PDF안에 악의적인 코드가 있는지 분석하는 툴입니다.
자세한 내용은 아래와 같습니다. :D
-----------------------------------------------------------------
This is a free tool for the analysis of malicious PDF documents. It also has some features that can make it useful for pdf vulnerability development.
Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.
Javascript tools include integration with JS Beautifier for code formatting, the ability to run portions of the script live for live deobsfuscation, toolbox classes to handle extra canned functionality, as well as a pretty stable refactoring engine that will parse a script and replace all the screwy random function and variable names with logical sanitized versions for readability.
Tool also supports unescaping/formatting manipulated pdf headers, as well as being able to decode filter chains (multiple filters applied to the same stream object.)
Download: PDF Stream Dumper Setup 0.9.259 (includes full vb6 source)
Note: I have removed the sample shellcodes because they were giving people AV warnings.
Training videos for PDFStreamDumper:
If you are looking for malicious pdf samples to analyze make sure to check out the
Contagio and
jsunpack sites.
International users: This new build should now work on systems with extended character set languages set as their default language. If you encounter errors please let me know.
Full feature list
- supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
- Integrated shellcode tools:
- sclog gui (Shellcode Analysis tool I wrote at iDefense)
- scdbg libemu based Shellcode analysis tool
- Shellcode_2_Exe functionality
- Export unescaped bytes to file
- supports filter chaining (ie multiple filters applied to same stream)
- supports unescaping encoded pdf headers
- scriptable interface to process multiple files and generate reports
- view all pdf objects
- view deflated streams
- view stream details such as file offsets, header, etc
- save raw and deflated data
- search streams for strings
- scan for functions which contain pdf exploits (dumb scan)
- format javascript using js beautifier (see credits in readme)
- view streams as hex dumps
- zlib compress/decompress arbitrary files
- replace/update pdf streams with your own data
- basic javascript interface so you can run parts of embedded scripts
- PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
- Basic Javascript de-obsfuscator
- can hide: header only streams, duplicate streams, selected streams
- js ui also has access to a toolbox class to
- simplify fragmented strings
- read/write files
- do hexdumps
- do unicode safe unescapes
- disassembler engine
- replicate some common Adobe API (new)
Current Automation scripts include:
- csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
- pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
- string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
- unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
- filter_chains.vbs - recursivly scans parent dir for pdfs that use multiple encoding filters on a stream.
- obsfuscated_headers.vbs - recursivly scans parent dir for pdfs that have obsfuscated object headers
- pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files
Current Plugins include:
- Build_DB.dll - Search and sort data inside multiple samples, move and organize files
- obj_browser.dll - view layout and data inside pdf in text form
[출처] http://sandsprite.com/blogs/index.php?uid=7&pid=57
jjencode - Encode any JavaScript program using only symbols.zip
PDFStreamDumper_Setup.exe
