Peepdf is a tool for the forensic analysis of PDF documents. Many social-engineering attacks deliver a malicious PDF with embedded JavaScript and shellcode.
It can analyze suspicious objects and data streams within a PDF document. With a few extensions installed, a security researcher can analyze the embedded JavaScript and shellcode in detail. Some of the top features of peepdf are:
A security researcher can use the tool to check for hidden shellcode or JavaScript, or for known vulnerabilities such as CVE-2013-2729. Another obvious use is cyber forensics.
It can extract all metadata and data streams inside the document, so a forensic investigator can use them for pattern matching, analyze the shellcode, or simply extract the metadata, detect the presence of malicious code and preserve it as evidence.
Syntax: peepdf <options> PDF-FILE

-h, --help                               show this help message and exit
-i, --interactive                        Sets console mode.
-s SCRIPTFILE, --load-script=SCRIPTFILE  Loads the commands stored in the specified file and execute them.
-f, --force-mode                         Sets force parsing mode to ignore errors.
-l, --loose-mode                         Sets loose parsing mode to catch malformed objects.
-u, --update                             Updates peepdf with the latest files from the repository.
-g, --grinch-mode                        Avoids colorized output in the interactive console.
-v, --version                            Shows program's version number.
-x, --xml                                Shows the document information in XML format.
In this lab, we'll install three additional packages so that peepdf can analyze JavaScript and shellcode. The packages are libemu, pylibemu and python-spidermonkey.
Step 1: Install Libemu
First, install the required build dependencies and Python packages:
apt-get install autoconf libemu python-dev python-lxml python-pyrex
Clone libemu from its Git repository. This requires git-core; Kali comes with git pre-installed.
git clone git://git.carnivore.it/libemu.git
Configure, build and install libemu from the cloned source, then register its library directory with the dynamic linker:
cd libemu/
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make -j4
make install
ldconfig -n /opt/libemu/lib
Step 2: Install Pylibemu
Again, clone from Git:
git clone https://github.com/buffer/pylibemu.git
Point the dynamic linker at the libemu install prefix, then build and install pylibemu:
echo "/opt/libemu/lib" > /etc/ld.so.conf.d/pylibemu.conf
cd pylibemu/
python setup.py build
python setup.py install
Step 3: Install Spidermonkey
apt-get install python-pyrex
svn checkout http://python-spidermonkey.googlecode.com/svn/trunk/ python-spidermonkey
cd python-spidermonkey
python setup.py build
python setup.py install
ldconfig
Execute peepdf to see whether the packages are correctly installed. Any PDF file will do for this check:
peepdf evil.pdf (replace evil.pdf with your own file)
If the add-ons are not properly installed, peepdf prints a message saying that the packages are not installed as soon as it is executed, before any analysis output.
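An added example, not part of the original post: a small POSIX shell check that verifies the three add-ons from the steps above before peepdf is run, so a "package not installed" warning is not mistaken for a finding about the PDF. It assumes peepdf's interpreter is found as "python" (falling back to "python3") and that the extensions import as the modules "pylibemu" and "spidermonkey".

```shell
#!/bin/sh
# Example check script (not from the original post).
# Assumptions: the interpreter used for peepdf is "python" (or "python3");
# the add-ons are importable as "pylibemu" and "spidermonkey".

PY=$(command -v python 2>/dev/null || command -v python3 2>/dev/null || true)

# Return 0 if the named Python module can be imported, 1 otherwise.
py_module_present() {
    [ -n "$PY" ] || return 1
    "$PY" -c "import $1" >/dev/null 2>&1
}

# Return 0 if a shared library whose name contains $1 is in the ld cache
# (this is what the ldconfig line at the end of Step 1 is for).
ld_has_lib() {
    ldconfig -p 2>/dev/null | grep -q "$1"
}

# Print the number of modules (given as arguments) that fail to import;
# each missing one is reported on stderr so the right step can be redone.
count_missing_modules() {
    n=0
    for mod in "$@"; do
        if ! py_module_present "$mod"; then
            echo "missing python module: $mod" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Full check: libemu visible to the loader (Step 1), pylibemu (Step 2) and
# spidermonkey (Step 3) importable, and peepdf itself on PATH.
peepdf_deps_check() {
    rc=0
    ld_has_lib libemu || { echo "libemu not in ld cache (run ldconfig)" >&2; rc=1; }
    [ "$(count_missing_modules pylibemu spidermonkey)" -eq 0 ] || rc=1
    command -v peepdf >/dev/null 2>&1 || { echo "peepdf not on PATH" >&2; rc=1; }
    [ "$rc" -eq 0 ] && echo "all peepdf add-ons present"
    return "$rc"
}
```

Run `peepdf_deps_check` after the three steps; a non-zero exit and the stderr lines tell you which step to repeat.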
In the next labs, we will get deeper into the usage of peepdf.
References

Libemu installation:
http://blog.xanda.org/2012/05/16/installation-of-libemu-and-pylibemu-on-ubuntu/
http://www.makethenmakeinstall.com/2013/03/install-thug-on-kali-linux/

Pylibemu installation:
https://forums.kali.org/archive/index.php/t-2658.html

Spidermonkey installation:
https://forums.kali.org/archive/index.php/t-2658.html