The command “PDFiD -d document.pdf” will analyze the PDF document and generate a disarmed version called document.disarmed.pdf.
This substitution trick will not work if the actions and scripts are hidden in object streams (/ObjStm) and could render a document unreadable if encryption is used.
Black Hat Europe 2009 has been over for more than a week now, and my laptop has undergone yet another lobotomy.
My training by Saumil Shah was excellent! Highly recommended if you want to learn exploit development without reversing.
I didn’t attend a lot of briefings; the subjects were less interesting to me than in past years. But I did a lot of networking and met many interesting people. I had lunch with Moxie Marlinspike, the author of SSLStrip. He has interesting viewpoints: did you know he started to develop SSLStrip in 2002? It’s only because he was done experimenting with it that he decided to disclose! And we share a common interest in CRASS.
Thanks to everybody I met at BH; the networking was excellent! I estimate I distributed 50 of my PDF stickers ;-) . You gave me a lot of ideas that will require even more time to develop. Like past years, I got a new stego idea, but this time I’m reserving it for Brucon’s hacker challenge. You’ll have to wait for October for the disclosure.
This was the last Black Hat Europe in Amsterdam; the next edition will be in Barcelona (Ero’s town). Did you know that regular security bloggers can get press access?
This year was also the first time I had a 2D-barcode on my badge:
The above picture doesn’t actually show my real barcode, but one I made for this post. My real barcode contains my business coordinates. A hint if you want to find out what’s on this one: it’s a PDF417 barcode (this PDF stands for Portable Data File, not Portable Document Format).
I know my posts here are rather emotionless, and that’s how I prefer them for this blog.
But this time, I’m very proud and I’m not hiding it: my PDFiD tool is now running on VirusTotal!
Thanks for your work Julio!
PDFiD will give you statistics of some very basic elements of the PDF language. This helps you decide if a PDF could be malicious or not.
Miles Wolbe was looking for some strings in a Dell BIOS update; it took him some time to figure out they were ROT-1 encoded.
I updated my XORSearch tool to support ROT encoding.
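As an added example of what a ROT search over a binary does (written for this post, not XORSearch’s own code), the script below rotates only ASCII letters, tries every shift from 0 to 25, and reports the shifts and offsets at which a search string appears; a second function lists printable strings under a given shift, which is the quick way to see whether an obfuscated blob is readable text. The BIOS-update-like text is constructed for the example; the reported shift is the one that decodes the data, so text that was advanced by one letter is found at shift 25 (that is, -1 mod 26).

```python
import re
import string

LOWER = string.ascii_lowercase.encode()
UPPER = string.ascii_uppercase.encode()
PRINTABLE_RUN = re.compile(rb'[\x20-\x7e]{4,}')


def rot(data, n):
    """Rotate ASCII letters by n positions (ROT-13 is n=13); all other bytes are untouched."""
    n %= 26
    table = bytes.maketrans(LOWER + UPPER,
                            LOWER[n:] + LOWER[:n] + UPPER[n:] + UPPER[:n])
    return data.translate(table)


def rot_search(data, needle):
    """Return [(shift, offset), ...] for every shift under which needle appears.

    Shift 0 is included so plain occurrences are reported alongside encoded ones.
    """
    hits = []
    for n in range(26):
        decoded = rot(data, n)
        pos = decoded.find(needle)
        while pos != -1:
            hits.append((n, pos))
            pos = decoded.find(needle, pos + 1)
    return hits


def rot_strings(data, n, minlen=4):
    """Printable runs (like the 'strings' tool) after decoding with shift n."""
    return [s for s in PRINTABLE_RUN.findall(rot(data, n)) if len(s) >= minlen]


# Constructed sample: a firmware-style message advanced by one letter, embedded
# between non-printable bytes and followed by some unencoded text.
PLAIN = b'Flash utility: update BIOS image'
ENCODED = rot(PLAIN, 1)               # b'Gmbti vujmjuz: vqebuf CJPT jnbhf'
SAMPLE = b'\x00\x10' + ENCODED + b'\x00\xff' + b'plain text too'

if __name__ == '__main__':
    for shift, offset in rot_search(SAMPLE, b'BIOS'):
        print(f'shift {shift:2} offset {offset}')
        for s in rot_strings(SAMPLE, shift):
            print('   ', s.decode())
```

Searching for BIOS reports shift 25 at offset 24, and listing the strings under that shift turns the blob back into the readable message; the trailing plain text is mangled under the same shift, which is the usual sign that only part of a file was encoded.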