peepdf

PEEPDF : A one stop tool for PDF Document forensic analysis

Peepdf is a tool for forensic analysis of pdf documents. Most social engineering attacks use a malicious PDF document embeded with java-scripts & shell-codes. Peepdf can analyse suspicious objects & data streams within a PDF document. With some extensions installed, a security researcher can analyse the java-scripts & shell-codes in detail. Precisely some of the top features of peepdf are :

  1. Analyses a PDF document
  2. Extracts data objects & streams
  3. Extracts metadata
  4. Extracts data from encoded & encrypted files also
  5. XML outputs provided
  6. Interactive Console

A security researcher can use this tool either to check for hidden shell codes or java scripts or even standard vulnerabilities like CVE-2013-2729 etc. Another use is obviously for Cyber Forensics. Peepdf can extract all metadata & data streams inside the document so that a Forensic investigator can use this for pattern matching purposes or to analyse the shell code or simply to extract the metadata & detect the presence of malicious code and use it as evidence.

Homepage: http://eternal-todo.com/tools/peepdf-pdf-analysis-tool

Options

Syntax: peepdf <options> PDF-FILE
-h, --help show this help message and exit
-i, --interactive Sets console mode.
-s SCRIPTFILE, --load-script=SCRIPTFILE  Loads the commands stored in the specified file and execute them.
-f, --force-mode Sets force parsing mode to ignore errors.
-l, --loose-mode Sets loose parsing mode to catch malformed objects.
-u, --update Updates peepdf with the latest files from the repository.
-g, --grinch-mode Avoids colorized output in the interactive console.
-v, --version Shows program's version number.
-x, --xml Shows the document information in XML format.

Lab 1 : Install Spidermonkey & Pylibemu to support peepdf

In this lab, we’ll install 3 additional packages inorder to be able to analyse javascript & shell code. The packages are:

  1. libemu – basic x86 emulation and shellcode detection
  2. Pylibemu – Python Wrapper for the libemu library
  3. Spidermonkey – Javascript Engine

Step 1: Install Libemu

First we have to install required dependencies & python files.

apt-get install autoconf libemu python-dev python-lxml python-pyrex

Clone the package from Git. Make sure to have git-core installed. Kali comes with git pre-installed.

git clone git://git.carnivore.it/libemu.git

Configure & Install libemu from git.

cd libemu/
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make -j4
make install
ldconf -n /opt/libemu/lib

Step 2:  Install Pylibemu

Agian clone from git

git clone https://github.com/buffer/pylibemu.git

Install pylibemu

echo "/opt/libemu/lib" > /etc/ld.so.conf.d/pylibemu.conf
python setup.py build
python setup.py install

Step 3: Install Spidermonkey

apt-get install python-pyrex
svn checkout http://python-spidermonkey.googlecode.com/svn/trunk/ python-spidermonkey
cd python-spidermonkey
python setup.py build
python setup.py install
ldconfig

Execute peepdf and see if packages are correctly installed. Just try any PDF file agianst peepdf

peepdf evil.pdf <replace with yous>
peepdf
Peepdf basic Usage

If the addons are not properly installed, a message would come up first saying the packages are not installed when peepdf is executed.

In the next labs, we will get deeper into the usage of peepdf.

 

References

Libemu Installation References

Pylibemu Installation References
https://forums.kali.org/archive/index.php/t-2658.html

Spidermonkey Installation References
https://forums.kali.org/archive/index.php/t-2658.html

Facebook Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: