Newsfeeds

Didier Stevens
  • PDFTemplate
    I’m starting a series of posts with new PDF tools and new versions of my PDF tools as preparation to my Brucon workshop. Here is a PDF template for the 010 Editor. It’s particularly useful for malformed PDF files, like this example with PDFUnknown structures:

  • Quickpost: Ariad & DLL Preloading
    I’m writing this quickpost just in case you hadn’t figured this out for yourself: the techniques I described to protect machines from the .LNK vulnerability also help you mitigate the DLL preloading issue. The .LNK vulnerability mitigation examples I gave with Ariad (no file execute) and SRP prevent loading of DLLs from untrusted locations (USB [...]

  • Quickpost: .LNK Template Update
    I updated my .LNK template with info I got from comments from WndSks and Forrest Gump. This new version identifies well-known Shell GUIDs: Quickpost info

  • Quickpost: 2 .LNK Tools
    Microsoft has issued an emergency patch (MS10-046) for the .LNK file vulnerability (CVE-2010-2568). I’m releasing two small tools I developed to help me investigate this vulnerability. First one is a 010 Editor template file for the .LNK binary file format. Second one is a ClamAV signature file to find all .LNK shortcuts that load a [...]

  • Mitigating .LNK Exploitation With SRP
    As I’ve used Software Restriction Policies (SRP) on several occasions in my blogposts, and several people have suggested using SRP to protect against .LNK exploitation as an alternative to Ariad, I’ll describe how to configure SRP for the first time on a workstation that is not a member of a domain. For domain members, you [...]

  • Mitigating .LNK Exploitation With Ariad
    Today I tested @Ivanlef0u's .LNK PoC with my latest Ariad tool. I adapted the PoC to work on a CD-ROM for drive D. When you load the CD-ROM with the PoC (I use an ISO file inside a VM) and take a look at DbgView’s output, you’ll notice that the payload gets executed: With Ariad [...]

  • The Hex Factor RE Challenge
    Last year for Brucon, I produced some reverse engineering challenges (and I’m producing new ones for this year’s edition). The Hex Factor blog posted the solution for level 300. The source code for the challenge can be downloaded here. It’s completely written in assembler, even the I/O routines. Here’s a trick I used to create [...]

  • Quickpost: Preventing the /Launch Action “cmd.exe” Bypass
    Adobe has released a new Adobe Reader version that contains functionality to block my /Launch action PoC, but Bkis found a bypass: just put double quotes around cmd.exe, like this: “cmd.exe”. I did some research and discovered that Adobe implemented a blacklist of extensions for the launch action, but that the blacklisting functionality identifies the [...]

  • Quickpost: No Escape From PDF
    Adobe has released a new Adobe Reader version with a fix for my /Launch action PoC PDF. Before version 9.3.3: Since version 9.3.3: Not only is the dialog box fixed, but the /Launch action is also disabled by default. Quickpost info

  • Solving the Win7 Puzzle
    The Win7 puzzle is actually a “PDF bomb”, something I’ve hinted at long ago but hadn’t published a sample of. The PDF contains a doubly compressed object stream, which is around 100 MB large when uncompressed. Some of you might have experienced problems opening this PDF file in your favorite PDF reader; this is because [...]

Date published: Fri, 03 Sep 2010 10:38:22 +0000