze these streams. Many applications use this file format, the best known</description><link>http://www.secuobs.com/revue/news/550533.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550533.shtml</guid></item>
<item><title>YARA Rules</title><description>Secuobs.com : 2014-12-16 01:25:46 - Didier Stevens - Here are some YARA rules I developed. contains_pe_file will find embedded PE files. maldoc is a set of rules derived from Frank Boldewin's OfficeMalScanner signatures, that I also use in my XORSearch program. Their goal is to find shellcode embedded in documents. yara-rules-V0.0.1.zip (https) MD5: 4D869BD838E662E050BBFCB0B89732E4 SHA256: 0CA778EAD97FF43CF7961E3C17A88B77E8782D082CE170FC779543D67B58FC72</description><link>http://www.secuobs.com/revue/news/550311.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550311.shtml</guid></item>
<item><title>router-forensics.net</title><description>Secuobs.com : 2014-12-15 11:26:55 - Didier Stevens - Together with Xavier Mertens I proposed a Brucon 5x5 project. Our project was accepted, and we bought 23 Cisco routers to teach memory forensics on network devices. 21 routers are used for workshops, and 2 routers are online. If you want to practice memory forensics with real Cisco IOS devices, go to http://router-forensics.net</description><link>http://www.secuobs.com/revue/news/550156.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/550156.shtml</guid></item>
<item><title>XORSelection.1sc</title><description>Secuobs.com : 2014-12-12 17:44:49 - Didier Stevens - This is an update to my XORSelection 010 Editor script. You can select a sequence of bytes in 010 Editor (or the whole file) and then run this script to encode the sequence with the XOR key you provide. The XOR key can be a string or a hexadecimal value. Prefix the hexadecimal value with</description><link>http://www.secuobs.com/revue/news/549939.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/549939.shtml</guid></item>
<item><title>Update: find-file-in-file.py Version 0.0.4</title><description>Secuobs.com : 2014-11-25 23:15:47 - Didier Stevens - Here is the version I talked about in my Bitcoin virus posts. It also has an embedded man page (use option --man). find-file-in-file_v0_0_4.zip (https) MD5: CD381616158BD233D94B368554B824C6 SHA256: FD5C4E3EC99371754E58B93D3D96CBA7A86C230C47FC9C27C9B871ED8BFB9149 Man page: Usage: find-file-in-file.py [options] file-contained file-containing. Find if a file is present in another file. Arguments: file-containing can be a single file, several files, and/or</description><link>http://www.secuobs.com/revue/news/547272.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/547272.shtml</guid></item>
<item><title>Update: pecheck.py Version 0.4.0</title><description>Secuobs.com : 2014-11-18 22:51:16 - Didier Stevens - pecheck.py is a wrapper for pefile, and this update has a couple of new features: accept input from stdin (for pipes); load PeID userdb.txt by default from the same directory as pecheck.py; extra entry point info. pecheck-v0_4_0.zip (https) MD5: 27041C56B80B097436076B7366A6F3B2 SHA256: F9C73ED054AE4D5E9F495916D1B028FD8D6E9B2800DCE1993E568E2A2BFD9A71</description><link>http://www.secuobs.com/revue/news/546122.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/546122.shtml</guid></item>
<item><title>XORSearch: Hexdump Support</title><description>Secuobs.com : 2014-11-05 23:27:39 - Didier Stevens - Sometimes I want to check a malware sample with XORSearch, but I can't because my AV will delete it. My solution is to work with a hexdump of the file. Option -x allows XORSearch to work with a hexdump. XORSearch_V1_11_1.zip (https) MD5: D5EA1E30B2C2C7FEBE7AE7AD6E826BF5 SHA256: 15E9AAE87E7F25CF7966CDF0F8DFCB2648099585D08EAD522737E72C5FACA50A</description><link>http://www.secuobs.com/revue/news/543981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/543981.shtml</guid></item>
<item><title>Update: PDFiD With Plugins Part 2</title><description>Secuobs.com : 2014-10-27 10:01:23 - Didier Stevens - The second feature in this new version of PDFiD is selection. With this, you can select PDFs using criteria you provide. Example: pdfid.py -S "pdf.javascript.count > 0" *.pdf. This command will select all files with extension .pdf in the current directory that are PDFs and have a /JavaScript count larger than zero. The selection expression</description><link>http://www.secuobs.com/revue/news/542705.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/542705.shtml</guid></item>
<item><title>Update: PDFiD With Plugins Part 1</title><description>Secuobs.com : 2014-10-20 11:12:57 - Didier Stevens - Almost from the beginning when I released PDFiD, people asked me for an anti-virus-like feature: that PDFiD would tell you if a PDF was malicious or not. Some people even patched PDFiD with a scoring feature. But I didn't want to develop an "anti-virus" for PDFs: PDFiD is a triage tool. Now you can develop</description><link>http://www.secuobs.com/revue/news/541413.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/541413.shtml</guid></item>
<item><title>Announcement: PDFiD Plugins</title><description>Secuobs.com : 2014-10-01 00:07:26 - Didier Stevens - I have a new version of PDFiD. One with plugins and selections. Here's a preview:</description><link>http://www.secuobs.com/revue/news/537755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537755.shtml</guid></item>
<item><title>Update: XORSearch With Shellcode Detector</title><description>Secuobs.com : 2014-09-29 02:15:15 - Didier Stevens - XORSearch allows you to search for strings and embedded PE-files, brute-forcing different encodings. Now I added shellcode detection. This new version of XORSearch integrates Frank Boldewin's shellcode detector. In his Hack.lu 2009 presentation, Frank explains how he detects shellcode in Microsoft Office documents by searching for byte sequences often used in shellcode. I integrated Frank's</description><link>http://www.secuobs.com/revue/news/537256.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537256.shtml</guid></item>
<item><title>Video: PDF Creation - Public Tools</title><description>Secuobs.com : 2014-09-23 22:34:33 - Didier Stevens - Have you subscribed to my new video blog (videos.didierstevens.com)? If not, you missed my new video where I show my public tools to create PDFs.</description><link>http://www.secuobs.com/revue/news/536450.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/536450.shtml</guid></item>
<item><title>FileScanner.exe Part 4</title><description>Secuobs.com : 2014-09-18 02:00:55 - Didier Stevens - Please read part 1, part 2 and part 3 for more info. A few remarks for people having issues running my program. Folder Release contains a 32-bit executable that requires the Visual C++ Redistributable Packages for Visual Studio 2013. Folder Release CRT contains a 32-bit executable with embedded C runtime; it does not require the</description><link>http://www.secuobs.com/revue/news/535410.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/535410.shtml</guid></item>
