Peepdf is a tool for the forensic analysis of pdf documents. Most social engineering attacks use a malicious PDF document embedded with java scripts & shell-codes.
It can analyze suspicious objects & data streams within a PDF document. With some extensions installed, a security researcher can analyze the java-scripts & shell-codes in detail. Precisely some of the top features of peepdf are :
- Analyses a PDF document
- Extracts data objects & streams
- Extracts metadata
- Extracts data from encoded & encrypted files also
- XML outputs provided
- Interactive Console
A security researcher can use this tool either to check for hidden shell codes or java scripts or even standard vulnerabilities like CVE-2013-2729 etc. Another use is obviously for Cyber Forensics.
It can extract all metadata & data streams inside the document so that a Forensic investigator can use this for pattern matching purposes or to analyze the shellcode or simply to extract the metadata & detect the presence of malicious code and use it as evidence.
Options – Peepdf
Syntax: peepdf <options> PDF-FILE
-h, --help show this help message and exit -i, --interactive Sets console mode. -s SCRIPTFILE, --load-script=SCRIPTFILE Loads the commands stored in the specified file and execute them. -f, --force-mode Sets force parsing mode to ignore errors. -l, --loose-mode Sets loose parsing mode to catch malformed objects. -u, --update Updates peepdf with the latest files from the repository. -g, --grinch-mode Avoids colorized output in the interactive console. -v, --version Shows program's version number. -x, --xml Shows the document information in XML format.
Lab 1: Install Spidermonkey & Pylibemu
In this lab, we’ll install 3 additional packages in order to be able to analyze javascript & shellcode. The packages are:
- libemu – basic x86 emulation and shellcode detection
- Pylibemu – Python Wrapper for the libemu library
- Spidermonkey – Javascript Engine
Step 1: Install Libemu
First, we have to install required dependencies & python files.
apt-get install autoconf libemu python-dev python-lxml python-pyrex
Clone the package from Git. Make sure to have git-core installed. Kali comes with git pre-installed.
git clone git://git.carnivore.it/libemu.git
Configure & Install libemu from git.
cd libemu/ autoreconf -v -i ./configure --enable-python-bindings --prefix=/opt/libemu make -j4 make install ldconf -n /opt/libemu/lib
Step 2: Install Pylibemu
Again clone from git
git clone https://github.com/buffer/pylibemu.git
Install pylibemu
echo "/opt/libemu/lib" > /etc/ld.so.conf.d/pylibemu.conf python setup.py build python setup.py install
Step 3: Install Spidermonkey
apt-get install python-pyrex svn checkout http://python-spidermonkey.googlecode.com/svn/trunk/ python-spidermonkey cd python-spidermonkey python setup.py build python setup.py install ldconfig
Execute peepdf and see if packages are correctly installed. Just try any PDF file against it.
peepdf evil.pdf <replace with yous>
If the add-ons are not properly installed, a message would come up first saying the packages are not installed when peepdf is executed.
In the next labs, we will get deeper into the usage of peepdf.
References
Libemu Installation References
http://blog.xanda.org/2012/05/16/installation-of-libemu-and-pylibemu-on-ubuntu/
http://www.makethenmakeinstall.com/2013/03/install-thug-on-kali-linux/
Pylibemu Installation References
https://forums.kali.org/archive/index.php/t-2658.html
Spidermonkey Installation References
https://forums.kali.org/archive/index.php/t-2658.html