Didier Stevens, Author at Forensic Blogs

Here is an overview of content I published in 2019:

Blog posts:

Update: msoffcrypto-crack.py Version 0.0.2 Update: msoffcrypto-crack.py Version 0.0.3 Update: cut-bytes.py Version 0.0.9 Update: oledump.py Version 0.0.41 Update: translate.py Version 2.5.5 Update: pdf-parser.py Version 0.7.0 Update: pdf-parser.py Version 0.7.1 Analyzing a Phishing PDF with /ObjStm Update: re-search.py Version 0.0.13 Update: oledump.py Version 0.0.42 Maldoc: Excel 4.0 Macro Quickpost: PDF Tools Download Feature Update: pecheck.py Version 0.7.6 list-interfaces.xlsm Quickpost: Browsers & Content-Disposition Extracting “Stack Strings” from Shellcode Update: translate.py Version 2.5.6 Update: python-per-line.py Version 0.0.6 Update: format-bytes.py Version 0.0.8 Update: jpegdump.py Version 0.0.7 Quickpost: Retrieving an SSL Certificate with nmap WebDAV, NTLM & Responder DSSuite: A Docker Container With My Tools Update: zipdump Version 0.0.15 Update: hex-to-bin.py Version 0.0.2 Update: sets.py Version 0.0.3 Quickpost: C Random Functions in Other Languages Update: virustotal-search.py Version 0.1.5 New Tool: amsiscan.py Quickpost: nslookup Types Update: format-bytes.py Version 0.0.9 Quickpost: tcp-honeypot.py & Browser Tests Update: pdf-parser.py Version 0.7.2 Downloading Executables Over DNS: Capture Files Update: msoffcrypto-crack.py Version 0.0.4 Update: hash.py Version 0.0.7 Update: pecheck.py Version 0.7.7 Update: hex-to-bin.py Version 0.0.3 Update: strings.py Version 0.0.4 Update Of My PDF Tools Shark Jack Capture File PowerShell, Add-Type & csc.exe New Tool: simple_tcp_stats.py Quickpost: ExifTool, OLE Files and FlashPix Files Update: pecheck.py Version 0.7.8 Quickpost: Compiling Service DLLs with MinGW on Kali Quickpost: Running a Service DLL Update: cut-bytes.py Version 0.0.10 Update: numbers-to-string.py Version 0.0.10 Update: format-bytes.py Version 0.0.10 Steganography and Malware Update: tcp-honeypot.py Version 0.0.7 Update: numbers-to-string.py Version 0.0.9 Update: oledump.py Version 0.0.43 Analyzing .DWG Files With Embedded VBA Macros Update: oledump.py Version 0.0.44 zoneidentifier.exe Update: zipdump.py Version 0.0.16 Update: pdf-parser.py Version 0.7.4 and pdfid.py Version 0.2.7 YARA “Ad Hoc Rules”

YouTube videos:

msoffcrypto-crack Analyzing a Simple HTML Phishing Attachment Maldoc Analysis of the Weekend Finding Property Values in Office Documents PDF: Stream Objects (/ObjStm) Analyzing a Phishing PDF with /ObjStm Maldoc: Excel 4.0 Macro Maldoc Analysis: Excel 4.0 Macro Analysis of PDFs Created with OpenOffice/LibreOffice nmap Service Detection Customization Analyzing Compressed PowerShell Scripts Analyzing DAA Files Encrypted Sextortion PDFs Analyzing .DWG Files With Embedded VBA Macros AutoCAD & VBA

Videoblog posts:

SANS ISC Diary entries:

Make a Wheel in 2019! Maldoc with Nonfunctional Shellcode A Malicious JPEG? A Malicious JPEG? Second Example Malicious .tar Attachments Analyzing Encrypted Malicious Office Documents Quick Maldoc Analysis Suspicious GET Request: Do You Know What This Is? Video: Analyzing Encrypted Malicious Office Documents Video: Analyzing a Simple HTML Phishing Attachment Maldoc Analysis of the Weekend Video: Maldoc Analysis of the Weekend Have You Seen an Email Virus Recently? Finding Property Values in Office Documents Video: Finding Property Values in Office Documents Know What You Are Logging Identifying Files: Failure Happens Sextortion Email Variant: With QR Code Maldoc Analysis by a Reader Quick and Dirty Malicious HTA Analysis Wireshark 3.0.0 and Npcap Tip: Ghidra & ZIP Files Maldoc: Excel 4.0 Macros Video: Maldoc Analysis: Excel 4.0 Macro Wireshark 3.0.0 and Npcap: Some Remarks “VelvetSweatshop” Maldocs Decoding QR Codes with Python “VelvetSweatshop” Maldocs: Shellcode Analysis “404” is not Malware Maldoc Analysis of the Weekend by a Reader Analysis of PDFs Created with OpenOffice/LibreOffice Analyzing UDF Files with Python .rar Files and ACE Exploit CVE-2018-20250 Malicious VBA Office Document Without Source Code Quick Tip for Dissecting CVE-2017-11882 Exploits VBA Office Document: Which Version? Text and Text Do You Remember the SUBST Command? Video: nmap Service Detection Customization nmap Service Fingerprint Office Document & BASE64? PowerShell! Analyzing First Stage Shellcode Retrieving Second Stage Payload with Ncat Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As Tip: Sysmon Will Log DNS Queries Sysmon Version 10: DNS Logging Maldoc: Payloads in User Forms A “Stream O” Maldoc Machine Code? Malicious XSL Files Machine Code? No! isodump.py and Malicious ISO Files Malicious RTF Analysis CVE-2017-11882 by a Reader Analyzing Compressed PowerShell Scripts A Python TCP proxy Video: Analyzing Compressed PowerShell Scripts Recognizing ZLIB Compression Detecting ZLIB Compression Nmap Defcon Release: 7.80 Malicious .DAA Attachments Analysis of a Spearphishing Maldoc The DAA File Format Video: Analyzing DAA Files Compressed ISO Files (ISZ) Encrypted Sextortion PDFs Wireshark 3.0.5 Release: Potential Windows Crash when Updating Video: Encrypted Sextortion PDFs YARA XOR Strings: an Update Encrypted Maldoc, Wrong Password Maldoc, PowerShell & BITS YARA v3.11.0 released YARA’s XOR Modifier Wireshark 3.0.6 Released Using scdbg to Find Shellcode Tip: Password Managers and 2FA Remark on EML Attachments You Too? “Unusual Activity with Double Base64 Encoding” Wireshark 3.0.7 Released (Lazy) Sunday Maldoc Analysis (Lazy) Sunday Maldoc Analysis: A Bit More … VirusTotal Email Submissions Malicious .DWG Files? Wireshark 3.2.0 Released Extracting VBA Macros From .DWG Files New oledump.py plugin: plugin_version_vba Corrupt Office Documents

NVISO blog posts:

Detecting and Analyzing Microsoft Office Online Video Solving a CTF challenge: Exploiting a Buffer Overflow (video) Malicious SYLK Files with MS Excel 4.0 Macros Extracting Certificates From the Windows Registry Analyzing a Malicious Spreadsheet Dropping a DLL Nessus’ UserAssist Plugin

Several of my tools support YARA rules.

And of those tools, many support what I like to call “Ad Hoc rules” (or Here rules).

An Ad Hoc YARA rule is a rule that isn’t stored in a file, but is passed via the command line, and is generated ad hoc by the tool for you.

Take for example oledump.py.

When you issue the command “oledump.py -y trojan.yara sample.vir”, oledump will load all the rules found inside file trojan.yara, and scan the streams of document sample.vir with these rules.

But if you want to search for a simple string, say “virus.exe”, then you have to create a YARA rule to search for this string, store it inside a file, and pass this file to oledump via option -y.

Ad hoc rules make this process simpler. Ad hoc rules start with #.

To generate an ad hoc rule for a string, use prefix #s#. Like this:

oledump.py -y “#s#virus.exe sample.vir”

This will generate the following YARA rule:

rule string {strings: $a = “virus.exe” ascii wide nocase condition: $a}

You can also use #x# for hexadecimal, oledump.py -y “#x#D0 CF 11 E0” sample.vir:

rule hexadecimal {strings: $a = { D0 CF 11 E0 } condition: $a}

And #r# for regular expressions, oledump.py -y “#r#[a-z]+” sample.vir

rule regex {strings: $a = / [a-z]+ / ascii wide nocase condition: $a}

And you can also pass YARA rules literally (#), hexadecimal encoded (#h#) and base64 encoded (#b#).

And finally, for passing rules literally with double-quotes (“), you can use #q#: this will replace every single quote (‘) with a double quote (“).

Overview of Content Published in 2019

Overview of Content Published in December

YARA “Ad Hoc Rules”