Didier Stevens

Sunday 12 February 2023

Update: pdf-parser.py Version 0.7.8

Filed under: My Software,Update — Didier Stevens @ 12:15

A small feature update for pdf-parser.py: statistics now include unreferenced objects.

pdf-parser_V0_7_8.zip (http)
MD5: 7BBEA9497666397CBBB88B012A710210
SHA256: FE393865861E00B48124B99CD5AEBBB5A632F1FBD883F4E4044DF8C8FA75BE9D

Thursday 10 November 2022

Update: pdf-parser.py Version 0.7.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This is a small update: you can now select which hash algorithm to use for option -H by setting environment variable DSS_DEFAULT_HASH_ALGORITHMS.

And the statistics option (-a) also displays a list of objects with streams.

pdf-parser_V0_7_7.zip (http)
MD5: BCAE193F171184F979603DFB1380FF43
SHA256: 576C429FA88CF0A7A110DAB25851D90670C88EC4CD7728329E754E06D8D26A70

Monday 27 June 2022

Quickpost: Cracking PDF Owner Passwords

Filed under: Encryption,PDF — Didier Stevens @ 0:00

I added code to John the Ripper to crack PDF owner passwords (JtR cracks PDF user passwords only).

Source code can be found here.

Compiled Windows (Cygwin) and Linux (Ubuntu) executables can be found here.

This change introduces a new format: $pdfo$.

There is no tool for the moment to create this format. Just use pdf2john.pl to create a $pdf$ hash, and then change it into a $pdfo$ hash. To crack the owner password, one needs to recover the user password first.

This is the illustrated process:

There will be a PR for this change.

Cracking PDF owner passwords is just an academic exercise (writing this code was also just an exercise), as tools like QPDF can decrypt PDFs encrypted with a PDF owner password only without requiring the cleartext PDF owner password as argument.



Thursday 26 May 2022

Update: pdf-parser.py Version 0.7.6

Filed under: My Software,Update — Didier Stevens @ 9:56

This new version of pdf-parser fixes a couple of bugs and has a workaround for non-compliant PDFs.

pdf-parser_V0_7_6.zip (http)
MD5: 3B6F837AF147422B1256596BCA69D737
SHA256: 34379A9987B2286706AF4C43AC72C93611AE3E9C0C571DD729EBB09C7A707A0D

Friday 20 August 2021

Update: pdf-parser.py Version 0.7.5

Filed under: My Software,PDF,Uncategorized,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdf-parser_V0_7_5.zip (https)
MD5: D39E98981E6FEA48BF61CA2F78ED0B09
SHA256: 5D970AFAC501A71D4FDDEECBD63060062226BF1D587A6A74702DDA79B5C2D3FB

Update: pdfid.py Version 0.2.8

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdfid_v0_2_8.zip (https)
MD5: 9DDE1D9010D860303B03F3317DAF07B4
SHA256: 0D0AA12592FA29BC5E7A9C3CFA0AAEBB711CEF373A0AE0AD523723C64C9D02B4

Sunday 31 January 2021

New Tool: pdftool.py

Filed under: My Software,PDF — Didier Stevens @ 0:00

pdftool.py is a new tool I developed. This version has only one command: iu (incremental updates).

With this command, one can check if a PDF has incremental updates, and then select different versions of this PDF with incremental updates.

A PDF with incremental updates is a PDF that has been modified by appending changes to the document at the end of the PDF file, without modifying the original content.

Here is a video explaining incremental updates and the use of my tool.

I reference 2 blog posts in the video: “Solving a Little PDF Puzzle” and “Shoulder Surfing a Malicious PDF Author”.
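The following is an added example, not code from pdftool.py or from the original post: a simplified Python illustration of how appended revisions can be located and carved out of a file, as described above. The function names and the two-revision sample PDF are constructed for the illustration, and only classic xref tables (not xref streams) are handled.

```python
import re

# One match per revision: the original body and every appended update
# each end with "startxref <offset> %%EOF".
EOF_RE = re.compile(rb"startxref\s+(\d+)\s+%%EOF[ \t]*(?:\r\n|\r|\n)?")
PREV_RE = re.compile(rb"/Prev\s+(\d+)")

def build_revision(base, objects, size, prev=None):
    """Constructed sample data: append objects, xref table and trailer to base."""
    out = bytearray(base)
    xref = b"xref\n" + (b"" if prev is not None else b"0 1\n0000000000 65535 f \n")
    for num, body in objects.items():
        xref += b"%d 1\n%010d 00000 n \n" % (num, len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    start = len(out)  # offset of this revision's xref table
    prev_entry = b"" if prev is None else b" /Prev %d" % prev
    out += xref + b"trailer\n<< /Size %d /Root 1 0 R%s >>\n" % (size, prev_entry)
    out += b"startxref\n%d\n%%%%EOF\n" % start
    return bytes(out), start

def list_versions(data):
    """Describe each revision: end offset, xref offset, /Prev link of its trailer."""
    versions, begin = [], 0
    for m in EOF_RE.finditer(data):
        seg = data[begin:m.start()]
        t = seg.rfind(b"trailer")  # only trust /Prev inside the trailer dictionary
        prev = PREV_RE.search(seg, t) if t >= 0 else None
        versions.append({"end": m.end(), "startxref": int(m.group(1)),
                         "prev": int(prev.group(1)) if prev else None})
        begin = m.end()
    return versions

def carve_version(data, versions, n):
    """Revision n (1-based) is the file truncated right after its %%EOF marker."""
    return data[:versions[n - 1]["end"]]

# Constructed sample: an original revision, then an update that replaces object 3.
V1, XREF1 = build_revision(b"%PDF-1.4\n", {
    1: b"<< /Type /Catalog /Pages 2 0 R >>",
    2: b"<< /Type /Pages /Kids [] /Count 0 >>",
    3: b"(original note)"}, size=4)
V2, XREF2 = build_revision(V1, {3: b"(edited note)"}, size=4, prev=XREF1)

if __name__ == "__main__":
    for i, v in enumerate(list_versions(V2), 1):
        print(i, v)
```

Requiring `startxref` in front of `%%EOF` avoids counting marker strings that merely occur inside object data, although an uncompressed stream can still contain the full sequence, so the count is a heuristic.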

pdftool_V0_0_1.zip (https)
MD5: ED2BBE886008C737CC06E22F4F0FE8A1
SHA256: 401E88FBFAEC4382A50FE59430D04FE6111F9911958AB09BA7530C26043FDA87

Sunday 29 December 2019

Update: pdf-parser.py Version 0.7.4 and pdfid.py Version 0.2.7

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bug fix version.

pdf-parser_V0_7_4.zip (https)
MD5: 51C6925243B91931E7FCC1E39A7209CF
SHA256: FC318841952190D51EB70DAFB0666D7D19652C8839829CC0C3871BBF7E155B6A

pdfid_v0_2_7.zip (https)
MD5: F1852F238386681C2DC40752669B455B
SHA256: FE2B59FE458ECBC1F91A40095FB1536E036BDD4B7B480907AC4E387D9ADB6E60

Monday 30 September 2019

Update Of My PDF Tools

Filed under: maldoc,Malware,My Software,PDF,Update — Didier Stevens @ 19:16

This is an update of my PDF tools.

There are a couple of bug fixes for pdf-parser and pdfid.

And 2 new features in pdf-parser, inspired by a private training on maldoc analysis I gave last week. I often get good ideas from my students, and sometimes, even I get a good idea in class 🙂 .

Option -o can now be used to select multiple objects: separate the indices by a comma.

There’s a new environment variable, PDFPARSER_OPTIONS, that can be used to provide extra options you want to include with each execution of pdf-parser.py. This is useful for option -O, an option to parse stream objects.

It’s actually best to always parse stream objects, i.e. always use option -O. But I decided not to make this an option that is on by default, so that the behavior of pdf-parser would remain unchanged. I consider this important for the many people that rely on a predictable behavior of pdf-parser, like teachers and students of infosec trainings where my tools are used/mentioned.

However, always including option -O is tedious and error prone. So now you can have best of both worlds, by defining an environment variable with name PDFPARSER_OPTIONS and value -O.

And finally, I started to add a man page (option -m), like I do with many of my other tools. This is a work in progress: for the moment, it points to my free PDF analysis e-book that explains the use of pdfid and pdf-parser.

pdf-parser_V0_7_3.zip (https)
MD5: 7EB1713631D255B36BC698CD2422C7EB
SHA256: D4D5AC9C26A9D8FEF65CE58A769D3F64A737860DC26606068CCDD3F04FDEA0D7

pdfid_v0_2_6.zip (https)
MD5: 9CCE332914A6C76410F04B7C35DA3155
SHA256: 95F7C91EEFB561F3F3BE9809ED339D85E7109BAA7E128EF056651EE018DBDBA0

Tuesday 6 August 2019

Update: pdf-parser.py Version 0.7.2

Filed under: My Software,PDF,Update — Didier Stevens @ 0:00

This is a bugfix version.

pdf-parser_V0_7_2.zip (https)
MD5: 7D417F2313FF505AC96B80D80495BB78
SHA256: 3CDB98A57DAABC98382BFA361390AE3637F96852F6F078D03A7922766AE14B57
