Obfuscation and (non-)detection of malicious PDF files
Jose Miguel Esparza
Agenda
•   Introduction to the PDF format
•   Obfuscation and evasion techniques
•   Obfuscation vs. Antivirus
•   Obfuscation vs. Analysis tools
•   peepdf
•   Conclusions
• Physical structure (figure)
  – Header
  – Body
  – Cross reference table
  – Trailer
Introduction to the PDF format
• Sequence of objects
• Object types
  – Boolean: true false
  – Numbers: 123 -98 4. -.002 123.6
  – Strings: (hola) <686f6c61>
  – Names: /Type /Filters
  – Dictionaries: <</Type /Catalog /Root 1 0 R>>
  – Arrays: [1.0 (test) <</Length 273>>]
  – Streams
Introduction to the PDF format
• Object types
  – Indirect objects
     • Reference: “object_id generation_number R”
Introduction to the PDF format
• Updatable documents
  – Older versions stay in the document
  – Incremental update (figure): the original Header, Body, Cross reference
    table and Trailer are followed by the update's Body, Cross reference
    table and Trailer
Introduction to the PDF format
• Logical structure
  – Tree structure
  – Root node: /Catalog
  – If an element is not reachable on the downward path from /Catalog,
    it DOES NOT EXIST
Introduction to the PDF format
• Actions
  –   /Launch
  –   /Javascript
  –   /GoToE (go to embedded)
  –   /URI
  –   /SubmitForm
  –   …
• Triggers
  – /OpenAction: global
  – /AA: pages, annotations
Obfuscation and evasion techniques
• Practical example
  – pdf.pdf (2009)
• Automatic execution
  – Avoid /OpenAction
  – Use of /Catalog elements
     • /Names
     • /AcroForm
  – /AA: applied to pages, annotations…
Obfuscation and evasion techniques
• Strings to avoid/hide
  – /Javascript /JS
  – More than two “unescape” in Javascript code
  – Characteristic metadata
  – /pdftk_PageNum
Obfuscation and evasion techniques
• Suspicious objects?
   – Strings (21/43) vs. Streams (27/43)
• Filters
   – Avoid known filters: /FlateDecode /ASCIIHexDecode
   – Parameters (including the default ones)
   – Multiple filters
      [ /FlateDecode /LZWDecode /RunLengthDecode ]
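Why a filter array with parameters defeats a tool that only knows /FlateDecode: the following is an added example, not code from the talk or from peepdf. It applies a /Filter array in order and honours the /DecodeParms entry that belongs to each filter (here a PNG predictor, assuming /Colors 1 and /BitsPerComponent 8, which is what most such streams use). The sample stream, its harmless payload and the helper names (decode_stream, png_predictor_decode, demo) are constructed for this example. A tool that runs the filters but ignores the predictor ends up with bytes in which the payload never appears as a contiguous string, which is the evasion the slides describe.

```python
import binascii
import zlib


def asciihex_decode(data: bytes) -> bytes:
    """/ASCIIHexDecode: hex digits, whitespace ignored, '>' ends the data."""
    digits = b"".join(data.split(b">", 1)[0].split())
    if len(digits) % 2:            # a final odd digit behaves as if followed by 0
        digits += b"0"
    return binascii.unhexlify(digits)


def flate_decode(data: bytes) -> bytes:
    """/FlateDecode is plain zlib."""
    return zlib.decompress(data)


def png_predictor_decode(data: bytes, columns: int) -> bytes:
    """Undo a PNG predictor (/Predictor >= 10, /Colors 1, /BitsPerComponent 8).

    Every row starts with one filter-type byte (0 None, 1 Sub, 2 Up, 3 Average,
    4 Paeth) followed by `columns` bytes; each byte is rebuilt from the decoded
    byte to its left and the decoded row above it.
    """
    out = bytearray()
    prev = bytes(columns)
    for off in range(0, len(data), columns + 1):
        ftype = data[off]
        row = bytearray(data[off + 1: off + 1 + columns])
        for i in range(len(row)):
            left = row[i - 1] if i else 0
            up = prev[i]
            upleft = prev[i - 1] if i else 0
            if ftype == 1:
                row[i] = (row[i] + left) & 0xFF
            elif ftype == 2:
                row[i] = (row[i] + up) & 0xFF
            elif ftype == 3:
                row[i] = (row[i] + (left + up) // 2) & 0xFF
            elif ftype == 4:
                p = left + up - upleft
                pa, pb, pc = abs(p - left), abs(p - up), abs(p - upleft)
                pred = left if pa <= pb and pa <= pc else up if pb <= pc else upleft
                row[i] = (row[i] + pred) & 0xFF
        out += row
        prev = bytes(row)
    return bytes(out)


FILTERS = {"/FlateDecode": flate_decode, "/ASCIIHexDecode": asciihex_decode}


def decode_stream(data: bytes, filters: list, parms: list) -> bytes:
    """Apply a /Filter array in order; /DecodeParms runs parallel to it and may
    name a predictor that has to be undone right after the matching filter."""
    parms = list(parms) + [None] * (len(filters) - len(parms))
    for name, p in zip(filters, parms):
        if name not in FILTERS:
            raise ValueError(f"unsupported filter {name}")
        data = FILTERS[name](data)
        p = p or {}
        if p.get("/Predictor", 1) >= 10:           # TIFF predictor 2 is not handled here
            data = png_predictor_decode(data, p.get("/Columns", 1))
    return data


def png_up_encode(data: bytes, columns: int) -> bytes:
    """Sample-building helper only: apply the PNG 'Up' predictor (type 2)."""
    out = bytearray()
    prev = bytes(columns)
    for off in range(0, len(data), columns):
        row = data[off: off + columns]
        out.append(2)
        out += bytes((row[i] - prev[i]) & 0xFF for i in range(len(row)))
        prev = row
    return bytes(out)


# Constructed sample stream: harmless payload -> PNG Up predictor -> zlib -> ASCIIHex.
PAYLOAD = b"app.alert('constructed sample');"
COLUMNS = 8
SAMPLE_FILTERS = ["/ASCIIHexDecode", "/FlateDecode"]
SAMPLE_PARMS = [None, {"/Predictor": 12, "/Columns": COLUMNS}]
SAMPLE_STREAM = binascii.hexlify(zlib.compress(png_up_encode(PAYLOAD, COLUMNS))) + b">"


def demo():
    """(what a /DecodeParms-aware tool sees, what a tool that ignores it sees)."""
    aware = decode_stream(SAMPLE_STREAM, SAMPLE_FILTERS, SAMPLE_PARMS)
    naive = decode_stream(SAMPLE_STREAM, SAMPLE_FILTERS, [None, None])
    return aware, naive
```

demo() returns the two views side by side; only the first one contains the payload, and the second still starts with the predictor's row-type byte.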
Obfuscation and evasion techniques
• Strings/names encoding
  – Names
     • Hexadecimal codification
                NO!
        /Fl#61#74#65De#63#6f#64e (/FlateDecode)
  – Strings
     • Hexadecimal
        <7368656c6c636f6465>
     • Octal values
        (\163\150\145\154\154)
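The object syntax from the introduction (booleans, numbers, strings, names, dictionaries, arrays, references) and the name/string encodings listed just above, as one added example parser; this is not peepdf's code and not from the slides. It tokenises an object and decodes #xx name escapes, hex strings and octal escapes while doing so, so a dictionary written with /J#61vaScript is returned keyed by /JavaScript and an octal-escaped string comes back as the bytes a reader sees. Parser, Ref, decode_name, decode_hex_string, unescape_literal and SAMPLE_OBJECT are names assumed by this example; stream bodies are not parsed here (the filter example above covers them).

```python
import re
from collections import namedtuple

Ref = namedtuple("Ref", "num gen")          # assumed type standing for "num gen R"
KEYWORDS = {b"true": True, b"false": False, b"null": None}
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}
NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")
LIT_ESCAPE = re.compile(rb"\\([0-7]{1,3}|\r\n|\r|\n|.)", re.DOTALL)
TOKEN = re.compile(rb"""
      (?P<ws>(?:\s|%[^\r\n]*)+)                                  # whitespace and comments
    | (?P<dopen><<) | (?P<dclose>>>) | (?P<aopen>\[) | (?P<aclose>\])
    | (?P<hexstr><[0-9A-Fa-f\s]*>) | (?P<litstr>\()                # "(": body read by parse_literal
    | (?P<name>/[^\s/<>\[\]()%]*)
    | (?P<number>[+-]?(?:\d+\.?\d*|\.\d+)) | (?P<kw>[A-Za-z]+)
""", re.VERBOSE)

def decode_name(raw: bytes) -> str:
    """/Fl#61#74#65De#63#6f#64e -> '/FlateDecode' (#xx name escapes, PDF 1.2+)."""
    return NAME_HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def decode_hex_string(raw: bytes) -> bytes:
    """<7368656c6c636f6465> -> b'shellcode'; whitespace ignored, odd final digit padded."""
    digits = b"".join(raw[1:-1].split())
    return bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))

def unescape_literal(body: bytes) -> bytes:
    """Resolve \\ddd octal escapes, \\n-style escapes and backslash-EOL continuations."""
    def one(m):
        e = m.group(1)
        if e[:1] in b"01234567":
            return bytes([int(e, 8) & 0xFF])
        return b"" if e in (b"\r\n", b"\r", b"\n") else ESCAPES.get(e, e)
    return LIT_ESCAPE.sub(one, body)

class Parser:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def next_token(self):
        while self.pos < len(self.data):
            m = TOKEN.match(self.data, self.pos)
            if m is None:
                raise ValueError(f"unexpected byte at offset {self.pos}")
            self.pos = m.end()
            if m.lastgroup != "ws":
                return m.lastgroup, m.group(0)
        return None, None

    def parse(self, kind=None, tok=None):
        # one direct object: bool, number, string, name, dict, array or reference
        if kind is None:
            kind, tok = self.next_token()
        handlers = {"dopen": self.parse_dict, "aopen": self.parse_array, "litstr": self.parse_literal,
                    "hexstr": lambda: decode_hex_string(tok), "name": lambda: decode_name(tok),
                    "number": lambda: self.parse_number(tok)}
        if kind in handlers:
            return handlers[kind]()
        if kind == "kw" and tok in KEYWORDS:
            return KEYWORDS[tok]
        raise ValueError(f"unexpected token {tok!r}")

    def parse_dict(self):
        result, (kind, tok) = {}, self.next_token()
        while kind != "dclose":
            if kind != "name":
                raise ValueError("dictionary keys must be names")
            result[decode_name(tok)] = self.parse()
            kind, tok = self.next_token()
        return result

    def parse_array(self):
        items, (kind, tok) = [], self.next_token()
        while kind != "aclose":
            items.append(self.parse(kind, tok))
            kind, tok = self.next_token()
        return items

    def parse_number(self, tok):
        if b"." in tok:
            return float(tok.decode())
        num, save = int(tok), self.pos
        k2, t2 = self.next_token()                   # look ahead for "gen R" (indirect reference)
        if k2 == "number" and b"." not in t2 and self.next_token() == ("kw", b"R"):
            return Ref(num, int(t2))
        self.pos = save
        return num

    def parse_literal(self):                         # entered right after the opening "("
        d, start, depth = self.data, self.pos, 1
        while depth:                                 # find the balancing ")" honouring backslashes
            if self.pos >= len(d):
                raise ValueError("unterminated literal string")
            c = d[self.pos]
            self.pos += 1
            if c == 0x5C:                            # backslash escapes the next byte
                self.pos += 1
            elif c in (0x28, 0x29):                  # "(" nests, ")" closes
                depth += 1 if c == 0x28 else -1
        return unescape_literal(d[start:self.pos - 1])

# Constructed sample: an escaped name and string that a raw search for "/JavaScript"
# or "app.alert" misses, although every conforming reader decodes them.
SAMPLE_OBJECT = b"<</Type /Ac#74ion /S /J#61vaScript /JS (\\141\\160\\160.alert) /Data <7368656c6c636f6465> /Next 1 0 R>>"
```

Parser(SAMPLE_OBJECT).parse() returns a plain Python dictionary with decoded keys and values, which is the form a detector should match against rather than the raw bytes.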
Obfuscation and evasion techniques
• Hiding Javascript code
  – Functions to obtain parts of the document
     • getAnnots()
     • getPageNumWords()/getPageNthWord()
     •…
• Splitting up Javascript code
  – Several objects in /Names
     /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R]
Obfuscation and evasion techniques
• Duplicated objects
• Updated objects
• Malformed documents
  – Garbage bytes in the header
  – Bad version number (%PDF-1.0)
  – No xref table
  – No ending tags: endobj or endstream
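One way to cope with the duplicated, updated and malformed documents listed above, as an added example that is not peepdf's code and not from the talk: it scans the raw bytes for "N G obj" headers instead of trusting the cross reference table, tolerates missing endobj and endstream keywords, reports garbage before the header, a %PDF-1.0 version, missing xref/startxref, incremental updates and redefined objects, and counts the trigger, action and container keys from the earlier slides after undoing #xx name escapes. scan, split_objects, INTERESTING and the deliberately malformed SAMPLE_PDF are assumptions of this example.

```python
import re
from collections import Counter

OBJ_HEADER = re.compile(rb"(?<![0-9A-Za-z])(\d+)\s+(\d+)\s+obj\b")
PDF_HEADER = re.compile(rb"%PDF-(\d\.\d)")
NAME_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")          # /J#61vaScript -> /JavaScript
STREAM_KW = re.compile(rb"(?<![A-Za-z])stream")        # "stream" but not "endstream"
XREF_KW = re.compile(rb"(?<![a-z])xref")               # "xref" but not "startxref"

# Trigger, action and container keys from the earlier slides, plus the structures
# the talk names as evasion aids. /EmbeddedFile also matches /EmbeddedFiles on purpose.
INTERESTING = [b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/URI",
               b"/SubmitForm", b"/GoToE", b"/Names", b"/AcroForm", b"/EmbeddedFile",
               b"/Encrypt", b"/ObjStm", b"/DecodeParms"]


def split_objects(pdf: bytes):
    """Yield (num, gen, body, has_endobj) for every 'N G obj' found by scanning the
    bytes; the xref table is never consulted, so a missing or lying one is harmless."""
    headers = list(OBJ_HEADER.finditer(pdf))
    for idx, m in enumerate(headers):
        start = m.end()
        limit = headers[idx + 1].start() if idx + 1 < len(headers) else len(pdf)
        end = pdf.find(b"endobj", start, limit)
        yield int(m.group(1)), int(m.group(2)), pdf[start:end if end >= 0 else limit], end >= 0


def scan(pdf: bytes) -> dict:
    """Report structural anomalies and how many objects carry each interesting key."""
    anomalies, indicators, seen = [], Counter(), Counter()
    m = PDF_HEADER.search(pdf[:1024])
    if m is None:
        anomalies.append("no %PDF header in the first 1024 bytes")
    else:
        if m.start():
            anomalies.append(f"{m.start()} bytes of garbage before the header")
        if m.group(1) == b"1.0":
            anomalies.append("header claims %PDF-1.0")
    if not XREF_KW.search(pdf) and b"/XRef" not in pdf:
        anomalies.append("no cross reference table or stream")
    if b"startxref" not in pdf:
        anomalies.append("no startxref")
    eofs = pdf.count(b"%%EOF")
    if eofs > 1:
        anomalies.append(f"{eofs} %%EOF markers: incremental updates present")
    for num, gen, body, has_endobj in split_objects(pdf):
        seen[num] += 1
        if not has_endobj:
            anomalies.append(f"object {num} {gen} has no endobj")
        if STREAM_KW.search(body) and b"endstream" not in body:
            anomalies.append(f"object {num} {gen} has no endstream")
        decoded = NAME_HEX.sub(lambda h: bytes([int(h.group(1), 16)]), body)
        for key in INTERESTING:
            if key in decoded:
                indicators[key.decode()] += 1
    for num, count in sorted(seen.items()):
        if count > 1:
            anomalies.append(f"object {num} defined {count} times (duplicate or update; readers keep the last)")
    return {"anomalies": anomalies, "indicators": dict(indicators)}


# Constructed, deliberately malformed sample: garbage before the header, an old
# version number, a JavaScript action without endobj, a redefined catalog, no xref.
SAMPLE_PDF = (
    b"JUNKJUNK"
    b"%PDF-1.0\n"
    b"1 0 obj\n<</Type /Catalog /Pages 2 0 R /OpenAction 3 0 R>>\nendobj\n"
    b"2 0 obj\n<</Type /Pages /Kids [] /Count 0>>\nendobj\n"
    b"3 0 obj\n<</S /J#61vaScript /JS (app.alert(1))>>\n"
    b"1 0 obj\n<</Type /Catalog /Pages 2 0 R /AA <</O 3 0 R>>>>\nendobj\n"
    b"trailer\n<</Root 1 0 R>>\n%%EOF\n"
)
```

scan(SAMPLE_PDF) lists every anomaly above and counts /OpenAction, /AA, /JavaScript and /JS once each, even though the action's type name was hex-escaped in the file.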
Obfuscation and evasion techniques
• Compressed objects (object streams)
   – Incompatible with malformed documents
• Encryption
   – /Encrypt (streams and strings)
   – RC4 or AES (40-128 bits)
   – Default password
      • padding = "\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\x00\x4E\x56\xFF\xFA" +
        "\x01\x08\x2E\x2E\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\x53\x69\x7A"
      • password = password + padding[:32-(len(password))]
      • if password = '' then password = padding
• Nested PDFs
   – /EmbeddedFiles
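Why the "default password" matters for analysis rather than being an obstacle: the following is an added example, not peepdf's code and not from the talk, of the standard security handler's key derivation as specified in the PDF Reference 1.7 (Algorithms 3.1, 3.2, 3.4 and 3.5), using the padding string shown above. With an empty user password the padded password is the padding string itself, so the file key follows from values that are all stored in the document (/O, /P, /R, /Length and the trailer's /ID), and a tool can verify that against /U before decrypting. Only RC4 is implemented here (the AESV2 salt is included in the object key, the AES step itself is left to a library); the /Encrypt dictionary, file ID and /O value are constructed placeholders, and all function names are assumptions of this example.

```python
import hashlib
import struct

# The fixed 32-byte padding string of the standard security handler (Algorithm 3.2).
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")


def pad_password(password: bytes) -> bytes:
    """password + padding[:32 - len(password)] as on the slide; the empty user
    password therefore turns into the padding string itself."""
    return (password + PAD)[:32]


def compute_file_key(password: bytes, o_entry: bytes, p_entry: int, file_id: bytes,
                     revision: int, length_bits: int = 40, encrypt_metadata: bool = True) -> bytes:
    """Algorithm 3.2: derive the file key from the user password and /Encrypt values."""
    h = hashlib.md5()
    h.update(pad_password(password))
    h.update(o_entry[:32])
    h.update(struct.pack("<I", p_entry & 0xFFFFFFFF))     # /P as 4 bytes, low byte first
    h.update(file_id)                                      # first element of the trailer's /ID
    if revision >= 4 and not encrypt_metadata:
        h.update(b"\xff\xff\xff\xff")
    key = h.digest()
    n = 5 if revision == 2 else length_bits // 8
    if revision >= 3:
        for _ in range(50):                                # the 50 re-hashing rounds of R3+
            key = hashlib.md5(key[:n]).digest()
    return key[:n]


def object_key(file_key: bytes, num: int, gen: int, aes: bool = False) -> bytes:
    """Algorithm 3.1: per-object key for RC4 (or AESV2 when aes=True)."""
    data = file_key + struct.pack("<I", num)[:3] + struct.pack("<H", gen)
    if aes:
        data += b"sAlT"
    return hashlib.md5(data).digest()[: min(len(file_key) + 5, 16)]


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; encryption and decryption are the same operation."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def user_entry(file_key: bytes, file_id: bytes, revision: int) -> bytes:
    """Algorithms 3.4/3.5: recompute /U so the password can be confirmed."""
    if revision == 2:
        return rc4(file_key, PAD)
    out = rc4(file_key, hashlib.md5(PAD + file_id).digest())
    for i in range(1, 20):
        out = rc4(bytes(b ^ i for b in file_key), out)
    return out + bytes(16)                                 # the last 16 bytes are arbitrary


def empty_user_password_works(enc: dict, file_id: bytes):
    """enc mirrors the /Encrypt dictionary. Returns (ok, file_key)."""
    r = enc["/R"]
    key = compute_file_key(b"", enc["/O"], enc["/P"], file_id, r,
                           enc.get("/Length", 40), enc.get("/EncryptMetadata", True))
    n = 32 if r == 2 else 16
    return user_entry(key, file_id, r)[:n] == enc["/U"][:n], key


# Constructed sample: a document protected with an empty user password (R3, 128-bit RC4).
FILE_ID = bytes(range(16))                                 # placeholder for /ID[0]
O_ENTRY = bytes(range(32))                                 # placeholder for the real /O
SAMPLE_KEY = compute_file_key(b"", O_ENTRY, -3904, FILE_ID, 3, 128)
SAMPLE_ENCRYPT = {"/Filter": "/Standard", "/V": 2, "/R": 3, "/Length": 128, "/P": -3904,
                  "/O": O_ENTRY, "/U": user_entry(SAMPLE_KEY, FILE_ID, 3)}
SAMPLE_PLAINTEXT = b"app.alert('constructed sample')"
SAMPLE_CIPHERTEXT = rc4(object_key(SAMPLE_KEY, 4, 0), SAMPLE_PLAINTEXT)   # a string in object 4 0


def decrypt_sample() -> bytes:
    """What an analysis tool does: confirm the empty password, then decrypt object 4 0."""
    ok, key = empty_user_password_works(SAMPLE_ENCRYPT, FILE_ID)
    if not ok:
        raise ValueError("user password is not empty; the real one is needed")
    return rc4(object_key(key, 4, 0), SAMPLE_CIPHERTEXT)
```

The point for tool authors is that everything decrypt_sample() needs is in the file; an analyzer that gives up on /Encrypt is handing the attacker a free evasion.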
Obfuscation and evasion techniques
• Mixing techniques
• Summary:
  – Remove characteristic strings
  – Split up Javascript code (/Names)
  – If the code is in:
       • a String: octal encoding (\143\172)
       • a Stream: filters (unusual ones, with parameters)
  –   Compress (object streams)
  –   Encrypt (default password)
  –   Malform (endobj, header)
  –   Nest PDFs
Obfuscation vs. Antivirus
• Better results
  – JS in string + octal + no characteristic strings
     • object stream
        – malformed + nested + filters with parameters (0/43)
          http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739
        – filters with parameters + malformed (0/43)
          http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940
     • malformed: endobj, bad header (2/43)
       http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405
     • encrypted (5/43)
       http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113
• Exploit working
Obfuscation vs. Antivirus
Antivirus     Weaknesses
AntiVir       JS in string, without JS strings
Avast         Embedded, no endobj, Flate params
AVG           Embedded, Flate params, characteristic strings, without JS strings
BitDefender   Characteristic strings, octal strings
ClamAV        Flate params, octal strings, bytes header
DrWeb         Characteristic strings, octal strings
F-Secure      Split-up JS code, octal strings, bytes header, object streams
Fortinet      Flate params, split-up JS code, bytes header, metadata
GData         No endobj, Flate params
Kaspersky     Flate params, characteristic strings, split-up JS code, object streams
McAfee        Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
Obfuscation vs. Antivirus
Antivirus     Weaknesses
McAfee-GW     Flate params, characteristic strings, octal strings
Microsoft     Split-up JS code, octal strings, bytes header, object streams
NOD32         Embedded, characteristic strings, bad header (%PDF-1.0)
Panda         JS in string, without JS strings
Prevx         No detection
Sophos        Without JS strings, object stream + malformed endobj, encrypted
Symantec      Original detection as Downloader, JS in string, without JS strings
TrendMicro    No detection
VBA32         Characteristic strings
VirusBuster   No detection
Obfuscation vs. Analysis tools
Tool                  Comments
Wepawet               No encryption support
PDFDissector          Commercial, not tested
PDFStreamDumper       Windows, errors with encryption and FlateDecode parameters
pdf-parser (Didier)   Search in streams not supported, 3 filters, object streams and encryption not supported
OPAF                  Framework, not tested, encryption not supported
Origami               Good framework (filters, object streams, encryption), but you have to code your own tool (Ruby)
PDFExaminer           Does not analyse Javascript code and does not look for exploits in object streams and encrypted objects
malpdfobj             Based on PDFTools (Didier Stevens)
peepdf
• Characteristics
  – Python
  – Command line
  – Interactive console
  – Command file option
  – In its final development phase

            http://peepdf.eternal-todo.com
peepdf
• Analysis
   – Decoding: hexadecimal, octal, names
   – Most used filters (5)
   – References in objects and to objects
   – Strings search (including streams)
   – Physical structure (offsets)
   – Tree structure (logical)
   – Metadata
   – Changes between versions (changelog)
   – Compressed objects
   – Malformed documents support
   – Javascript analysis and modification (Spidermonkey)
        • unescape, replace, join
   – Shellcode analysis (sctest, Libemu)
   – Variables to improve analysis (set command)
   – Extraction of different versions
peepdf
• Creation/Modification
  – Basic PDF creation
  – Creation of PDF with Javascript execution
  – Object compression (object streams)
  – Nested PDFs creation
  – Malformed PDFs
  – Strings and names encoding
  – Filters modification
  – Object modification
peepdf
• TODO
  – Encryption
  – Nested PDFs analysis
  – Missing filters
  – Improve automatic Javascript analysis
  – GUI
Conclusions
• Very low detection when:
  – Nested PDFs
  – Compressed objects
  – New filters or filters with parameters
  – