An aggregator for digital forensics blogs
I installed pcapy on a Windows machine, but importing in Python failed due to a missing DLL.
Process Monitor showed me what was missing: wpcap.dll, a WinPcap DLL:
The DLL was missing because I had installed Npcap (an alternative for WinPcap, that provides loopback packet capture).
This problem can be fixed by setting a toggle to install a WinPcap compatible API (e.g. wpcap.dll) during installation:
Quickpost info
Windows executables (PE files) can be signed on Kali using osslsigncode.
osslsigncode needs to be installed:
apt install osslsigncode
Then you need a certificate. For this demo, I’m using a self-signed cert.
The command to sign file demo-x64.exe with the demo certificate using SHA1 and timestamping, is:
osslsigncode sign -certs cert-20180729-110705.crt -key key-20180729-110705.pem -t http://timestamp.globalsign.com/scripts/timestamp.dll -in demo-x64.exe -out demo-x64-signed.exeThe signed file is demo-x64-signed.exe
To dual sign this executable (add SHA256 signature), use this command:
osslsigncode sign -certs cert-20180729-110705.crt -key key-20180729-110705.pem -t http://timestamp.globalsign.com/?signature=sha2 -h sha256 -nest -in demo-x64-signed.exe -out demo-x64-dual-signed.exeThe signed file is demo-x64-dual-signed.exe
Of course, Windows reports the signatures as invalid, because we used a self-signed certificate. For a valid signature, you can add your certificate to the trusted root certificates store, buy a code-signing certificate, …
For single SHA256 signing, use the second osslsigncode command without option -nest.
Quickpost info
To compile a Windows executable with version information and an icon on Kali, we use MinGW again.
The version information and icon (demo.ico) we want to use are defined in a resource file (demo.rc):
#include "winver.h" #define IDI_ICON1 101 ///////////////////////////////////////////////////////////////////////////// // // Version // #define VER_FILEVERSION 0,0,0,1 #define VER_FILEVERSION_STR "0.0.0.1\0" #define VER_PRODUCTVERSION 0,0,0,1 #define VER_PRODUCTVERSION_STR "0.0.0.1\0" #ifndef DEBUG #define VER_DEBUG 0 #else #define VER_DEBUG VS_FF_DEBUG #endif VS_VERSION_INFO VERSIONINFO FILEVERSION VER_FILEVERSION PRODUCTVERSION VER_PRODUCTVERSION FILEFLAGSMASK VS_FFI_FILEFLAGSMASK FILEFLAGS VER_DEBUG FILEOS VOS__WINDOWS32 FILETYPE VFT_APP FILESUBTYPE VFT2_UNKNOWN BEGIN BLOCK "StringFileInfo" BEGIN BLOCK "040904E4" BEGIN VALUE "CompanyName", "example.com" VALUE "FileDescription", "demo" VALUE "FileVersion", VER_FILEVERSION_STR VALUE "InternalName", "demo.exe" VALUE "LegalCopyright", "Public domain" VALUE "OriginalFilename", "demo.exe" VALUE "ProductName", "demo" VALUE "ProductVersion", VER_PRODUCTVERSION_STR END END BLOCK "VarFileInfo" BEGIN VALUE "Translation", 0x409, 1252 END END ///////////////////////////////////////////////////////////////////////////// // // Icon // // Icon with lowest ID value placed first to ensure application icon // remains consistent on all systems. IDI_ICON1 ICON "demo.ico" /////////////////////////////////////////////////////////////////////////////More info on the VERSIONINFO resource can be found here.
We use the resource compiler windres, and then the gcc compiler.
Compile for 64-bit:
x86_64-w64-mingw32-windres demo.rc demo-resource-x64.o x86_64-w64-mingw32-gcc -o demo-x64.exe demo-resource-x64.o demo.cCompile for 32-bit:
i686-w64-mingw32-windres demo.rc demo-resource-x86.o i686-w64-mingw32-gcc -o demo-x86.exe demo-resource-x86.o demo.c
DemoResource_V_0_0_0_1.zip (https)
MD5: 9104DDC70264A9C2397258F292CC8FE4
SHA256: 722B3B52BAE6C675852A4AC728C08DBEEF4EC9C96F81229EF36E30FB54DC49DE
Quickpost info