The history and utilities of information security specialist Didier Stevens

11 February 2025 · 7 minutes · Author: Lady Liberty

The article examines his best-known utilities, their practical applications and how they work. It also raises the importance of open-source solutions in cybersecurity and their impact on the professional community. The text will help readers understand how modern analysis tools work, what problems they solve and why Stevens’s work remains relevant.

Hacking Utilities by Didier Stevens

Didier Stevens is a Belgian information security specialist and developer, known for his tools for analyzing files and testing for vulnerabilities. He specializes in Windows password research and in the analysis of PDF documents, including the ways they can be modified to carry malicious files. He is also the author of the open-source Didier Stevens Suite, which includes 140 programs for working with files, processes, the registry and other system components. Among his developments is even a Windows task manager implemented in Excel/VBA.

Career

Didier Stevens, according to his LinkedIn profile, started programming over 40 years ago and has no intention of stopping. Since the 1980s he has been fascinated by reverse engineering malware and continues to explore this area to this day. If anyone has an interesting sample to analyze, he is open to receiving such files by e-mail.

His official career began in 1991 at the Belgian provider Belgacom; he later worked at Euroclear and IP Globalnet. From 2000 to 2016 he was a security consultant at Microsoft, initially on a freelance basis, and later received Microsoft MVP status in the field of user protection.

In 2012 he founded Didier Stevens Labs, which is still operating today. It is likely through this legal entity that he provides consulting services, earning considerably more than a regular contractor would. Experienced programmers often register their own companies to streamline their operations.

He is currently self-employed while also serving as a senior analyst at NVISO, a company specializing in cybersecurity and cyberattack prevention. He is also a senior handler at the SANS Institute’s Internet Storm Center (ISC), which studies current cyberthreats.

Projects

Information security specialists may have come across the open-source Didier Stevens Suite, a collection of 140 small programs.

Here are some:

  • Ariad: a tool (driver) for blocking code execution after a USB flash drive is inserted into a port

  • base64dump: extracts base64 strings from a file

  • BinaryTools: simple tools for binary operations: reverse (invert a file) and middle (extract a sequence)

  • bpmtk: the Basic Process Manipulation Tool Kit

  • BruteForceEnigma: a program for brute-forcing Enigma ciphers

  • cipher-tool: encodes and decodes text with simple ciphers

  • cmd-dll: the ReactOS cmd.exe converted into a DLL

  • CounterHeapSpray: a process protection tool that monitors an application’s memory usage to guard against heap spraying

  • CreateCertGUI: generates your own OpenSSL certificate (a GUI for Windows)

  • decode-vbe: decodes VBE files

  • decompress_rtf: a tool to decompress compressed RTF

  • disitool: a tool for working with the digital signatures of Windows executables

  • emldump: MIME file parsing

  • extractscripts: extracts each script from an HTML file into a separate file

  • file-magic: a file wrapper (libmagic)

  • file2vbscript: embeds an executable in a VBScript script

  • FileScanner: scans files for specific patterns

  • find-file-in-file: checks for files nested inside a file

  • HeapLocker: a process protection tool similar to EMET but open source (against heap spraying attacks)

  • InstalledPrograms: a spreadsheet listing installed programs from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

  • InteractiveSieve: a GUI tool for analyzing files with tabular output, useful when you don’t know exactly what you’re looking for

  • NetworkMashup: network utilities (ping, DNS) written in Excel/VBA

  • psurveil: uses a Nokia N800 as a surveillance camera (taking photos at a set interval); although hardly anyone uses such phones anymore, the idea of turning an old, unneeded smartphone into a surveillance camera or baby monitor is appealing, as it keeps equipment that is still useful around the house out of the bin

  • virustotal-submit: submits files to VirusTotal for scanning

  • vs: a Python program for using IP cameras as surveillance cameras: it takes photos at specified intervals and automatically launches a specified program (for example, to compare a new frame with the previous one for significant differences)

  • what-is-new: a utility for identifying new items in a list

  • wsrradial: a WiFi radial signal plotting tool based on Wi-Spy (now called Chanalyzer) data, which helps identify interference and congestion in the 2.4 and 5 GHz bands

  • XORSearch and XORStrings: search for a given string in files that have been obfuscated with XOR, ROL, ROT, SHIFT, etc.

  • ZIPEncryptFTP: a backup program that archives specified folders, encrypts the archive and copies it via FTP to a specified location
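As an added illustration of the technique behind XORSearch (this is example code written for this article, not Stevens’ own implementation), the following Python script encodes a known plaintext needle under every single-byte XOR key, every ROL bit count and every ROT letter shift, and looks for each encoded form in a buffer. Encoding the short needle per key and searching for it verbatim is far cheaper than decoding the whole file once per key, which is why brute-forcing the entire key space is practical. The needle and the buffer it is hidden in are constructed here for the demonstration.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Single-byte XOR: the same operation encodes and decodes.
def encode_xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

# Rotate every byte left by `bits` (1..7); XORSearch's ROL.
def encode_rol(data: bytes, bits: int) -> bytes:
    return bytes(((b << bits) | (b >> (8 - bits))) & 0xFF for b in data)

# Caesar shift of ASCII letters only; other bytes are left untouched (XORSearch's ROT).
def encode_rot(data: bytes, shift: int) -> bytes:
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + shift) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + shift) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)

# Encoding name -> (encoder, key space). XOR key 0 covers the unencoded case.
ENCODERS: Dict[str, Tuple[Callable[[bytes, int], bytes], Iterable[int]]] = {
    "xor": (encode_xor, range(256)),
    "rol": (encode_rol, range(1, 8)),
    "rot": (encode_rot, range(1, 26)),
}

def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in haystack (overlaps included)."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1

def search_encoded(data: bytes, needle: bytes) -> List[Tuple[str, int, int]]:
    """Return (encoding, key, offset) for every place an encoded form of needle occurs."""
    hits = []
    for name, (encode, keys) in ENCODERS.items():
        for key in keys:
            for offset in find_all(data, encode(needle, key)):
                hits.append((name, key, offset))
    return hits

# Constructed sample: the DOS-stub string from PE files, hidden three ways in one buffer.
NEEDLE = b"This program cannot be run in DOS mode"
SAMPLE = (
    b"\x00" * 16
    + encode_xor(NEEDLE, 0x5A)
    + b"\x00" * 8
    + encode_rol(NEEDLE, 3)
    + b"\x00" * 8
    + encode_rot(NEEDLE, 13)
)

if __name__ == "__main__":
    for name, key, offset in search_encoded(SAMPLE, NEEDLE):
        print(f"{name} key={key:#04x} offset={offset:#06x}")
```

Run as a script it reports the three hiding places; in practice the needle would be a string the analyst expects in the decoded payload (a DOS stub, a URL scheme, a known library name), and each hit gives the key needed to decode the surrounding region.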

PDF parsing and cracking

Didier Stevens is a recognized expert on PDF, especially the study of its vulnerabilities and hidden features. It is to this topic that he devoted his only academic article, “Malicious PDF Documents Explained”, published in the journal IEEE Security & Privacy (2011, Volume 9, Issue 1, DOI: 10.1109/MSP.2011.14).

Among his many developments, the most popular is the PDF Tools suite, which includes the command-line tool pdf-parser.py, designed for detailed analysis of PDF files, including encrypted ones.

For example, in one of his webinars for beginners, Didier demonstrated how a DOCX can be hidden inside a PDF document, which loads an RTF, which in turn launches a malicious file. The result is a multi-stage malicious document with a hidden threat.

On his blog, he examined in detail various techniques for manipulating PDF files: methods for hiding traces of embedded objects, the possibility of launching them automatically, and the process of cracking password-protected documents. His materials cover password recovery, key recovery and decryption of PDF files using his own tools.
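As an added example of the keyword triage that pdfid.py and pdf-parser.py perform (written for this article; it is not Stevens’ code, and the PDF it inspects is constructed inline for the demonstration), the following Python script walks each `obj ... endobj` region, undoes the `#xx` hex escapes that the PDF syntax permits inside names (a trick that hides /OpenAction or /JavaScript from a naive string search), and reports which objects carry names worth a closer look.

```python
import re
from typing import Dict, List

# Names whose presence in an object warrants a closer look (same idea as pdfid's keyword counts).
SUSPICIOUS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
              "/EmbeddedFile", "/RichMedia", "/ObjStm")

# "N G obj ... endobj" regions; DOTALL so the body may span lines.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# A #xx hex escape inside a PDF name, e.g. /Open#41ction.
NAME_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_names(chunk: bytes) -> bytes:
    """Undo #xx escapes so that /Open#41ction reads /OpenAction."""
    return NAME_ESC_RE.sub(lambda m: bytes([int(m.group(1), 16)]), chunk)

def triage_pdf(data: bytes) -> Dict[int, List[str]]:
    """Map object number -> suspicious names found in that object's dictionary."""
    findings: Dict[int, List[str]] = {}
    for m in OBJ_RE.finditer(data):
        obj_id = int(m.group(1))
        # Only the dictionary before any stream data is inspected; stream contents
        # would have to be decompressed first, which pdf-parser.py does on request.
        dictionary = normalize_names(m.group(3).split(b"stream", 1)[0])
        found = [
            name for name in SUSPICIOUS
            # The lookahead keeps /JS from matching inside a longer name that starts the same way.
            if re.search(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])", dictionary)
        ]
        if found:
            findings[obj_id] = found
    return findings

# Constructed sample PDF: the catalog's OpenAction points at a JavaScript action,
# with both names hex-escaped the way obfuscated documents do.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Open#41ction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for obj_id, names in sorted(triage_pdf(SAMPLE_PDF).items()):
        print(f"object {obj_id}: {', '.join(names)}")
```

A plain `grep OpenAction` over the sample finds nothing, while the script reports object 1 (the catalog with its escaped /OpenAction) and object 4 (the JavaScript action). Objects whose dictionaries live inside compressed object streams (/ObjStm) are only flagged by their container here; that is the point at which an analyst would switch to pdf-parser.py to inflate the stream and repeat the check on its contents.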

In one of his posts, Didier Stevens described in detail how to intentionally corrupt a PDF file so that it becomes completely unreadable in any viewer. As it turned out, there were even “businessmen” on the Internet who sold such corrupted documents to students and office workers as a way to justify not completing work on time. Thanks to Stevens’ write-up, however, anyone can do it for free, simply by changing a few bytes in the file.

His story shows that a successful cybersecurity career often begins with experiments and hacking research. Over time, with accumulated experience and a serious approach to the work, such specialists become leading experts who are invited to consult for large corporations and speak at international conferences.
