Didier Stevens

Tuesday 18 May 2010

Quickpost: More Malformed PDFs

Filed under: Malware,PDF,Quickpost — Didier Stevens @ 12:05

Here’s a heads up for some malicious PDF samples that are deliberately malformed to avoid detection.

The most important case is the missing endobj keyword:

Adobe Reader will happily parse a PDF where the object are not terminated with endobj, but my pdf-parser won’t. I’ll have to update the parser to deal with this case.

The cross-reference table can also be omitted:

This is not an issue for my parser.

And then I also received a sample with a stream object, where the case of the endstream object was wrong: Endstream. First we assumed Adobe Reader was not case-sensitive for the endstream keyword, but I found out it can actually parse a stream object with missing endstream keyword:

This is an issue for my parser.

Tuesday 4 May 2010

Writing WIN32 Shellcode With a C-compiler

Filed under: My Software,Shellcode — Didier Stevens @ 10:17

I wrote an article in Hakin9 magazine how to write shellcode with a C-compiler.

People before me have worked out methods to do this; the advantage of my method is that you can debug your shellcode inside the Visual Studio IDE.

The template can be found here.

Blog at WordPress.com.