<item><title>FileScanner.exe Part 3</title><description>Secuobs.com : 2014-09-17 02:26:02 - Didier Stevens - FileScanner.exe is a new Windows tool I developed. Read part 1 and part 2 for more info. To let you choose the files filescanner will scan, you can provide the following arguments: filename, @filename, folder and -f. Filename and folder are self-descriptive. When you pass argument @filename, filename is a textfile that contains filenames to ...</description><link>http://www.secuobs.com/revue/news/535238.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/535238.shtml</guid></item>
<item><title>FileScanner.exe Part 2</title><description>Secuobs.com : 2014-09-16 02:07:07 - Didier Stevens - My new FileScanner tool allows you to use rules to scan files. Here is how you define rules. Rule syntax: If you provide rules to FileScanner, it will only report files that match one rule or several rules (unless you instruct it to report all scanned files). A rule has a name, a type and ...</description><link>http://www.secuobs.com/revue/news/535015.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/535015.shtml</guid></item>
<item><title>Update: SpiderMonkey</title><description>Secuobs.com : 2014-09-14 17:33:15 - Didier Stevens - During my PDF training at 44CON I got the idea for a simple modification: now with document.write, a third file is created. The file is write.bin.log and contains the pure UNICODE data, e.g. without 0xFFFE header. To extract shellcode now, you no longer need to edit write.uc.log to remove the 0xFFFE header. I also included ...</description><link>http://www.secuobs.com/revue/news/534831.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/534831.shtml</guid></item>
<item><title>Introducing FileScanner.exe</title><description>Secuobs.com : 2014-09-03 02:38:14 - Didier Stevens - Filescanner is a tool I started to develop almost 2 years ago. Back then, I needed a stand-alone, single executable tool that would allow me to search for files based on their content. Filescanner is a Windows tool. Without any options, the tool will report some properties of the scanned file. Remark that the first ...</description><link>http://www.secuobs.com/revue/news/532708.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532708.shtml</guid></item>
<item><title>Update: Calculating a SSH Fingerprint From a (Cisco) Public Key</title><description>Secuobs.com : 2014-09-01 22:39:51 - Didier Stevens - I think there's more interest for my program to calculate the SSH fingerprint for Cisco IOS since Snowden started with his revelations. I fixed a bug with 2048 bit (and more) keys. cisco-calculate-ssh-fingerprint_V0_0_2.zip (https) MD5: C304299624F12341F9935263304F725B SHA256: 2F2BF65E6903BE3D9ED99D06F0F38B599079CCE920222D55CC5C3D7350BD20FB</description><link>http://www.secuobs.com/revue/news/532499.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/532499.shtml</guid></item>
<item><title>A Return: The Puzzle</title><description>Secuobs.com : 2014-08-21 21:51:06 - Didier Stevens - It's been some time since I posted a puzzle. So here is a new little puzzle. What is special about this file?</description><link>http://www.secuobs.com/revue/news/530946.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/530946.shtml</guid></item>
<item><title>EICARgen: An Arms Race</title><description>Secuobs.com : 2014-08-11 02:11:47 - Didier Stevens - If you subscribed to my videos, you saw this video and had early access to my new version of EICARgen. Version 1.0 of EICARgen is detected by too many AV as a dropper. So I rewrote the code. If you launch the new EICARgen (version 2.0) without any arguments, it does nothing. You have to ...</description><link>http://www.secuobs.com/revue/news/529186.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/529186.shtml</guid></item>
<item><title>Videos</title><description>Secuobs.com : 2014-07-31 11:11:21 - Didier Stevens - I plan to produce short videos more frequently. I will not post them all here on my blog, I've created another blog for all my videos: videos.didierstevens.com. The RSS is http://videos.didierstevens.com/feed. And from time to time, I'll repost an old video on that feed.</description><link>http://www.secuobs.com/revue/news/527741.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/527741.shtml</guid></item>
<item><title>Stoned Bitcoin: My Analysis Tools</title><description>Secuobs.com : 2014-07-24 02:23:35 - Didier Stevens - The most interesting thing about Stoned Bitcoin for me, was to work out a method to find these Bitcoin transactions. When this was mentioned on Twitter, I did a string search through the Bitcoin blockchain for string STONED: no hits. Some time later I used my find-file-in-file tool. I got a copy of the Stoned ...</description><link>http://www.secuobs.com/revue/news/526645.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/526645.shtml</guid></item>
<item><title>Update: translate.py</title><description>Secuobs.com : 2014-07-16 21:38:13 - Didier Stevens - Some time ago, Chris John Riley reminded me of a program I had written, published (and forgotten): translate.py. Apparently, it is used in SANS classes. Looking at this program from 2007, I thought: my Python coding style has changed since then, I need to rewrite this. So here is the new version. It's backward ...</description><link>http://www.secuobs.com/revue/news/525498.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/525498.shtml</guid></item>
<item><title>Update: Stoned Bitcoin</title><description>Secuobs.com : 2014-06-30 02:47:10 - Didier Stevens - kurt wismer pointed me to this post on pastebin after he read my Stoned Bitcoin blogpost. The author of this pastebin post works out a method to spam the Bitcoin blockchain to cause anti-virus (false) positives. I scanned through all the Bitcoin transactions (until 24/06/2014) for the addresses listed in this pastebin post (the addresses ...</description><link>http://www.secuobs.com/revue/news/522752.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/522752.shtml</guid></item>
<item><title>Stoned Bitcoin</title><description>Secuobs.com : 2014-06-23 22:44:01 - Didier Stevens - There are reports of anti-virus false positive detections of Bitcoin files. More precisely for the old Stoned computer virus. I found the smoking gun: These reports should not be dismissed as hoaxes. I've identified 2 Bitcoin transactions that contain byte sequences found in the Stoned computer virus. Here they are: f09904aaa4fa4a8ec7da06f5e3d318a9b6a218e1a215f9307416fbbadf5a1c8e and fcf5cf9893a142897598edfc753bd6162e3638e138fc2feaf4a3477c0cfb65eb. Both transactions appear ...</description><link>http://www.secuobs.com/revue/news/520322.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/520322.shtml</guid></item>
<item><title>Wireshark-export</title><description>Secuobs.com : 2014-06-16 02:52:33 - Didier Stevens - Here is the 010 Editor script I developed to generate Wireshark hex dumps. Watch how to use it in my previous blogpost: "Packet Class: Wireshark - Import Hex Dump". wireshark-export_v0_0_1.zip (https) MD5: B339EFD0898B6506CBEAAFCBCE08B3A6 SHA256: 557B39246FAC3BD91CE24EAD3DF07F8B68100778241393A26C67A566756C404B</description><link>http://www.secuobs.com/revue/news/518981.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/518981.shtml</guid></item>
