Tampering With Digitally Signed VBA Projects

As I explained in blog post VBA Purging, VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode). If you alter the compiled code (PerformanceCache) properly and leave the source code (CompressedSourceCode) of a signed VBA project untouched, you can change the behavior of a signed...

2d

Update: base64dump.py Version 0.0.12

This new version of base64dump.py adds the following new features: encoding zxc (0x4D,0x5A,0x90,…) update for YARA rules update for –cut option option -A: run-length encoded HEX/ASCII dump warning when no encoding was selected environment variable to set hash algorithm (DSS_DEFAULT_HASH_ALGORITHMS) option –jsonoutput option -T: headtail option...

6d

Overview of Content Published in June

Here is an overview of content I published in June: Blog posts: add-admin: Tiny EXE To Add Administrative Account Update: translate.py Version 2.5.8 FalsePositive GitHub Repository VBA Purging YouTube videos: YARA’s BASE64 Strings Videoblog posts: Maldoc Analysis With xlm-deobfuscator SANS@MIC – Maldocs: a bit of blue, a bit of red...

2w

VBA Purging

VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode). VBA stomping consist in altering or suppressing CompressedSourceCode and leaving the PerformanceCache unchanged: As you can imagine, it must also be possible to change the PerformanceCache and leaving CompressedSourceCode...

3w

FalsePositive GitHub Repository

As I’m fed up with Google’s false positives on some of my tools on DidierStevens.com, I’m moving them to a new GitHub repository: FalsePositives. FYI, here is their User Agent String: Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)

4w

Update: translate.py Version 2.5.8

This is a small Python 3 bugfix version. translate_v2_5_8.zip (https) MD5: 677BD5D6007F264A05D23A9A01B3DD13 SHA256: 977D7A87F771F5E86A6B57D2B565D7C789A7AC7696599E8B7412E9051D66DCFF

Jun 2020

add-admin: Tiny EXE To Add Administrative Account

I wrote a tiny EXE program (1,5 KB) that creates an account and adds it to the local administrators group. It’s written in 32-bit assembly code (it’s not shellcode), and needs to be assembled with nasm and then linked to a PE file. The first 3 %define statements define the account name, password and local group. ; Assembly code to add a new local...

Jun 2020

Overview of Content Published in May

Here is an overview of content I published in May: Blog posts: Quickpost: Empty ZIP File Quickpost: Go: Building For Multiple Operating Systems Update: XORSelection.1sc Version 5.0 Quickpost: curl And SSPI Proxy Authentication Update: oledump.py Version 0.0.50 AdHoc GitHub Repository New Tool: simple_ip_stats.py YouTube videos: EICAR...

Jun 2020

New Tool: simple_ip_stats.py

Some time ago, I created a tool to calculate the entropy of TCP data for a colleague. And a bit later, he asked me for a tool for UDP. I have now merged these 2 tools, and added support for other protocols transported by IPv4 and IPv6. And I will no longer maintain simple_tcp_stats.py and simple_udp_stats.py. This new tool simple_ip_stats.py is a...

May 2020

AdHoc GitHub Repository

Next to GitHub repositories DidierStevensSuite and Beta to share my tools, I have now repository AdHoc. AdHoc is a repository for adhoc scripts: scripts that serve a very specific purpose, and that will most likely not be maintained, maybe just a few cycles. For example, it contains script excel_brute_force_formula_fill.py, a script that I wrote to...

May 2020