SANS Internet Storm Center, InfoCON: green

SANS Internet Storm Center - Cooperative Cyber Security Monitor

ISC Stormcast For Monday, September 26th 2016 https://isc.sans.edu/podcastdetail.html?id=5181, (Mon, Sep 26th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

VBA and P-code, (Mon, Sep 26th)

I want to draw your attention to some great work Dr. Bontchev did: pcodedmp.py, a VBA P-code disassembler. Microsoft Office documents store VBA macros in two forms: the (compressed) source code and the compiled P-code. When the document was compiled by the same VBA version as the one opening it, Office runs the P-code directly and never consults the source. Dr. Bontchev created a proof-of-concept document that executes P-code and does not contain the corresponding source code, so a tool that only decompresses and displays the source stream shows nothing of the behaviour below. Here is the output from his pcodedmp.py tool for his PoC document:

    python pcodedmp.py -d poc2b.doc
    Processing file: poc2b.doc
    ===============================================================================
    Module streams:
    Macros/VBA/ThisDocument - 1949 bytes
    Line #0:
            FuncDefn (Sub / Property Set) func_00000078
    Line #1:
            LitStr 0x001D "This could have been a virus!"
            Ld vbInformation
            Ld vbOKOnly
            Add
            LitStr 0x0006 "Virus!"
            ArgsCall MsgBox 0x0003
    Line #2:
            LitStr 0x0008 "calc.exe"
            Paren
            ArgsCall Shell 0x0001
    Line #3:
            EndSub

The disassembly shows a MsgBox call followed by Shell "calc.exe", all recovered from the P-code alone. Dr. Bontchev also coded a plugin for oledump.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com
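The diary explains why a document can carry runnable P-code without its source. The following is an added example, not code from the diary, from pcodedmp or from oledump: it implements the MS-OVBA "compressed container" codec that Office uses for the source portion of a module stream, splits a module stream at MODULEOFFSET (the value the dir stream records for each module) into the P-code part and the compressed source part, and flags a module whose decoded source is nothing but Attribute lines while P-code precedes it. The module streams, the MODULEOFFSET value and the FAKE_PCODE bytes are constructed for the example; FAKE_PCODE is opaque filler standing in for a PerformanceCache, not real P-code. The check is a coarse indicator only; confirm a hit by disassembling the P-code with pcodedmp.

```python
import struct

# MS-OVBA compressed container (MS-OVBA 2.4.1): 0x01 signature, then chunks of
# 2-byte header + up to 4096 decompressed bytes encoded as flag byte + 8 tokens.
def decompress(container: bytes) -> bytes:
    """Decode the CompressedSourceCode part of a module stream."""
    if not container or container[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out, pos = bytearray(), 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        size = (header & 0x0FFF) + 3          # chunk size including its 2-byte header
        end = min(pos + size, len(container))
        chunk_start = len(out)                # copy-token offsets are chunk-relative
        pos += 2
        if not header & 0x8000:               # flag 0: 4096 raw bytes follow
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:    # literal byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                difference = len(out) - chunk_start
                bit_count = max((difference - 1).bit_length(), 4)   # ceil(log2(diff)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):      # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)

def compress(data: bytes) -> bytes:
    """Encode with MS-OVBA using a simple greedy matcher (enough for VBA text)."""
    out = bytearray(b"\x01")
    for cs in range(0, len(data), 4096):
        chunk = data[cs:cs + 4096]
        body, pos = bytearray(), 0
        while pos < len(chunk):
            flags, tokens = 0, bytearray()
            for bit in range(8):
                if pos >= len(chunk):
                    break
                bit_count = max((pos - 1).bit_length(), 4)
                max_len = (0xFFFF >> bit_count) + 3
                best_len, best_off = 0, 0
                for off in range(1, pos + 1):
                    n = 0
                    while n < max_len and pos + n < len(chunk) and chunk[pos + n - off] == chunk[pos + n]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
                if best_len >= 3:
                    tokens += struct.pack("<H", ((best_off - 1) << (16 - bit_count)) | (best_len - 3))
                    flags |= 1 << bit
                    pos += best_len
                else:
                    tokens.append(chunk[pos])
                    pos += 1
            body.append(flags)
            body += tokens
        if len(body) > 4096:                  # incompressible: store raw, zero-padded to 4096
            out += struct.pack("<H", 0x3FFF) + chunk.ljust(4096, b"\x00")
        else:
            out += struct.pack("<H", 0x8000 | 0x3000 | (len(body) + 2 - 3)) + body
    return bytes(out)

def module_parts(stream: bytes, module_offset: int):
    """Split a module stream at MODULEOFFSET: PerformanceCache (P-code) first, then compressed source."""
    return stream[:module_offset], stream[module_offset:]

def attribute_only(source: bytes) -> bool:
    """True when the source holds nothing but 'Attribute ...' lines (no procedures at all)."""
    lines = [ln.strip() for ln in source.splitlines() if ln.strip()]
    return all(ln.startswith(b"Attribute ") for ln in lines)

def check_module(stream: bytes, module_offset: int) -> dict:
    """Coarse stomping indicator: P-code present, but the shipped source has no code."""
    pcode, comp = module_parts(stream, module_offset)
    src = decompress(comp)
    return {"pcode_bytes": len(pcode), "source": src,
            "suspicious": len(pcode) > 0 and attribute_only(src)}

# Constructed sample data (not from any real document). FAKE_PCODE is filler, not real P-code.
FAKE_PCODE = bytes(range(1, 65))
NORMAL_SRC = b'Attribute VB_Name = "ThisDocument"\r\nSub AutoOpen()\r\n    MsgBox "hello"\r\nEnd Sub\r\n'
STOMPED_SRC = b'Attribute VB_Name = "ThisDocument"\r\n'   # source removed, P-code left in place
NORMAL_STREAM = FAKE_PCODE + compress(NORMAL_SRC)
STOMPED_STREAM = FAKE_PCODE + compress(STOMPED_SRC)
MODULE_OFFSET = len(FAKE_PCODE)

if __name__ == "__main__":
    for name, stream in (("normal", NORMAL_STREAM), ("stomped", STOMPED_STREAM)):
        r = check_module(stream, MODULE_OFFSET)
        print(name, r["pcode_bytes"], "P-code bytes,", len(r["source"]), "source bytes, suspicious =", r["suspicious"])
```

In a real file the module streams live under the VBA storage of the OLE container (Macros/VBA/ThisDocument in the PoC above) and MODULEOFFSET comes from the MODULEOFFSET record of the dir stream, so an OLE parser such as olefile is needed in front of these functions; the codec and the check themselves are what this example shows.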