반응형
http://sandsprite.com/blogs/index.php?uid=7&pid=57

This is a free tool for the analysis of malicious PDF documents. It also has some features that can make it useful for pdf vulnerability development.

Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.

Javascript tools include integration with JS Beautifier for code formatting, the ability to run portions of the script live for live deobsfuscation, toolbox classes to handle extra canned functionality, as well as a pretty stable refactoring engine that will parse a script and replace all the screwy random function and variable names with logical sanitized versions for readability.

Tool also supports unescaping/formatting manipulated pdf headers, as well as being able to decode filter chains (multiple filters applied to the same stream object.)

Download: PDF Stream Dumper Setup 0.9.148 (includes full vb6 source)

Training videos for PDFStreamDumper: If you are looking for malicious pdf samples to analyze make sure to check out the Contagio and jsunpack sites.

International users: This new build should now work on systems with extended character set languages set as their default language. If you encounter errors please let me know.

Full feature list
  • supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
  • Integrated shellcode tools:
    • sclog gui (Shellcode Analysis tool I wrote at iDefense)
    • scTest gui libemu based Shellcode analysis tool
    • Shellcode_2_Exe functionality
    • Export unescaped bytes to file
  • supports filter chaining (ie multiple filters applied to same stream)
  • supports unescaping encoded pdf headers
  • scriptable interface to process multiple files and generate reports
  • view all pdf objects
  • view deflated streams
  • view stream details such as file offsets, header, etc
  • save raw and deflated data
  • search streams for strings
  • scan for functions which contain pdf exploits (dumb scan)
  • format javascript using js beautifier (see credits in readme)
  • view streams as hex dumps
  • zlib compress/decompress arbitrary files
  • replace/update pdf streams with your own data
  • basic javascript interface so you can run parts of embedded scripts
  • PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
  • Basic Javascript de-obsfuscator
  • can hide: header only streams, duplicate streams, selected streams
  • js ui also has access to a toolbox class to
    • simplify fragmented strings
    • read/write files
    • do hexdumps
    • do unicode safe unescapes
    • disassembler engine
Current Automation scripts include:
  • csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
  • pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
  • string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
  • unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
  • filter_chains.vbs - recursivly scans parent dir for pdfs that use multiple encoding filters on a stream.
  • obsfuscated_headers.vbs - recursivly scans parent dir for pdfs that have obsfuscated object headers
  • pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files

Current Plugins include:
  • Build_DB.dll
  • obj_browser.dll


Credits:
---------------------------
stream parser was written by VBboy136 - 12/9/2008
http://www.codeproject.com/KB/DLL/PDF2TXTVB.aspx

JS Beautify by Einar Lielmanis, _
conversion to Javascript code by Vital,
http://jsbeautifier.org/

zlib.dll by Jean-loup Gailly and Mark Adler
http://www.zlib.net/

CRC32 code by Steve McMahon
http://www.vbaccelerator.com/home/vb/code/libraries/CRC32/article.asp

iTextSharp code by Bruno Lowagie and Paulo Soares
http://itextpdf.com/terms-of-use/index.php

olly.dll GPL code Copyright (C) 2001 Oleh Yuschuk.
http://home.t-online.de/home/Ollydbg/

libemu and sctest.exe written by Paul Baecher and Markus Koetter 2007.
http://libemu.carnivore.it/about.html

sclog is a tool i wrote back at iDefense source here
http://labs.idefense.com/software/download/?downloadID=8

Interface by dzzie@yahoo.com
http://sandsprite.com

Other thanks to Didier Stevens for the info on his blog on tags and encodings.
http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways





















RSS Feed
About Me
Home

Posts:
random tip
PDF Video trainers
Exe as DLL
Olly Plugins
Strings on Stack
Debugging Explorer
Attach to hidden process
sclog update
Monster Graph display
JS Refactoring
Asm and Shellcode in CSharp
Fancy Return Address
Mem dump imports
Wingraph32 Replacement
PDF Stream Dumper
SWF Decompilation
IDC Dump Fix Patch
Malcode Call API by Hash
WinDbg Cheat Sheet
new tool - unlocreate
iDefense iDbg Debugger Library
new tool - Alloc/Free Logger
new tool - wininet hooks
GPG Automation
IDA Wingraph


Comments: (6)

On 08.20.10 - 2:16pm Dave wrote:
lotta noise searching for pdf decrypter source..here are some of the more interesting links:

On 08.21.10 - 4:43pm Dave wrote:
Reading the iText source is good info too, but its mammoth. Turns out if only the owner password is set, you can use iText to make a copy of the pages and transfer them into a new pdf so they are not encrypted anymore and then this can parse them again. Also I think the luckysploit pdf exploits use what may be a malformed pdf It is owner password encrypted, but has no password set. I could not create this condition in Acrobat pro 7.x anyway

On 09.13.10 - 6:02am Dave wrote:
Been digging, found source for some other decode filters to add in, waiting until they become required before i add them in though.

Also have some updates to sclog I have slated for development. Since sclog was designed when i was analyzing mostly network shellcode, it didnt have to worry about file format exploit shellcode designs.

Need to add another hook for GetiFileSize() to handle shellcode which scans the parent process for open file handles. They can do this to either locate stage 2 shellcode or extract executables.

Will also have to add a /fileHandle option so you can have sclog open a handle to a target file for this specific purpose. Small mod but just need to find the time/energy to do it.

On 09.18.10 - 1:02pm Dave wrote:
Another small update..I spent another saturday  weekend (of my vacation no less) coding and it now supports a bunch of other filters from iText in an external .NET dll. Also updated the pdf header unescaping, and it now supports filter chaining. phew that sucked!

On 09.25.10 - 4:44am dave wrote:
The Force Decrypt menu item can be used to send the pdf through the iTextSharp parser for standardization even if its not encrypted. I have had this work, and I have had this fail. Sometimes iTextSharp strips out all the exploit parts on the conversion so its a mixed bag..I think I am going to add in a couple more menu items to send the PDF through different C# PDF libs for standardization and to try to compensate for this.

DCTDecode and JPXDecode appear to be do nothing filters. At this point looks like they are talking about the actual image compression (like within the jog or whatever) iTextSharp just returns the raw stream bytes for these two cases anyway. So maybe only have CCTI and JBig2 to go still.

Just integrated in the libemu sctest Shellcode analysis tool, as well as shellcode 2 exe.

Now also supports automation scripts so you can use it to scan a directory of files and do stuff. If you have PDFBox installed, one of the scripts can be used to extract all the images and text (If the library didnt require 16mb I would just link to it directly but its some java .net frakenstein creation):

On 12.05.10 - 6:55am Dave wrote:
0.9.125 is out, bugfix release..had to do some fixups in sclog to clean up output and make sure hooks for UrlDownloadToFile were being installed correctly. Couple small usability additions were added to main exe as well.

New feature: If javascript is broken up across multiple streams, you can control select the streams and hit JS_UI menu item and it will grab them all and put them all into the JS ui together..also did a bunch of small bug fixes. Forcing all FlateDecode through zlib for now..noticable slower on some files, but the iText FlateDecode was causing unexpected crashs on long automation scripts.

반응형

'작업공간 > 기본적인 삽질 & 기록' 카테고리의 다른 글

Python tools for penetration testers  (0) 2011.01.10
Google Hacking  (0) 2010.12.22
Index of /re/unpacking  (0) 2010.12.18
pdf analy  (2) 2010.12.13
내가 쓰는 Firefox Add-On  (0) 2010.12.10

+ Recent posts