<item><title>Packet Class: Wireshark - Import Hex Dump</title><description>Secuobs.com : 2014-06-10 23:19:26 - Didier Stevens - During my "Packet Class: Wireshark" training, we do an exercise on importing a hex dump in Wireshark. I recently created a 010 Editor script to help with the creation of hex dumps for Wireshark. This video shows its usage.</description><link>http://www.secuobs.com/revue/news/518116.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/518116.shtml</guid></item>
<item><title>WhoAmI: status-4-evar</title><description>Secuobs.com : 2014-06-03 15:01:23 - Didier Stevens - Remember my WhoAmI Firefox add-on? I developed it because I use different profiles: it displays the name of the current profile on the status bar. But with Firefox 29, the status bar has disappeared (once again). You can restore the status bar with add-on status-4-evar.</description><link>http://www.secuobs.com/revue/news/516859.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516859.shtml</guid></item>
<item><title>Video: "Packet Class: Wireshark - Lua Protocol Dissectors"</title><description>Secuobs.com : 2014-05-12 23:48:07 - Didier Stevens - In this video, I'm trying to give you an idea of what you can expect in my "Packet Class: Wireshark" training when we will cover protocol dissectors written in Lua.</description><link>http://www.secuobs.com/revue/news/513140.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/513140.shtml</guid></item>
<item><title>TCP Flags for Wireshark</title><description>Secuobs.com : 2014-04-28 22:07:02 - Didier Stevens - This is a topic I'm teaching in my "Packet Class: Wireshark" training in Amsterdam next month. You can configure Wireshark to display TCP flags like Snort does. One way to do this, is to create a post-dissector and then add a column with its output (like in the screenshot above). I developed a Wireshark Lua ...</description><link>http://www.secuobs.com/revue/news/510755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/510755.shtml</guid></item>
<item><title>ssl-heartbleed.nse mod</title><description>Secuobs.com : 2014-04-24 10:20:08 - Didier Stevens - YAHP: Yet Another Heartbleed Post. I've read that some people are surprised by Nmap's ssl-heartbleed.nse script behavior: that it will not test all ports. The script is designed to test only ports with ssl. This is encoded in the portrule function: portrule = function(host, port) return shortport.ssl(host, port) or sslcert.isPortSupported(port) end. It's explained here that ...</description><link>http://www.secuobs.com/revue/news/510003.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/510003.shtml</guid></item>
<item><title>Heartbleed: Testing From a Cisco IOS Router - ssltest.tcl</title><description>Secuobs.com : 2014-04-18 11:32:11 - Didier Stevens - I wanted to know if I could exploit Heartbleed (CVE-2014-0160) from a Cisco IOS router. So I wrote a Tcl script based on Jared Stafford's Python program ssltest.py. Turns out I can: router#tclsh ssltest.tcl Opening connection Translating "cloudflarechallenge.com"...domain server (195238221) [OK] Sending handshake Received TLS record: Type: 0x16 Version: 0x0301 First data byte: 0x02 Length: ...</description><link>http://www.secuobs.com/revue/news/509080.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/509080.shtml</guid></item>
<item><title>nmap Grepable Script Output - Heartbleed</title><description>Secuobs.com : 2014-04-16 02:22:27 - Didier Stevens - Peter was looking for a way to make nmap's heartbleed script output grepable. He ended up hacking the script. I propose a method without modification of the NSE heartbleed script. Some time ago I recommended to include xml output with your nmap scans. Script output is included with each port element. I quickly adapted an ...</description><link>http://www.secuobs.com/revue/news/508474.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/508474.shtml</guid></item>
<item><title>Heartbleed: Packet Capture - Full TLS</title><description>Secuobs.com : 2014-04-11 01:13:12 - Didier Stevens - Yesterday I posted my heartbleed packet capture with an unencrypted heartbeat record. Now I post a capture with full TLS session setup, hence here the heartbeat records are encrypted. I use heartbleed.c by HackerFantastic. heartbleed_packet_capture_tls.zip (https) MD5: 7D19146C2ACC28AFAD6E1FD217E908BB SHA256: 7FDECDD05269731EDD57FFEE24323C672D620A533CD412089F055D6266C76164</description><link>http://www.secuobs.com/revue/news/507648.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507648.shtml</guid></item>
<item><title>Heartbleed: Packet Capture</title><description>Secuobs.com : 2014-04-10 00:36:16 - Didier Stevens - I could call this a cardiogram, but let's not get carried away. I took a packet capture of the heartbleed bug (CVE-2014-0160) in action. I have OpenSSL 1.0.1 (14 March 2012) running on Apache2 (Ubuntu, VMware) and executed Jared Stafford's ssltest.py script. One small modification to the script: I removed line 132 (the script transmits ...</description><link>http://www.secuobs.com/revue/news/507386.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507386.shtml</guid></item>
<item><title>PDF Rainbow Tables</title><description>Secuobs.com : 2014-04-09 03:07:35 - Didier Stevens - Looks like I hadn't blogged this video:</description><link>http://www.secuobs.com/revue/news/507145.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/507145.shtml</guid></item>
<item><title>Announcement: Wireshark Lua Dissectors</title><description>Secuobs.com : 2014-04-04 12:32:43 - Didier Stevens - To promote my Hack In The Box Wireshark training, I'll start to publish some Lua dissectors. Here is a screenshot of my TCP Flags dissector. It was generated (and adapted) with my Wireshark Lua dissector generator. It displays TCP flags like Snort does. You can clearly see the SYN - SYN/ACK - ACK phase of ...</description><link>http://www.secuobs.com/revue/news/506494.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/506494.shtml</guid></item>
<item><title>Recorded "Network Device Forensics" Talk</title><description>Secuobs.com : 2014-03-27 01:43:14 - Didier Stevens - I recorded my "Network Device Forensics" talk. Supporting media: ISSA Journal article, NAFT software.</description><link>http://www.secuobs.com/revue/news/505051.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/505051.shtml</guid></item>
<item><title>"Network Device Forensics" Talk</title><description>Secuobs.com : 2014-03-26 12:31:22 - Didier Stevens - I'm talking at infosecurity.be today: "Network Device Forensics". Supporting media: ISSA Journal article, NAFT video, NAFT software.</description><link>http://www.secuobs.com/revue/news/504920.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/504920.shtml</guid></item>
