Origami 1.0 released!

Tue 24 May 2011 by guillaume

I am pleased to announce the first stable release of Origami, the PDF manipulation framework! A lot of cool new features have been added since the last beta, and I consider the framework stable enough now. This release introduces the support for AES256 encryption/decryption, partial support for ...


Sniffing USB traffic with VMWare

Wed 06 April 2011 by jj

VMWare offers the possibility to dump any USB traffic at the lowest level to a dump file. We'll describe here how to activate this feature, and additionally publish a script to convert the dump file to the PCAP format, suitable for use with Wireshark.

Enable USB logging

VMWare can ...


x64 spoon

Wed 16 February 2011 by ivan

While coding and debugging some low-level stuff I sometimes need to write a little piece of assembly code to see if I'm right. Until now, I was writing code into a process debugged with OllyDbg, and stepping through it. Pretty ugly, but it works when you want to know what ...


Splitting a mercurial repository : HgSplit

Wed 09 February 2011 by jj

Here at the R&D lab we use Mercurial for our code versioning.

One of the problems we faced was that sometimes we would commit big files like PDFs or raw data into a repository. This is fine, as long as the repository remains for internal eyes only. Then at ...


IIS Backdoor

Wed 02 February 2011 by julien

In this article I will explain how I designed a rootkit for Microsoft Internet Information Services (IIS). The question is: why a backdoor in a web server?

First obvious but useless answer: because we can.

Ok, let us give a more clever answer. The purpose of backdooring a web server ...


Metasm recipes: working with a process image

Tue 18 January 2011 by jj

Today we'll discuss how metasm can be used to work with a process memory dump, and also how to search for gadgets suitable for a short ROP sequence.

While working on a vulnerability on a windows server, we had the following premises:

  • Non-executable heap
  • Randomised address space (except for ...
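The gadget hunt mentioned above, as an added example that is neither metasm's code nor the article's: a toy x86-32 decoder that only understands push/pop/nop/leave/ret and "add esp, imm8" scans a byte image for every ret and walks backwards to list the decodable sequences ending on it. The image and its base address are constructed for the demo and stand in for a non-randomised module dumped from the target process (an assumption); with metasm you would disassemble properly instead of using this decoder, but the search loop is the same.

```ruby
# Added example (not metasm's code, not from the original article): a
# minimal x86-32 gadget finder. It recognises only a handful of
# instructions, so it reports only gadgets whose every byte decodes;
# anything it cannot decode is simply not reported.

REGS32 = %w[eax ecx edx ebx esp ebp esi edi].freeze

# Decode one instruction at `off`; returns [mnemonic, length] or nil.
def decode_insn(bytes, off)
  op = bytes.getbyte(off)
  return nil if op.nil?
  case op
  when 0x50..0x57 then ["push #{REGS32[op - 0x50]}", 1]
  when 0x58..0x5f then ["pop #{REGS32[op - 0x58]}", 1]
  when 0x90       then ['nop', 1]
  when 0xc9       then ['leave', 1]
  when 0xc3       then ['ret', 1]
  when 0x83
    # add esp, imm8 is "83 c4 ib"; other 0x83 forms are left undecoded
    imm = bytes.getbyte(off + 2)
    ["add esp, #{imm}", 3] if bytes.getbyte(off + 1) == 0xc4 && imm
  end
end

# Decode straight-line code from `start` and accept it only if it lands
# exactly on the ret at `ret_off` without crossing another ret.
def decode_chain(bytes, start, ret_off)
  insns = []
  off = start
  while off < ret_off
    insn = decode_insn(bytes, off)
    return nil if insn.nil? || insn[0] == 'ret'
    insns << insn[0]
    off += insn[1]
  end
  return nil unless off == ret_off
  insns << 'ret'
end

# Map of address => "insn ; insn ; ret" for every decodable gadget that
# starts at most `depth` bytes before a ret.
def find_gadgets(image, base:, depth: 8)
  gadgets = {}
  (0...image.bytesize).each do |ret_off|
    next unless image.getbyte(ret_off) == 0xc3
    (0..depth).each do |back|
      start = ret_off - back
      next if start < 0
      chain = decode_chain(image, start, ret_off)
      gadgets[base + start] = chain.join(' ; ') if chain
    end
  end
  gadgets
end

# Lowest-address gadget whose text starts with `want`, e.g. "pop ebx".
def pick_gadget(gadgets, want)
  addr, = gadgets.sort.find { |_addr, text| text.start_with?(want) }
  addr
end

# Constructed stand-in for a code page dumped from a non-randomised
# module (assumption: in the real case you dump the module from the
# target process and use its actual load address).
BASE = 0x00401000
SAMPLE_IMAGE = [
  0x55, 0x8b, 0xec,             # push ebp ; mov ebp, esp  (mov is undecoded)
  0x58, 0x5b, 0xc3,             # pop eax ; pop ebx ; ret
  0x90, 0x83, 0xc4, 0x08, 0xc3, # nop ; add esp, 8 ; ret
  0xc9, 0xc3                    # leave ; ret
].pack('C*')

if __FILE__ == $PROGRAM_NAME
  gadgets = find_gadgets(SAMPLE_IMAGE, base: BASE)
  gadgets.sort.each { |addr, text| printf("%08x  %s\n", addr, text) }
  printf("pop ebx gadget at %08x\n", pick_gadget(gadgets, 'pop ebx'))
end
```

Only the non-randomised, executable mappings are worth scanning, since a gadget address in a randomised module is useless without a leak; and before using a gadget, check its bytes against whatever characters the vulnerable input cannot carry.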

An approach to PDF shielding

Wed 01 September 2010 by guillaume

In a previous article we showed how one could delve into a document's internals to look for suspicious elements (like JavaScript scripts registered to run at the document opening). This method can give a good heuristic about whether a document is malicious or not.

However while many antivirus vendors ...


Hack in the Box - Amsterdam 2010

Tue 25 May 2010 by jj

Sogeti is a Platinum sponsor of the HITB Amsterdam conference.

We will be running the Metasm dojo there, and giving a presentation on a physical attack targeting Windows 7 64-bit.

Don't hesitate to drop by and say hello!


Is this PDF malicious?

Mon 06 July 2009 by alex

Scanning a PDF to check whether it is malicious or not is not that easy. We have previously seen surprising results (new tests will come later). Today, we would like to focus on analyzing a PDF, based on 2 scripts we added in the latest origami.

Scanning PDF: what for?

Every ...


(At least) 4 ways to die opening a PDF

Fri 26 June 2009 by fred

There are several ways to trigger events when a PDF is viewed: pushing a button, resizing the document, closing it, reaching a page, when the mouse passes over a zone, when an annotation is displayed/hidden, ... but the most interesting from an offensive point of view is when the document is ...
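The heuristic the "PDF shielding" and "Is this PDF malicious?" posts describe (look for suspicious elements such as JavaScript registered to run at document opening), and the open-time trigger this post is about, as one added example that is not origami's code nor from any of these posts: a deliberately naive Ruby scanner over a PDF constructed inline. It lists objects carrying action-related names and follows the catalog's /OpenAction to report whether JavaScript runs on open. It assumes plain-text objects (no object streams, filters or encryption) and no nested dictionary inside /OpenAction; real malicious documents break each of those, which is exactly why the posts rely on a real parser.

```ruby
# Added example (not origami's code, not from the original posts): a
# naive scanner for the heuristics discussed above. Assumptions: objects
# are uncompressed plain text, no object streams, no encryption, and the
# /OpenAction value is either an indirect reference or a flat dictionary.

SUSPICIOUS_NAMES = %w[/OpenAction /AA /JavaScript /JS /Launch /EmbeddedFile /RichMedia].freeze

# Object number => body text for every "N G obj ... endobj" in the file.
def parse_objects(pdf)
  objs = {}
  pdf.scan(/(\d+)\s+(\d+)\s+obj\b(.*?)endobj/m) { |num, _gen, body| objs[num.to_i] = body.strip }
  objs
end

# Follow an indirect reference ("4 0 R") to its object; direct values pass through.
def resolve(objs, value)
  value =~ /\A(\d+)\s+\d+\s+R\z/ ? objs[$1.to_i] : value
end

def catalog(objs)
  objs.values.find { |body| body =~ %r{/Type\s*/Catalog} }
end

# Returns human-readable findings; an empty list means nothing was flagged.
def scan_pdf(pdf)
  objs = parse_objects(pdf)
  findings = []
  objs.sort.each do |num, body|
    # (?![A-Za-z]) stops /JS from matching inside a longer name
    hits = SUSPICIOUS_NAMES.select { |n| body =~ /#{Regexp.escape(n)}(?![A-Za-z])/ }
    findings << "obj #{num}: #{hits.join(' ')}" unless hits.empty?
  end
  cat = catalog(objs)
  if cat && cat =~ %r{/OpenAction\s*(\d+\s+\d+\s+R|<<.*?>>)}m
    action = resolve(objs, $1).to_s
    if action =~ %r{/S\s*/JavaScript}
      # greedy match up to the ')' that closes the literal string
      js = action[%r{/JS\s*\((.*)\)\s*(?:/|>>)}m, 1]
      findings << "OpenAction runs JavaScript: #{js.inspect}"
    else
      findings << 'OpenAction present (non-JavaScript action)'
    end
  end
  findings
end

# Constructed sample: a one-page document whose catalog points its
# /OpenAction at a JavaScript action object.
SAMPLE_PDF = <<~'PDF'
%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /Type /Action /S /JavaScript /JS (app.alert("opened")) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
PDF

# Constructed sample: the same document with no action at all.
BENIGN_PDF = <<~'PDF'
%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
PDF

if __FILE__ == $PROGRAM_NAME
  { 'sample' => SAMPLE_PDF, 'benign' => BENIGN_PDF }.each do |name, pdf|
    puts "#{name}: #{scan_pdf(pdf).empty? ? 'nothing flagged' : scan_pdf(pdf).join(' | ')}"
  end
end
```

Note that a benign result from this scanner means nothing: an /OpenAction hidden in an object stream, a /JS held as a FlateDecode stream, or strings encrypted with the document's key all pass straight through the regexes. The point of the example is the structure of the check (names, then the open-time action chain), not the parser.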
