Didier Stevens

Wednesday 13 January 2010

Quickpost: New Versions of PDFiD and pdf-parser

Filed under: My Software,PDF,Quickpost — Didier Stevens @ 21:54

A new version of PDFiD (V0.0.10): to deal with PDF samples trying to evade detection by preceding the header with some random bytes, I use less stringent conditions to identify a PDF file. If PDFiD finds keyword %PDF in the first 1024 bytes of a file, it assumes it’s a PDF file and starts analyzing it.

A new version of pdf-parser (v0.3.7):

  • added support for filters /LZWDecode and /RunLengthDecode
  • added a –dump option to extract the unfiltered data of a stream object (useful when the data is not actually compressed, but a payload)
  • testing the Python version before execution

Both can be downloaded on the PDF Tools page.

Quickpost info

1 Comment »

  1. […] 1024 bytes of the document). As this trick is likely to be taken over by malware authors, I updated PDFiD to support […]

    Pingback by Quickpost: PDF Header !PS-Adobe-N.n PDF-M.m « Didier Stevens — Thursday 21 January 2010 @ 11:21

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.