<item><title>XORSearch: Finding Embedded Executables</title><description>Secuobs.com : 2014-03-20 12:43:42 - Didier Stevens - Someone mentioned on a forum that he found a picture with an embedded, XORed executable. You can easily identify such embedded executables by xorsearching for the string "This program must be run under Win32". But if the author or compiler modifies this DOS-stub string, you will not find it. That's how I got the idea ...</description><link>http://www.secuobs.com/revue/news/503960.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/503960.shtml</guid></item>
<item><title>Handling McAfee Quarantine Files</title><description>Secuobs.com : 2014-03-14 12:28:43 - Didier Stevens - Last time I opened a McAfee quarantine file (.bup) with a hex editor, I saw something I didn't notice before: D0 CF 11 E0. The fileformat used for McAfee quarantine files is the Compound File Binary Format (also used for .doc, .xls, .msi, ...). With this new info and Google's help I found herrcore's punbup ...</description><link>http://www.secuobs.com/revue/news/502927.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/502927.shtml</guid></item>
<item><title>Forensic Use of CAT Files</title><description>Secuobs.com : 2014-03-03 01:16:10 - Didier Stevens - I found this executable A0000623.sys with 6 detections on VirusTotal. Are these false positives or true positives? The file was found in the _restore system folder. It looks like it is a Windows system file (tcp.sys), but maybe it is infected. It has no digital signature. With the help of Google, I was able to ...</description><link>http://www.secuobs.com/revue/news/500701.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/500701.shtml</guid></item>
<item><title>My Software</title><description>Secuobs.com : 2014-02-26 22:37:52 - Didier Stevens - I finally compiled a list of the software I published. You can find it under My Software. First comes an overview, and then for each software, all the versions you can download with links to the blogposts where they are mentioned.</description><link>http://www.secuobs.com/revue/news/500057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/500057.shtml</guid></item>
<item><title>The Credentials Listener</title><description>Secuobs.com : 2014-02-21 01:28:47 - Didier Stevens - I'm taking SANS' "SEC503 Intrusion Detection In-Depth" class here in Brussels. One of the exercises consisted of extracting the passwords from a capture file of a FTP password dictionary attack. I was at an advantage for this exercise. I have a Lua script for Wireshark that extracts credentials (HTTP and FTP in this release). Notice ...</description><link>http://www.secuobs.com/revue/news/499036.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/499036.shtml</guid></item>
<item><title>Video: Checking the Digital Signature of Windows Executables</title><description>Secuobs.com : 2014-01-06 05:34:48 - Didier Stevens - I produced a new video: a simple howto for users who don't know how to use Windows explorer's properties dialog to check a digital signature. Later in the video, it gets a bit more technical by using tools (AnalyzePESig and sigcheck) to check signatures.</description><link>http://www.secuobs.com/revue/news/489855.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/489855.shtml</guid></item>
<item><title>UltraEdit Scripts</title><description>Secuobs.com : 2013-12-30 22:05:16 - Didier Stevens - UltraEdit is my text editor on Windows. I developed a couple of simple scripts that I'm going to release. The first one is SubstituteEachLine.js. I run this script when I need to transform each line into another form. Take this example where I want to create a Python dictionary with these words: I start my ...</description><link>http://www.secuobs.com/revue/news/488953.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/488953.shtml</guid></item>
<item><title>Update: Prefetch File 010 Template</title><description>Secuobs.com : 2013-12-23 23:08:22 - Didier Stevens - This update to my Prefetch File 010 Template adds Sections A through D. PFTemplate_V0_0_2.zip (https) MD5: 56A98A78BD4E8D1AED88385AF1DD8446 SHA256: E15D721E46FFB8158C6D14C9A38DE4E3DD5DCD0972896441DF17590C540DBCC3</description><link>http://www.secuobs.com/revue/news/488124.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/488124.shtml</guid></item>
<item><title>Update: virustotal-submit.py V0.0.3</title><description>Secuobs.com : 2013-12-14 23:44:20 - Didier Stevens - There is extra error handling in this new version. virustotal-search and virustotal-submit have their own page now: VirusTotal Tools. virustotal-submit_V0_0_3.zip (https) MD5: 3F9F5421F711E2930AB6F80D87DF9E2B SHA256: 37CCE3E8469DE097912CB23BAC6B909C9C7F5A5CEE09C9279D32BDB9D6E23BCC</description><link>http://www.secuobs.com/revue/news/486367.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/486367.shtml</guid></item>
<item><title>MS13-098: Fixing Authenticode</title><description>Secuobs.com : 2013-12-12 00:59:40 - Didier Stevens - In 2009 I added a command to my Disitool to inject data "into" an Authenticode signature without invalidating it. This year I reported on some installer programs using this padding trick. With MS13-098, Microsoft releases a patch to prevent this signature padding trick. This change in behavior will become active June 10th 2014. But you ...</description><link>http://www.secuobs.com/revue/news/485787.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/485787.shtml</guid></item>
<item><title>4 Times Faster virustotal-search.py</title><description>Secuobs.com : 2013-12-02 01:36:42 - Didier Stevens - This is an important update to virustotal-search.py. Rereading the VT API, I noticed I missed the fact that the search query accepts up to 4 search terms. This new version submits 4 hashes at a time, making it up to 4 times faster than previous versions. virustotal-search_V0_1_0.zip (https) MD5: 9891B11C7133FD482EA837D363135737 SHA256: 923CCE2136FE038FA05C708752612915B3303B6C68BF1362159B3A6EC5FDEB1C</description><link>http://www.secuobs.com/revue/news/483752.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/483752.shtml</guid></item>
<item><title>Quickpost: nmap - xml</title><description>Secuobs.com : 2013-11-25 21:51:04 - Didier Stevens - A quick tip: since more than a year now I've been including xml output with each nmap scan I perform. I discovered that the xml output contains more (explicit) data than the other forms of output. Example: nmap -oG test.csv -oX test.xml scanme.nmap.org Starting Nmap 5.51 ( http://nmap.org ) at 2013-11-23 05:05 EST Nmap scan ...</description><link>http://www.secuobs.com/revue/news/482979.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/482979.shtml</guid></item>
<item><title>Update: find-file-in-file.py Version 0.0.3</title><description>Secuobs.com : 2013-11-15 13:58:22 - Didier Stevens - shinnai made an interesting comment when I released my tool to find contained files: he wanted to know if I could add a batch mode. I guess this batch mode is interesting when you want to check if a large set of files contains a particular file. So I added this feature and release it ...</description><link>http://www.secuobs.com/revue/news/481211.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/481211.shtml</guid></item>
