Didier Stevens

Monday 24 June 2013


Filed under: Hacking,My Software,Shellcode — Didier Stevens @ 4:00

This update adds x64 shellcode support to my shellcode2vbs.py script.

shellcode2vba_v0_3.zip (https)
MD5: 44AF2685975346F9DE09E48E7FB855CE
SHA256: 04C42FA26717CCC7BC17A7BEDA02C746CA1A8BC8C6CE184670CD686796B5FF10

Monday 10 June 2013

PDFiD: False Positives

Filed under: My Software,PDF — Didier Stevens @ 8:48

I’m giving a 2-day training on PDF at Brucon 2013. Early-bird price applies til June 15th.

Sometimes PDFiD will give you false positives for /JS and /AA. This happens with files of a couple of MBs or bigger, because it’s statistically very likely that /AA or /JS (only three bytes long) appear inside a stream. And since PDFiD, contrary to pdf-parser, has no notion of pdf objects and streams, it can produce false positives, like this:

PDFiD 0.1.2 CCNPSecurityFIREWALL642617OfficialCertGuide.pdf
 PDF Header: %PDF-1.6
 obj                 6018
 endobj              6017
 stream              1897
 endstream           1897
 xref                   1
 trailer                1
 startxref              1
 /Page                773
 /Encrypt               1
 /ObjStm                0
 /JS                    3
 /JavaScript            0
 /AA                    1
 /OpenAction            0
 /AcroForm              0
 /JBIG2Decode           0
 /RichMedia             0
 /Launch                0
 /EmbeddedFile          0
 /XFA                   0
 /Colors > 2^24         0

And when you search for /AA or /JS with pdf-parser, you will not find objects that have /AA or /JS in their dictionary:

pdf-parser.py -s /AA CCNPSecurityFIREWALL642617OfficialCertGuide.pdf

Up til now, I advised users suspecting false positives, to search the PDF document with a hex editor and see if they found /AA or /JS inside a stream. But now, with the latest version of pdf-parser supporting searching inside a stream, you can do it like this:

pdf-parser.py --searchstream /AA --unfiltered CCNPSecurityFIREWALL642617OfficialCertGuide.pdf
obj 1848 0
 Type: /XObject
 Referencing: 38 0 R
 Contains stream

     /Length 121194
     /Filter /DCTDecode
     /Width 800
     /Height 600
     /BitsPerComponent 8
     /ColorSpace 38 0 R
     /Intent /RelativeColorimetric
     /Type /XObject
     /Subtype /Image

Blog at WordPress.com.