In part 2, we are going to take a closed look at the image in object 3. First we dump the stream and look at the beginning and end: FF D8 is the Start Of Image Marker of a JPEG image. FF D9 is the Eod Of Image Marked of a JPEG image. It's likely that we are indeed dealing with a JPEG image, and not something else. Next I check if I can find strings inside the JPEG image: With my maldoc YARA rules (maldoc.yara found in the oledump.py ZIP package) I can search for shellcode:
The second line will perform the same scan, but with decoders to see if the shellcode is encoded with simple encoding techniques (XOR 1 byte, ADD 1 byte and ROL 1 byte). There is no output from these commands, the YARA rules don't trigger: this means we can't find shellcode inside the image. This does not necessarily mean there is no shellcode, but that we can't find any... In part 3, we'll take a deeper look... Didier Stevens |
DidierStevens 316 Posts ISC Handler |
Reply Subscribe |
Sep 4th 2017 1 year ago |
Sign Up for Free or Log In to start participating in the conversation!