<item><title>Update: naft-gfe.py</title><description>Secuobs.com : 2013-11-04 21:57:30 - Didier Stevens - This new version of the generic frame extraction tool (naft-gfe) can handle files (RAM dumps) that are too large to fit into memory. Use option -b for buffered reads. By default, the file will be read and analyzed in blocks of 101MB (100MB buffer + 1MB overlap buffer). Since the file is not read completely ...</description><link>http://www.secuobs.com/revue/news/478978.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/478978.shtml</guid></item>
<item><title>NAFT: The Movie</title><description>Secuobs.com : 2013-10-28 20:38:40 - Didier Stevens - I made a video of the Network Appliance Forensic Toolkit demo I gave at my local ISSA chapter.</description><link>http://www.secuobs.com/revue/news/477590.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/477590.shtml</guid></item>
<item><title>Update: Suspender V0.0.0.4</title><description>Secuobs.com : 2013-10-21 13:06:48 - Didier Stevens - Suspender is a DLL that suspends all threads of a process. This new version adds an option to suspend a process when it exits. Rename the dll to suspenderx.dll to activate this option (x stands for eXit). When DllMain is called with DLL_PROCESS_DETACH and the reserved argument is not NULL, the process is exiting. So ...</description><link>http://www.secuobs.com/revue/news/476002.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/476002.shtml</guid></item>
<item><title>Update: XORSearch Version 1.9.1</title><description>Secuobs.com : 2013-10-14 07:19:29 - Didier Stevens - I've been asked many times to support 32-bit keys with my XORSearch tool. But the problem is that a 32-bit bruteforce attack would take too much time. Now I found a solution that doesn't take months or years: a 32-bit dictionary attack. I assume that the 32-bit XOR key is inside the file as a ...</description><link>http://www.secuobs.com/revue/news/474401.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/474401.shtml</guid></item>
<item><title>Finding Contained Files</title><description>Secuobs.com : 2013-10-07 02:06:08 - Didier Stevens - Some time ago I had to figure out if a file was embedded inside another file. It's not a file carving problem: I had both files. I just needed to be sure that file A was contained inside file B. With a hex editor I could find parts of file A inside file B, but ...</description><link>http://www.secuobs.com/revue/news/472917.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/472917.shtml</guid></item>
<item><title>Bugfix virustotal-submit.py Version 0.0.2</title><description>Secuobs.com : 2013-09-30 15:19:56 - Didier Stevens - This is a bugfix for my virustotal-submit.py program. I fixed a bug in the error handling code for unreadable ZIP files. virustotal-submit_V0_0_2.zip (https) MD5: 1152A8507FE7A668DCDF5C44DEAD11DF SHA256: D5A4E5C3E80F98D4A82A128D8C9DBA395C2B9CDFE9F37E2B0882904D47673CE5</description><link>http://www.secuobs.com/revue/news/471573.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/471573.shtml</guid></item>
<item><title>Update: pdf-parser V0.4.3</title><description>Secuobs.com : 2013-09-18 22:22:18 - Didier Stevens - There's still time to register for my "Hacking PDF" training at Brucon next week. I introduced a bug in pdf-parser version 0.3.8 that changed the behavior of the -w option (raw). This new version is a fix for this bug. pdf-parser_V0_4_3.zip (https) MD5: 2220FFE37AEA36FC593AE33440385E76 SHA256: 1416624938359FDD375108D922350D1B7B0E41B3A40A48F778D6D72D8A405DE6</description><link>http://www.secuobs.com/revue/news/469482.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/469482.shtml</guid></item>
<item><title>Brucon Hacking PDF Training</title><description>Secuobs.com : 2013-08-30 11:50:38 - Didier Stevens - When you register before September 7th with discount code MC201305 you will get 5% discount. What do you want from training? I want to gain knowledge. I designed my "Hacking PDF" training with this goal in mind. "Hacking PDF" is a 2-day training focusing on the PDF language, not on reversing PDF readers. By attending ...</description><link>http://www.secuobs.com/revue/news/465843.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/465843.shtml</guid></item>
<item><title>Quickpost: Proxy Cookies</title><description>Secuobs.com : 2013-08-24 13:56:23 - Didier Stevens - Cookies set by network proxies can be identified by their name. BlueCoat proxy cookies start with BCSI-CS-. Cisco IronPort proxy cookies start with iptac-. The string after iptac- is the serial number of the device. Google for these and you'll find some examples. More info later. Quickpost info</description><link>http://www.secuobs.com/revue/news/464773.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/464773.shtml</guid></item>
<item><title>A Bit More Than A Signature</title><description>Secuobs.com : 2013-08-13 21:16:05 - Didier Stevens - Soon I'll release new versions of my Authenticode Tools. Detecting extra data in the signature field is one of the new features. For example, it will analyze the size specified in the optional header data directory for security, the size specified in the WIN_CERTIFICATE structure and the size specified in the PKCS7 signature itself. These ...</description><link>http://www.secuobs.com/revue/news/462702.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/462702.shtml</guid></item>
<item><title>Quickpost: Rovnix PCAP</title><description>Secuobs.com : 2013-08-04 23:05:26 - Didier Stevens - Microsoft's Malware Protection Center has a blogpost on a version of Rovnix that uses its own TCP/IP stack. I used Wireshark to capture the network traffic generated by this sample when it is executed in a VMware guest. I ran the sample on a XP SP3 guest machine in VMware. The hostname is XPPROSP3 (this ...</description><link>http://www.secuobs.com/revue/news/461071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/461071.shtml</guid></item>
<item><title>OHM2013</title><description>Secuobs.com : 2013-07-29 02:28:04 - Didier Stevens - I'm attending OHM2013. To mark the occasion of this outdoor hacker conference taking place every 2 years, I'm doing a 20% promo on my workshop videos. In case you missed it, I posted this during the weekend: MSI: The Case Of The Invalid Signature</description><link>http://www.secuobs.com/revue/news/459707.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/459707.shtml</guid></item>
<item><title>MSI: The Case Of The Invalid Signature</title><description>Secuobs.com : 2013-07-27 00:47:30 - Didier Stevens - I found a suspicious file on a Windows XP machine. I was able to trace its origin back to a Windows Installer package (.msi). This package in c:\windows\installer had an invalid digital signature. Like this: Very suspicious. A bit later I found another .msi package containing the same suspicious file. But this time, the package ...</description><link>http://www.secuobs.com/revue/news/459523.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/459523.shtml</guid></item>
