Didier Stevens

Monday 20 October 2014

Update: PDFiD With Plugins Part 1

Filed under: My Software,PDF,Update — Didier Stevens @ 8:51

Almost from the beginning, when I released PDFiD, people asked me for an anti-virus-like feature: that PDFiD would tell you whether a PDF is malicious or not. Some people even patched PDFiD with a scoring feature.

But I didn’t want to develop an “anti-virus” for PDFs; PDFiD is a triage tool.

Now you can develop your own scoring system with plugins.

Plugins are loaded with option -p.

I provide 3 plugins: plugin_triage.py, plugin_nameobfuscation.py and plugin_embeddedfile.py. You can run more than one plugin by separating their names with a comma: pdfid.py -p plugin_triage,plugin_embeddedfile js.pdf

Or you can use an @-file: a text file with the names of the plugins you want to run.

To output the result as a CSV file, use option -c, and to write the output to a file, use option -o. With option -m, you can provide a minimum score a plugin has to produce for its output to be displayed.

Plugins are Python classes; I’ll explain how to make your own in a later post.

plugin_triage.py produces a score of 1.0 when the PDF requires further analysis, and 0.0 if not.

plugin_nameobfuscation.py produces a score of 1.0 when name obfuscation is used in the PDF.

plugin_embeddedfile.py produces a score of 0.9 when an embedded file is present, and 1.0 when name obfuscation is also used.
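As an added example (not PDFiD’s own code, and not its plugin API, which this post does not show), the following plain-Python script reconstructs the three scoring rules above on top of a minimal keyword counter, so the interplay of -p (which plugins run) and -m (minimum score to display) can be seen offline. The keyword list, the decision that triage scores 1.0 on any listed keyword, and the reading that “name obfuscation is also used” means anywhere in the file are assumptions; the sample PDFs are constructed fragments, not real malicious documents.

```python
import re

# Keywords that make the triage score 1.0 in this example.
# Assumption: the post says only that plugin_triage.py scores 1.0 when the PDF
# "requires further analysis"; this list is modelled on the active-content
# keywords PDFiD reports and is not the plugin's own criteria.
TRIAGE_KEYWORDS = ('/JS', '/JavaScript', '/AA', '/OpenAction', '/AcroForm',
                   '/JBIG2Decode', '/RichMedia', '/Launch', '/EmbeddedFile', '/XFA')

# A PDF name token: '/' followed by regular characters; '#' starts a 2-hex-digit
# escape (PDF 1.2+), which is what "name obfuscation" exploits: /J#53 is /JS.
NAME_RE = re.compile(rb'/([A-Za-z0-9#_.\-]+)')
HEX_ESCAPE_RE = re.compile(rb'#([0-9A-Fa-f]{2})')


def decode_name(raw):
    """Resolve #xx escapes in a raw name body. Returns (name, obfuscated)."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return b'/' + decoded, decoded != raw


def count_keywords(data):
    """Count each keyword in TRIAGE_KEYWORDS as (total, obfuscated) occurrences.
    Plain byte scan, no decompression: names inside compressed streams are not seen,
    which is the same limitation a byte-level triage tool has."""
    counts = {k: [0, 0] for k in TRIAGE_KEYWORDS}
    for m in NAME_RE.finditer(data):
        name, obfuscated = decode_name(m.group(1))
        key = name.decode('latin-1')
        if key in counts:
            counts[key][0] += 1
            counts[key][1] += 1 if obfuscated else 0
    return {k: tuple(v) for k, v in counts.items()}


def score_triage(counts):
    """1.0 when any keyword of interest is present, else 0.0 (assumed rule)."""
    return 1.0 if any(total > 0 for total, _ in counts.values()) else 0.0


def score_name_obfuscation(counts):
    """1.0 when any counted keyword was written with #xx escapes, else 0.0."""
    return 1.0 if any(obf > 0 for _, obf in counts.values()) else 0.0


def score_embedded_file(counts):
    """0.9 when /EmbeddedFile is present, 1.0 when name obfuscation is also used
    (anywhere in the file: this example's reading of the rule), else 0.0."""
    if counts['/EmbeddedFile'][0] == 0:
        return 0.0
    return 1.0 if score_name_obfuscation(counts) == 1.0 else 0.9


# Hypothetical stand-ins for the three plugin names used with -p.
PLUGINS = {
    'plugin_triage': score_triage,
    'plugin_nameobfuscation': score_name_obfuscation,
    'plugin_embeddedfile': score_embedded_file,
}


def run_plugins(data, names, minimum=0.0):
    """Run the named plugins and keep results scoring at least `minimum`,
    mirroring -p and -m on the command line. Returns [(plugin name, score)]."""
    counts = count_keywords(data)
    results = [(n, PLUGINS[n](counts)) for n in names]
    return [(n, s) for n, s in results if s >= minimum]


# Constructed samples (minimal PDF fragments, not real malware).
BENIGN = b'%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n'
WITH_JS = (b'%PDF-1.4\n1 0 obj\n<< /Type /Catalog '
           b'/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n')
PLAIN_EMBEDDED = (b'%PDF-1.4\n3 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\n'
                  b'stream\nendstream\nendobj\n')
OBFUSCATED_EMBEDDED = (b'%PDF-1.4\n3 0 obj\n<< /Type /Embedded#46ile /Length 0 >>\n'
                       b'stream\nendstream\nendobj\n')

if __name__ == '__main__':
    for label, sample in (('benign', BENIGN), ('js', WITH_JS),
                          ('embedded', PLAIN_EMBEDDED), ('obfuscated', OBFUSCATED_EMBEDDED)):
        print(label, run_plugins(sample, PLUGINS, minimum=0.5))
```

Run it and the benign fragment produces no output at minimum 0.5, the JavaScript fragment only triggers triage, the plain embedded file scores 0.9 and the /Embedded#46ile variant 1.0 on both the embedded-file and name-obfuscation rules. Note that a name can also be hidden by escaping a character that does not change the keyword PDFiD looks for, so the obfuscated count is a signal on its own regardless of which name was touched.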

pdfid_v0_2_1.zip (https)
MD5: 7463412536678B321276F8720F52DE81
SHA256: F1B4728DD2CE455B863B930E12C6DEC952CB95C0BB3D6924136A6E49ACA877C2

2 Comments »

  1. It seems that multiple plugins at the same time aren’t working.

    Error instantiating plugin: EmbeddedFile plugin
    Traceback (most recent call last):
    File "S:\PDF_Forensic_Tools\pdfid_v0_2_6\pdfid.py", line 1064, in
    Main()
    File "S:\PDF_Forensic_Tools\pdfid_v0_2_6\pdfid.py", line 1061, in Main
    PDFiDMain(filenames, options)
    File "S:\PDF_Forensic_Tools\pdfid_v0_2_6\pdfid.py", line 1012, in PDFiDMain
    ProcessFile(filename, options, plugins)
    File "S:\PDF_Forensic_Tools\pdfid_v0_2_6\pdfid.py", line 771, in ProcessFile
    raise e
    TypeError: __init__() takes exactly 2 arguments (3 given)

    Comment by Anonymous — Friday 20 December 2019 @ 16:57

  2. Can you provide the exact command?

    Comment by Didier Stevens — Friday 20 December 2019 @ 17:05
