Digital Forensics Archives | Page 3 of 435

July 25, 2020 by Didier Stevens

Update: oledump.py 0.0.52

This new version of oledump.py brings support for AES encrypted ZIP files via Python module pyzipper (Python 3 only). If module pyzipper is not installed, oledump will fall back to builtin module zipfile.

And plugin plugin_vbaproject.py does now a small dictionary attack on the extracted hash to try to recover the password.

I use the same dictionary as in zipdump.py, a dictionary that is the public domain, default wordlist used by John the Ripper, extended with a couple of passwords: infected, P@ssw0rd and VelvetSweatshop.

oledump_V0_0_52.zip (https)
MD5: 2528824D8A7CD2BE98615B1B1AE8C61A
SHA256: C47A9CC658571FF23E70264B4DD4F8F47D244708E7110EA0A28128F175CF80F5

July 24, 2020 by Didier Stevens

ndisasm 2.15 stdin Bug Fix

I like to pipe commands together, especially when doing malware analysis.

ndisasm is the disassembler of NASM. I like to use it, because it’s a single executable (for major operating systems) and accepts input from stdin.

But there was an issue with Windows versions: stdin was opened in text mode, and not in binary mode. This can result in disassembly errors, like in the following example. I send 7 bytes to ndisasm via stdin, and the 4th byte is 0x1A (CTRL-Z): this is the end-of-file marker for Windows text files:

As can be seen, only the first 3 bytes are disassembled, and all bytes from 0x1A on are ignored.

I filled a bug fix with code the fix the issue, and this was integrated in version 2.15:

July 19, 2020 by Didier Stevens

Cracking VBA Project Passwords

VBA projects can be protected with a password. The password is not used to encrypt the content of the VBA project, it is just used as protection by the VBA IDE: when the password is set, you will be prompted for the password.

Tools like oledump.py are not hindered by a VBA password, they can extract VBA code without problem, as it is not encrypted.

The VBA password is stored as the DPB value of the PROJECT stream:

You can remove password protection by replacing the values of ID, CMG, DPB and GC with the values of an unprotected VBA Project.

Thus a VBA password is no hindrance for staticanalysis.

However, we might still want to recover the password, just for the fun of it. How do we proceed?

The password itself is not stored inside the PROJECT stream. In stead, a hash is stored: the SHA1 hash of the password (MBCS representation) + 4 byte salt.

Then, this hash is encrypted (data encryption as described in MS-OVBA 2.4.3.2) and the hexadecimal representation of this encrypted hash is the value of DPB.

This data encryption is done according to an algorithm that does not use a secret key. I wrote an oledump.py plugin (plugin_vbaproject.py) to decrypt the hash and display it in a format suitable for John the Ripper and Hashcat:

The SHA1 of a password + salt is a dynamic format in John the Ripper: dynamic_24.

For Hashcat, it is mode 110 and you also need to use option –hex-salt.

Remark that the password passed as argument to the SHA1 function is represented in Multi Byte Character Set format. This means that ASCII characters are represented as bytes, but that non-ASCII characters might be represented with more than one byte, depending on the VBA project’s code page.