An aggregator for digital forensics blogs
Here I compile EICARgen on Kali Linux to a 32-bit, statically linked Linux executable.
gcc’s option -m32 creates a 32-bit executable on 64-bit Linux.
If you get this error:
then one way to solve it is by installing libc6-dev-i386 (apt install libc6-dev-i386):
Then option -m32 can be used to create a 32-bit executable:
This executable will not run on 64-bit system that don’t have the libraries we just installed. A work-around is to statically link the ELF file with option -static:
Quickpost info
I installed pcapy on a Windows machine, but importing in Python failed due to a missing DLL.
Process Monitor showed me what was missing: wpcap.dll, a WinPcap DLL:
The DLL was missing because I had installed Npcap (an alternative for WinPcap, that provides loopback packet capture).
This problem can be fixed by setting a toggle to install a WinPcap compatible API (e.g. wpcap.dll) during installation:
Quickpost info
Windows executables (PE files) can be signed on Kali using osslsigncode.
osslsigncode needs to be installed:
apt install osslsigncode
Then you need a certificate. For this demo, I’m using a self-signed cert.
The command to sign file demo-x64.exe with the demo certificate using SHA1 and timestamping, is:
osslsigncode sign -certs cert-20180729-110705.crt -key key-20180729-110705.pem -t http://timestamp.globalsign.com/scripts/timestamp.dll -in demo-x64.exe -out demo-x64-signed.exeThe signed file is demo-x64-signed.exe
To dual sign this executable (add SHA256 signature), use this command:
osslsigncode sign -certs cert-20180729-110705.crt -key key-20180729-110705.pem -t http://timestamp.globalsign.com/?signature=sha2 -h sha256 -nest -in demo-x64-signed.exe -out demo-x64-dual-signed.exeThe signed file is demo-x64-dual-signed.exe
Of course, Windows reports the signatures as invalid, because we used a self-signed certificate. For a valid signature, you can add your certificate to the trusted root certificates store, buy a code-signing certificate, …
For single SHA256 signing, use the second osslsigncode command without option -nest.
Quickpost info