<item><title>Update: Lookup Tools</title><description>Secuobs.com : 2013-07-25 22:37:29 - Didier Stevens - It looks like I didn't release this update to my lookup tools. lookup-hosts.py has a new argument: -R. This does a reverse lookup of the IP addresses (thus after it resolved the hostname). And now you can also use letters as a counter: test-[a-z].com. lookup-tools_V0_0_2.zip (https) MD5: 310904722F900FA34C567FC38634124E SHA256: 85626574A99BF4D2AB786D8C2FF5B8F6649F1FC7410F1786A24EF0201AAF64AA</description><link>http://www.secuobs.com/revue/news/459206.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/459206.shtml</guid></item>
<item><title>Update: js-unicode-unescape.1sc</title><description>Secuobs.com : 2013-07-18 20:47:53 - Didier Stevens - Because I had to use a workaround in my js-unicode-unescape.1sc script to copy an array of bytes to the clipboard, I asked the 010 Editor developers if they could add a function that does exactly this. They included this new function, CopyBytesToClipboard, in their new version 5.0. Here is a new version that uses this ...</description><link>http://www.secuobs.com/revue/news/457850.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/457850.shtml</guid></item>
<item><title>The Art Of Defuzzing</title><description>Secuobs.com : 2013-07-10 23:22:36 - Didier Stevens - I had something of a puzzle to solve. A friend asked me to look at a set of files, all of the same size, but with some differences. After some analysis, it dawned on me that these files were the result of a simple fuzzer applied to a single file. So I quickly wrote a ...</description><link>http://www.secuobs.com/revue/news/456238.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/456238.shtml</guid></item>
<item><title>Update: virustotal-search.py</title><description>Secuobs.com : 2013-07-03 22:41:14 - Didier Stevens - Mark Woan reported an issue with virustotal-search.py: sometimes VirusTotal returns a JSON object that the json parser can't parse. That's something I didn't expect. I've added error handling for this case. virustotal-search_V0_0_9.zip (https) MD5: FECD02796889CDFE9FA67287F2DE567C SHA256: 0CE06CBAFC6341835EB8A62377F5C4EB067747EE28E7ED8BB25FD69A4B99FA97</description><link>http://www.secuobs.com/revue/news/455342.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/455342.shtml</guid></item>
<item><title>shellcode2vba</title><description>Secuobs.com : 2013-06-24 06:42:50 - Didier Stevens - This update adds x64 shellcode support to my shellcode2vbs.py script. shellcode2vba_v0_3.zip (https) MD5: 44AF2685975346F9DE09E48E7FB855CE SHA256: 04C42FA26717CCC7BC17A7BEDA02C746CA1A8BC8C6CE184670CD686796B5FF10</description><link>http://www.secuobs.com/revue/news/453167.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/453167.shtml</guid></item>
<item><title>PDFiD: False Positives</title><description>Secuobs.com : 2013-06-10 10:57:33 - Didier Stevens - I'm giving a 2-day training on PDF at Brucon 2013. Early-bird price applies until June 15th. Sometimes PDFiD will give you false positives for /JS and /AA. This happens with files of a couple of MBs or bigger, because it's statistically very likely that /AA or /JS (only three bytes long) appear inside a stream. And ...</description><link>http://www.secuobs.com/revue/news/450421.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/450421.shtml</guid></item>
<item><title>pdf-parser: Searching Inside Streams</title><description>Secuobs.com : 2013-05-30 14:47:08 - Didier Stevens - I'm giving a 2-day training on PDF at Brucon 2013. Early-bird price applies until June 15th. This new version of pdf-parser comes with options to search inside streams. For example, you can select all objects with the word Linux inside a stream with this command: pdf-parser.py --searchstream Linux manual.pdf. The search is not case sensitive. To ...</description><link>http://www.secuobs.com/revue/news/448539.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448539.shtml</guid></item>
<item><title>Quickpost: Signed PDF Stego</title><description>Secuobs.com : 2013-05-15 16:34:42 - Didier Stevens - A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation. Open a signed PDF document in a hex editor and search for string /ByteRange. You'll find something like this: 36 0 obj /ByteRange [0 227012 248956 23362] /Contents &lt;308226e106092a864886f7... This indicates which byte sequences are ...</description><link>http://www.secuobs.com/revue/news/445564.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445564.shtml</guid></item>
<item><title>Adobe Reader and CRLs</title><description>Secuobs.com : 2013-05-13 20:49:33 - Didier Stevens - There's something that I wanted to test out for quite some time, but kept postponing until recently. Adobe Reader will ask confirmation before it retrieves a URL when a PDF document contains an action to do so. But what about the Certificate Revocation List in a signed PDF document? When you open a signed PDF ...</description><link>http://www.secuobs.com/revue/news/445134.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/445134.shtml</guid></item>
<item><title>Howto: Make Your Own Cert And Revocation List With OpenSSL</title><description>Secuobs.com : 2013-05-08 13:21:53 - Didier Stevens - Here is a variant to my "Howto: Make Your Own Cert With OpenSSL" method. This time, I needed a signing cert with a Certificate Revocation List (CRL) extension and an (empty) CRL. I used instructions from this post. Adding a CRL extension to a certificate is not difficult, you just need to include a configuration ...</description><link>http://www.secuobs.com/revue/news/444170.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/444170.shtml</guid></item>
<item><title>VirusTotal: Searching And Submitting</title><description>Secuobs.com : 2013-05-03 11:28:12 - Didier Stevens - This is an update for virustotal-search.py and a release of a new tool: virustotal-submit.py. I created this new tool because I needed to submit a sample stored in a password protected ZIP-file (not the ZIP-file), without extracting the sample to disk. To submit a file to VirusTotal, you just run virustotal-submit.py sample.exe. If you submit ...</description><link>http://www.secuobs.com/revue/news/443332.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443332.shtml</guid></item>
<item><title>Howto: Add a Digital Signature to a PDF File - Free Software</title><description>Secuobs.com : 2013-04-26 15:28:57 - Didier Stevens - This is an update to my post Howto: Add a Digital Signature to a PDF File, but this time I found free software. Again we use our certificate which we install (open the .p12 file). Install the free JSignPdf software. Select the PDF file to sign and select an output file (if you don't want ...</description><link>http://www.secuobs.com/revue/news/442063.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/442063.shtml</guid></item>
