[Reverse] PDF Stream Dumper

This is a free tool for the analysis of malicious PDF documents. It also has some features that can make it useful for pdf vulnerability development.

Has specialized tools for dealing with obsfuscated javascript, low level pdf headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.

Javascript tools include integration with JS Beautifier for code formatting, the ability to run portions of the script live for live deobsfuscation, toolbox classes to handle extra canned functionality, as well as a pretty stable refactoring engine that will parse a script and replace all the screwy random function and variable names with logical sanitized versions for readability.

Tool also supports unescaping/formatting manipulated pdf headers, as well as being able to decode filter chains (multiple filters applied to the same stream object.)

Download: PDF Stream Dumper Setup 0.9.148 (includes full vb6 source)

Training videos for PDFStreamDumper:

• Feature Overview (17mb / 40min)
• Analysis of a complex sample using page Data
  • part 1 getPageNthWord (4mb / 10min)
  • part 2 URL Decoder & this.info object (3mb / 8min)
• Analysis of a complex sample using getAnnots (4mb / 10min)
• Demo of the new Sample Database Search Plugin (4.5mb / 11min)
• Video for plugin developers and script writers (7mb / 17min)
• shows some new js_ui features on an arguments.callee encrypted script
  • Sample 1 (6mb / 14min)
  • Sample 2 (4mb / 10min)

If you are looking for malicious pdf samples to analyze make sure to check out the Contagio and jsunpack sites.

International users: This new build should now work on systems with extended character set languages set as their default language. If you encounter errors please let me know.

Full feature list

• supported filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, ASCII85Decode, LZWDecode
• Integrated shellcode tools:
  • sclog gui (Shellcode Analysis tool I wrote at iDefense)
  • scTest gui libemu based Shellcode analysis tool
  • Shellcode_2_Exe functionality
  • Export unescaped bytes to file
• supports filter chaining (ie multiple filters applied to same stream)
• supports unescaping encoded pdf headers
• scriptable interface to process multiple files and generate reports
• view all pdf objects
• view deflated streams
• view stream details such as file offsets, header, etc
• save raw and deflated data
• search streams for strings
• scan for functions which contain pdf exploits (dumb scan)
• format javascript using js beautifier (see credits in readme)
• view streams as hex dumps
• zlib compress/decompress arbitrary files
• replace/update pdf streams with your own data
• basic javascript interface so you can run parts of embedded scripts
• PdfDecryptor w/source - uses iTextSharp and requires .Net Framework 2.0
• Basic Javascript de-obsfuscator
• can hide: header only streams, duplicate streams, selected streams
• js ui also has access to a toolbox class to
  • simplify fragmented strings
  • read/write files
  • do hexdumps
  • do unicode safe unescapes
  • disassembler engine

Current Automation scripts include:

• csv_stats.vbs - Builds csv file with results from lower status bar for all files in a directory
• pdfbox_extract.vbs - use pdfbox to extract all images and text from current file
• string_scan.vbs - scan all decompressed streams in all files in a directory for a string you enter
• unsupported_filters.vbs - scan a directory and build list of all pdfs which have unsupported filters
• filter_chains.vbs - recursivly scans parent dir for pdfs that use multiple encoding filters on a stream.
• obsfuscated_headers.vbs - recursivly scans parent dir for pdfs that have obsfuscated object headers
• pdfbox_extract_text_page_by_page.vbs - uses pdfbox to extract page data into individual files
  
  

Current Plugins include:

• Build_DB.dll
• obj_browser.dll

Credits: --------------------------- stream parser was written by VBboy136 - 12/9/2008 http://www.codeproject.com/KB/DLL/PDF2TXTVB.aspx  JS Beautify by Einar Lielmanis, _ conversion to Javascript code by Vital,  http://jsbeautifier.org/  zlib.dll by Jean-loup Gailly and Mark Adler http://www.zlib.net/  CRC32 code by Steve McMahon http://www.vbaccelerator.com/home/vb/code/libraries/CRC32/article.asp  iTextSharp code by Bruno Lowagie and Paulo Soares http://itextpdf.com/terms-of-use/index.php  olly.dll GPL code Copyright (C) 2001 Oleh Yuschuk. http://home.t-online.de/home/Ollydbg/  libemu and sctest.exe written by Paul Baecher and Markus Koetter 2007.  http://libemu.carnivore.it/about.html   sclog is a tool i wrote back at iDefense source here   http://labs.idefense.com/software/download/?downloadID=8   Interface by dzzie@yahoo.com  http://sandsprite.com  Other thanks to Didier Stevens for the info on his blog on tags and encodings. http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways  

RefLink: http://sandsprite.com/blogs/index.php?uid=7&pid=57