Published on August 7th, 2012 | by NJ Ouchn0
Blackhat Arsenal 2012 Releases: Peepdf (Blackhat Release) v0.2
peepdf is a Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks. It’s included in BackTrack and REMnux.
Some of the peepdf features:
- It shows all the objects in the document, highlighting the suspicious elements and potential vulnerabilities.
- It supports all the most used filters and encodings.
- It can parse different versions of a file, object streams and encrypted documents.
- It’s able to create new PDF files and modify existent ones using obfuscation techniques.
- It’s able to extract all the information easily thanks to its interactive console.
The New Release At Vegas
- Added support for AES in the decryption process: Until now peepdf supported RC4 as a decryption algorithm but AES was a must. Now here it is, so no more worries for decrypted documents. I will be ready for new changes in the decryption process, someone in Vegas told me that the next AES modification for PDF files is coming…
- Added decrypt command: The normal way of sending malicious encrypted PDF files is with no user password, so the victims don’t need to put any password manually, it uses the “default” blank password to decrypt it. However, in some cases the password was written in the emails body, for instance. For these cases we can use the decrypt command. In a preliminary analysis we see an error that tell us that the password is not correct. But we can use this new command to perform another analysis giving the password used to encrypt the file. This way we can see all the encrypted objects without problems.
- Shellcode emulation with pylibemu: The shellcode emulation with peepdf was performed with the sctest binary directly. It wasn’t that smart so I had in the TODO list taking a look at the alternatives. Thanks to Angelo Dell’Aera, pylibemu author, I’ve finally included an smarter way to do it, adding pylibemu to the project. The result is very similar but now you won’t need the sctest binary but installing pylibemu. Besides this, if the shellcode uses the URLDownloadToFile function, pylibemu will try to download the binary to disk. Also, other of the good things of this change is that I can work with Angelo closely to solve any potential issues 🙂 I recommend using the git repository to update the libemu files and then install the latest version of pylibemu.
- Added support for CCITTFaxDecode filter: One more for the collection of supported filters. Thanks to Binjo this decoding filter is included now, due to the fact that we have seen some malicious files including this type of encoding this year.
Next ToolsTube with Jose Miguel Esparza discussing many new improvements