Comments on: PDF Stream Objects

By: Pino

Pino — Mon, 15 Nov 2010 14:50:20 +0000

Comment by Eric — Monday 12 April 2010 @ 18:47

Hello Eric. It is a stack based language, so the parameters are in front of the function,

Tf specifies the font-face and the font-size. /F12 1 Tf is font 12 and size 1.

Tj outputs a string. (03)Tj outputs the ascii code 03

TJ outputs multiple strings, which can be positioned. [(abc)110(xyz)1000(bbb)]TJ -> abc xyz bbb

Tm set the text matrix.

There are a dozen operators, which sometimes do the same as a combination of other operators.

As you see it is not so easy to extract information from a pdf. You need the pdf reference.

I don’t think this will be a problem in most pdf-readers. Most of them have maximum sizes set on decoded streams.

By: Rubin

Rubin — Sat, 21 Aug 2010 14:06:37 +0000

i’m new about PDF and i’ve some problem with FlateDecode on PHP. I take the bytes of the stream, between “stream” and “endstream” escaping initial and final Carriage Return and Line Feed. Then i use the gzinflate function but it doesn’t work every time.

It works only in one case: i note that every stream begin with two characters, then i eliminate them from the stream and so it works. i think it’s not normal!

Thanks for your help

By: Malware Diaries » Blog Archive » Malicious PDF stream objects will be the norm

Wed, 30 Jun 2010 17:28:56 +0000

[...] Stevens defines a PDF stream object as a sequence of bytes (link here). Stream objects can contain data (for example an image) or [...]

By: Didier Stevens

Didier Stevens — Mon, 07 Jun 2010 07:59:15 +0000

@shivan The stream is the sequence of bytes between the stream and enstream keywords.

By: shivan

shivan — Mon, 07 Jun 2010 05:23:38 +0000

how to count the length of a stream or how to rip the bytes of a stream please.

By: Eric

Eric — Mon, 12 Apr 2010 18:47:48 +0000

Sorry , re-type content again.
BT
/F0 27 Tf.
1 0 0 1 60 585.602 Tm.
(＼0003)Tj.　　　　　　　　　　　　　　　　
1 0 0 1 78.171 585.602 Tm.
(＼000W＼000C＼000T)Tj.
1 0 0 1 114.891 585.602 Tm.
(＼000V＼000＼＼)Tj.
1 0 0 1 141.486 585.602 Tm.
(＼000＼024＼000&)Tj.

By: Eric

Eric — Mon, 12 Apr 2010 18:43:28 +0000

Hi, Thanks for your introduction about the pdf text object.
I am trying to decode a pdf file but have a little question about the decoding method, could you give me some instruction to decode these word?

The result I got from pdf file is:

BT
/F0 27 Tf.
1 0 0 1 60 585.602 Tm.
(003)Tj.
1 0 0 1 78.171 585.602 Tm.
(00W00C00T)Tj.
1 0 0 1 114.891 585.602 Tm.
(00V00\\)Tj.
1 0 0 1 141.486 585.602 Tm.
(002400&)Tj.

—————————————
the decode method is FlateDecode
According to the document, these word should be “Quartz 2D”.
But I don’t know how to translate something like (00W00C00T) to the final result.
Could you give me some instruction about how to translate these code?

Thank you~~

By: PDF Bomb | 4x PDF Blog

PDF Bomb | 4x PDF Blog — Mon, 01 Mar 2010 23:44:54 +0000

[...] security professional Didier Stevens has highlighted a potential exploit in PDF Stream Objects which could be used to cause a PDF file to balloon in size, prompting Computerworld to label it the [...]

By: Didier Stevens

Didier Stevens — Thu, 05 Nov 2009 16:53:29 +0000

Take a look at the PDF Reference document http://www.adobe.com/devnet/pdf/pdf_reference.html
And for flatedecode, research zlib compression.

By: khushi

khushi — Thu, 05 Nov 2009 08:05:05 +0000

what is the way to understand the text encoded…can v write the text in its normal form…?bt i want to u’stand flatedecode filter in depth…how to canvert the characters in normal form…?and how are the offsets managed…i want to understand the internal structure of a pdf document in depth..any sites..??