<item><title>js-unicode-unescape.1sc</title><description>Secuobs.com : 2013-04-21 02:03:33 - Didier Stevens - As a thank you to those who nominated me for the European Security Bloggers Awards, I'm going to release some new scripts this week. Here's the sixth one. This script does the opposite of js-unicode-escape.1sc: a Unicode escape encoded string is decoded to bytes. js-unicode-unescape_v0_0_1.zip (https) MD5: E4FF29FB631142AC995636EED4CFB2AB SHA256: C5659BCED1C6A7F92C2F7F9058DAA5807D2907283041E4F9DD1E4B6F318F2BBD</description><link>http://www.secuobs.com/revue/news/440826.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440826.shtml</guid></item>
<item><title>js-unicode-escape.1sc</title><description>Secuobs.com : 2013-04-20 02:11:06 - Didier Stevens - As a thank you to those who nominated me for the European Security Bloggers Awards, I'm going to release some new scripts this week. Here's the fifth one. 010 Editor has different functions to copy bytes from a file: as raw bytes, as hex, as base64, ... This script copies the selected bytes to ...</description><link>http://www.secuobs.com/revue/news/440734.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440734.shtml</guid></item>
<item><title>pecheck.py</title><description>Secuobs.com : 2013-04-19 02:26:03 - Didier Stevens - As a thank you to those who nominated me for the European Security Bloggers Awards, I'm going to release some new scripts this week. Here's the fourth one. pecheck.py is a wrapper for pefile, but this version has a new feature: check a PE file stored in a (password protected) ZIP file (password infected). pecheck_v0_3_0.zip ...</description><link>http://www.secuobs.com/revue/news/440529.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440529.shtml</guid></item>
<item><title>search-and-replace-with-wildcards.1sc</title><description>Secuobs.com : 2013-04-18 02:33:03 - Didier Stevens - As a thank you to those who nominated me for the European Security Bloggers Awards, I'm going to release some new scripts this week. Here's the third one. 010 Editor has a search feature with wildcards (like FC 01   10 CF), but no search and replace with wildcards (like FC 01   10 CF ...</description><link>http://www.secuobs.com/revue/news/440289.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/440289.shtml</guid></item>
<item><title>fuzzer.1sc</title><description>Secuobs.com : 2013-04-17 02:18:03 - Didier Stevens - As a thank you to those who nominated me for the European Security Bloggers Awards, I'm going to release some new scripts this week. Here's the second one. fuzzer.1sc is a 010 Editor script that implements a simple fuzzer. It overwrites bytes in a file or selection. A selection is particularly useful combined with a ...</description><link>http://www.secuobs.com/revue/news/439885.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439885.shtml</guid></item>
<item><title>shift.1sc</title><description>Secuobs.com : 2013-04-16 02:14:47 - Didier Stevens - As a thank you to those who nominated me for the European Security Bloggers Awards, I'm going to release some new scripts this week. Here's the first one. shift.1sc is a 010 Editor script that allows you to shift bytes in a file or selection. shift_v0_0_1.zip (https) MD5: 0E98DD182D12839FD86A30E696414E0A SHA256: 07D849E9E898AFA705E57474FADFF001C9CAF9DB1D51AD8C9EB7E9A2A765D714</description><link>http://www.secuobs.com/revue/news/439638.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439638.shtml</guid></item>
<item><title>New Tool: XORStrings</title><description>Secuobs.com : 2013-04-15 02:09:36 - Didier Stevens - XORStrings is best described as the combination of my XORSearch tool and the well-known strings command. XORStrings will search for strings in the (binary) file you provide it, using the same encodings as XORSearch (XOR, ROL, ROT and SHIFT). For every encoding key, XORStrings will search for strings and report the number of strings found, the ...</description><link>http://www.secuobs.com/revue/news/439420.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439420.shtml</guid></item>
<item><title>Cisco IOS Patching: Defense and Offense</title><description>Secuobs.com : 2013-03-28 00:06:07 - Didier Stevens - I will give a talk on network forensics at my local ISSA chapter. I'm preparing it with a couple of PoCs. First PoC is how changing the canary value 0xFD0110DF to another value can provide defense against exploits like FX explained in this paper. I changed the appropriate instructions so that IOS uses canary value ...</description><link>http://www.secuobs.com/revue/news/436228.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/436228.shtml</guid></item>
<item><title>Update: PDFiD Version 0.1.2</title><description>Secuobs.com : 2013-03-21 10:49:28 - Didier Stevens - This new version is a bugfix version for Python 3, plus I added a new name in the default report: /XFA. pdfid_v0_1_2.zip (https) MD5: 60FC17757201F014A6ADA0744B74A740 SHA256: 1CF36C50427A2206275C322A8C098CD96A844CAF6077B105ADE9B1974789856F</description><link>http://www.secuobs.com/revue/news/434968.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/434968.shtml</guid></item>
<item><title>Update: pdf-parser Version 0.4.1</title><description>Secuobs.com : 2013-03-13 22:59:02 - Didier Stevens - From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser: pdf-parser.py http://example.com/doc.pdf, pdf-parser.py maldoc.zip. When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https. Passing a ...</description><link>http://www.secuobs.com/revue/news/433365.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/433365.shtml</guid></item>
<item><title>Update: PDFiD Version 0.1.0</title><description>Secuobs.com : 2013-03-07 06:39:06 - Didier Stevens - A month before my PDF training at HITB, it's time to release new versions of my pdf tools. I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD: pdfid.py http://example.com/doc.pdf, pdfid.py maldoc.zip. When you pass a URL as argument, PDFiD will download the ...</description><link>http://www.secuobs.com/revue/news/431996.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/431996.shtml</guid></item>
<item><title>Looking Up Hosts and IP Addresses: Yet Another Tool</title><description>Secuobs.com : 2013-02-25 20:53:25 - Didier Stevens - One last thing regarding my TeamViewer research: I had to resolve a bunch of hostnames and IP addresses, so I quickly wrote a Python program that did just that. Later I took the time to make some generic and versatile programs: lookup-hosts.py and lookup-ips.py. lookup-hosts.py takes hostnames or files with hostnames via arguments or stdin, ...</description><link>http://www.secuobs.com/revue/news/429921.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/429921.shtml</guid></item>
