Didier Stevens

Tuesday 18 May 2010

Quickpost: More Malformed PDFs

Filed under: Malware,PDF,Quickpost — Didier Stevens @ 12:05

Here’s a heads up for some malicious PDF samples that are deliberately malformed to avoid detection.

The most important case is the missing endobj keyword:

Adobe Reader will happily parse a PDF where the objects are not terminated with endobj, but my pdf-parser won't. I'll have to update the parser to deal with this case.

The cross-reference table can also be omitted:

This is not an issue for my parser.

And then I also received a sample with a stream object where the case of the endstream keyword was wrong: Endstream. At first we assumed Adobe Reader was simply not case-sensitive for the endstream keyword, but I found out that it can actually parse a stream object with a missing endstream keyword:

This is an issue for my parser.
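As an added example (this is not the pdf-parser tool from the post, nor code by its author), here is a small Python scanner that tolerates the three malformations described above: a missing endobj, a missing cross-reference table, and an endstream keyword that is miscased or absent. The PDF bytes are constructed for this example and are not one of the samples mentioned in the post. Adobe Reader's exact recovery rules are not documented on the page; the fallback order used here (trust a direct /Length, otherwise scan for endstream in any case, otherwise stop at the next object header or trailer) is this example's own choice.

```python
import re

# Constructed sample for this example (not one of the samples from the post):
# no xref table, object 1 has no endobj, object 3 closes its stream with
# "Endstream" (wrong case), object 4 has no endstream at all.
MALFORMED_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Length 12 >>\nstream\nHello world!\nEndstream\nendobj\n"
    b"4 0 obj\n<< /Length 5 >>\nstream\nabcde\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")
# Anything that may legitimately follow an object body; when endobj is
# missing, the next of these is taken as the end of the object.
BOUNDARY_RE = re.compile(rb"endobj\b|\d+\s+\d+\s+obj\b|trailer\b|startxref\b|xref\b|%%EOF")
STREAM_RE = re.compile(rb"(?<![Ee]nd)stream\r?\n")          # the opening keyword only
ENDSTREAM_RE = re.compile(rb"endstream\b", re.IGNORECASE)   # also matches "Endstream"
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)") # direct integer, not "n g R"


def read_stream(data, dict_part, start, label, anomalies):
    """Return (stream bytes, offset just past the stream's terminator)."""
    lm = LENGTH_RE.search(dict_part)
    if lm:
        # A direct /Length lets us take the data even when endstream is
        # absent, which is what the missing-endstream sample relies on.
        n = int(lm.group(1))
        em = ENDSTREAM_RE.search(data, start + n)
        if em and data[start + n:em.start()].strip() == b"":
            if em.group() != b"endstream":
                anomalies.append("%s: endstream keyword has wrong case: %s" % (label, em.group().decode()))
            return data[start:start + n], em.end()
        anomalies.append(label + ": missing endstream")
        return data[start:start + n], start + n
    # No direct /Length: fall back to scanning for endstream (any case) and,
    # failing that, to the next object boundary.
    em = ENDSTREAM_RE.search(data, start)
    bm = BOUNDARY_RE.search(data, start)
    stops = [x.start() for x in (em, bm) if x]
    stop = min(stops) if stops else len(data)
    if em and em.start() == stop:
        if em.group() != b"endstream":
            anomalies.append("%s: endstream keyword has wrong case: %s" % (label, em.group().decode()))
        return data[start:stop].rstrip(b"\r\n"), em.end()
    anomalies.append(label + ": missing endstream and no direct /Length; cut at next boundary")
    return data[start:stop].rstrip(b"\r\n"), stop


def parse_objects(data):
    """Scan a PDF for 'n g obj' headers and return (objects, anomalies)."""
    objects, anomalies = [], []
    if not re.search(rb"(?m)^xref\b", data):
        anomalies.append("no cross-reference table (objects located by scanning)")
    cursor = 0
    for m in OBJ_RE.finditer(data):
        if m.start() < cursor:        # header-like text that sat inside a stream
            continue
        num, gen = int(m.group(1)), int(m.group(2))
        label = "obj %d %d" % (num, gen)
        pos = m.end()
        boundary = BOUNDARY_RE.search(data, pos)
        end = boundary.start() if boundary else len(data)
        stream, dict_end = None, end
        skw = STREAM_RE.search(data, pos, end)
        if skw:
            dict_end = skw.start()
            stream, stream_end = read_stream(data, data[pos:dict_end], skw.end(), label, anomalies)
            # Re-locate the object end after the stream so that object
            # headers or endobj inside the stream data are not mistaken for it.
            boundary = BOUNDARY_RE.search(data, stream_end)
            end = boundary.start() if boundary else len(data)
        if boundary is None or not boundary.group().startswith(b"endobj"):
            anomalies.append(label + ": missing endobj")
        objects.append({"num": num, "gen": gen, "dict": data[pos:dict_end].strip(), "stream": stream})
        cursor = boundary.end() if boundary and boundary.group().startswith(b"endobj") else end
    return objects, anomalies


if __name__ == "__main__":
    objs, anomalies = parse_objects(MALFORMED_PDF)
    for o in objs:
        print("obj %d %d: %r stream=%r" % (o["num"], o["gen"], o["dict"], o["stream"]))
    for a in anomalies:
        print("anomaly:", a)
```

Run on the constructed sample, the scanner still recovers all four objects and both stream bodies, and reports each deviation separately (missing xref, missing endobj on object 1, miscased endstream on object 3, missing endstream on object 4). Reporting the anomalies rather than silently accepting them is the useful part for triage: a PDF that Reader opens fine but that needs three recovery fallbacks is itself a signal.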

Tuesday 4 May 2010

Writing WIN32 Shellcode With a C-compiler

Filed under: My Software,Shellcode — Didier Stevens @ 10:17

I wrote an article for Hakin9 magazine on how to write shellcode with a C-compiler.

People before me have worked out methods to do this; the advantage of my method is that you can debug your shellcode inside the Visual Studio IDE.

The template can be found here.

Blog at WordPress.com.
