PDFiD is the first tool we will use, and is a very simple script that searches for suspicious keywords. For this particular malware, we’ll be using Stevens’ tools along with some other tools used to de-obfuscate and debug code. Stevens’ tools are all written in Python and are very well documented. I find the PDF tools by Didier Stevens to be some of the best out there. The first thing we need is analysis tools. For reference purposes, the md5 hash of our target file is 9ba98b495d186a4452108446c7faa1ac. We’re going to observe a PDF that exploits CVE-2010-0188, a very common exploit found in the wild. Knowing that, let’s look at some PDF malware.

Indirect objects are usually what we’re paying attention to when analyzing PDF malware, and can be referenced by other objects in a PDF file. The objects can either be direct or indirect, and there are eight different types of objects. Direct objects are inline values in the PDF (/FlateDecode, /Length, etc.) while indirect objects have a unique ID and generation number (obj 20 0, obj 7 0, etc.). Some PDF files don’t have a header or trailer, but that is rare.

Once exploitation succeeds, a malware payload can infect a PC using elevated privileges. For these reasons, it’s good to know how to analyze PDF files, but analysts first need a basic understanding of a PDF before they deem it malicious: here is the information you’ll need to know. A PDF file is essentially just a header, some objects in-between, and then a trailer. However, Adobe Reader has a history of vulnerabilities and gets exploited quite a bit. Adobe Reader, formerly Acrobat Reader, remains the number one program used to handle PDF files, despite competition from others.

JPDFSecure is platform independent and can be used in any environment that supports Java, including Windows, Mac OSX and Linux.

Chances are you've probably used Adobe Reader before to read Portable Document Format (PDF) files.
After changing security settings, jPDFSecure can save the document to a file, a java.io.OutputStream or a when running in a Java EE application server to output the file directly to a browser. JPDFSecure has a simple interface to load PDF documents from files, network drives, URLs and even input streams, which can be generated at runtime or come directly from a database. jPDFSecure is optimized for performance and is built on top of Qoppa's proprietary PDF technology so there is no need for any third party software or drivers. With jPDFSecure, your application or Java applet can encrypt PDF documents, set permissions and passwords, and create and apply digital signatures. If you're working on a project for pay, you might want to consider jPDFSecure, a commercial Java library built for developers to digitally sign PDF documents and change security settings on PDF documents.

VERSION 2 - Use existing certificates to sign a pdf document

require 'openssl'
#sigannot = Annotation::Widget::Signature.new

VERSION 1 - Generate certificate and key file, and insert them directly into the document

require 'openssl'

I'm using Adobe Reader X, for the record. From the Origami documentation, I found the get_page method, which solved my last problem on this. To develop version 2, I also spent some time wondering how to add an annotation - so the signature becomes visible in Adobe Reader - without adding a new page to the document. I've opened a new question where you can find some details on a difficulty I had with OpenSSL and DER encoded certificates. Now I just need to figure out how to use this with an externally generated certificate (check version 2 below, where I solved it). After some research, recurring to the OpenSSL documentation and exploring the Origami solution, I built the code below, and managed to insert a locally generated signature/certificate into a pdf document.