<item><title>Update XORSearch V1.8.0: Shifting</title><description>Secuobs.com : 2013-02-20 23:15:23 - Didier Stevens - This new version of XORSearch comes with a new operation: shifting left. It comes in handy to reverse engineer protocols like TeamViewer's remote access protocol. Here's an example. When you run TeamViewer, your machine gets an ID. We capture some TeamViewer traffic with Wireshark, and then we use XORSearch to search for TeamViewer ID 441055893 ...</description><link>http://www.secuobs.com/revue/news/428952.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/428952.shtml</guid></item>
<item><title>Quickpost: TeamViewer and Proxies</title><description>Secuobs.com : 2013-02-15 00:21:11 - Didier Stevens - Sorry for the lack of recent posts, I've been ill and had to catch up with a lot of work. Braden Thomas wrote an interesting series of posts on reversing the TeamViewer protocol. I want to add my own observation: when TeamViewer is forced to communicate over an HTTP proxy, it will issue GET statements ...</description><link>http://www.secuobs.com/revue/news/427888.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/427888.shtml</guid></item>
<item><title>ISSA Journal Article &amp; HITB PDF Training</title><description>Secuobs.com : 2013-01-16 10:02:05 - Didier Stevens - The ISSA Journal featured my article on Network Device Forensics, making it available to everyone. And I'm giving a 2-day training on PDF at Hack In The Box Amsterdam 2013.</description><link>http://www.secuobs.com/revue/news/422009.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/422009.shtml</guid></item>
<item><title>MVP &amp; Promo &amp; Datapipe.xls</title><description>Secuobs.com : 2013-01-01 19:10:02 - Didier Stevens - Today I received my 3rd MVP award from Microsoft: MVP 2013 Consumer Security. To celebrate this, I've 2 things for you: a 20% promo on my videos, and a new utility: datapipe.xls. And like a real New Year present, you'll have to open it to find out what it is. More details later. datapipe_V0_0_0_1.zip (https) MD5: ...</description><link>http://www.secuobs.com/revue/news/419358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/419358.shtml</guid></item>
<item><title>Crossbreeding Spiders: Baiduspider And Googlebot</title><description>Secuobs.com : 2012-12-28 01:24:58 - Didier Stevens - While reviewing my webserver's logs with InteractiveSieve, I noticed a peculiar User Agent String: Mozilla/4.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html; Googlebot/2.1; http://www.google.com/bot.html). Why would Baidu and Google share a spider? They don't. It's a fake User Agent String. I've 12 IP addresses in my logs that use this User Agent String, all from China, but none resolving to a ...</description><link>http://www.secuobs.com/revue/news/418946.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/418946.shtml</guid></item>
<item><title>ListModules V0.0.0.1</title><description>Secuobs.com : 2012-12-20 01:19:27 - Didier Stevens - ListModules is a new tool to analyze PE files, like my AnalyzePESig tool. Instead of analyzing all files you point it to, it takes a snapshot of all processes, and analyses the modules (exe, dll, ...) loaded in these processes. The output is very similar to AnalyzePESig's output. Sysinternals' tool ListDLLs is a similar ...</description><link>http://www.secuobs.com/revue/news/417956.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417956.shtml</guid></item>
<item><title>PaulDotCom Security Weekly And The (ISC)² Audit</title><description>Secuobs.com : 2012-12-12 17:41:54 - Didier Stevens - Almost six years ago I blogged about submitting (ISC)² CPE points for listening to IT security podcasts. Last week I submitted CPE points for listening to 6 months of PaulDotCom Security Weekly podcasts. This CPE points submission was promptly selected for an audit by (ISC)². I received an e-mail that informed me about the audit ...</description><link>http://www.secuobs.com/revue/news/416605.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/416605.shtml</guid></item>
<item><title>Authenticode Tools Page</title><description>Secuobs.com : 2012-12-04 16:01:59 - Didier Stevens - I've added a new page to document my Authenticode Tools like AnalyzePESig. It has a small explanation for each field found in the output of AnalyzePESig. For example, the fields Issuer Unique ID and Subject Unique ID should always be 0. In the case of the Flame certificate, they are not, because the Issuer Unique ...</description><link>http://www.secuobs.com/revue/news/414933.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/414933.shtml</guid></item>
<item><title>Nmap 6.25 With McAfee ePO Agent Script</title><description>Secuobs.com : 2012-11-30 14:12:39 - Didier Stevens - This new release of Nmap includes the McAfee ePO Agent Script I blogged about.</description><link>http://www.secuobs.com/revue/news/414381.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/414381.shtml</guid></item>
<item><title>Update: AnalyzePESig Version 0.0.0.2</title><description>Secuobs.com : 2012-11-20 22:20:58 - Didier Stevens - I added several new fields to the output produced by my new tool AnalyzePESig: countCatalogs, catalogFilename, signatureTimestamp, creationtime, lastwritetime, lastaccesstime, dwFileAttributes, uiCharacteristics, extensions, issuer unique id, sections, subject unique id, notBeforeChain, notAfterChain. AnalyzePESig_V0_0_0_2.zip (https) MD5: 738F97F76921FA2220368B3F4190F534 SHA256: E0D43E04AFD242307E3E6B675A650952D2605F45FE55F0B883ACF5B22BA32A01</description><link>http://www.secuobs.com/revue/news/412554.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/412554.shtml</guid></item>
<item><title>Quickpost: Spiders and CCTV</title><description>Secuobs.com : 2012-11-15 16:19:49 - Didier Stevens - Spiders can be annoying when you own a CCTV system. Here is a picture of a spiderweb in front of one of my cameras with integrated IR LED illuminator. You can see that the reflection of IR light on the spiderweb is so strong that the glare hides all details behind the spiderweb. So when ...</description><link>http://www.secuobs.com/revue/news/411659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/411659.shtml</guid></item>
<item><title>XORSearch for OSX</title><description>Secuobs.com : 2012-11-08 23:30:13 - Didier Stevens - I made a very small change to XORSearch's source code (dropped malloc.h) so that it compiles on OSX. You can find the new version on XORSearch's page.</description><link>http://www.secuobs.com/revue/news/410447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/410447.shtml</guid></item>
<item><title>"Please Buy Our Competitor's Products"</title><description>Secuobs.com : 2012-10-31 20:59:29 - Didier Stevens - I had a very good Samurai WTF training at Brucon by Raul Siles. When Raul discussed the fact that clients are not worried about cross-site scripting when you demonstrate it with an alert box, I got the following idea: let's redirect the customer to the competitor's website. So instead of alert XSS, let's do window.location ...</description><link>http://www.secuobs.com/revue/news/408865.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/408865.shtml</guid></item>
</channel>
</rss>
 
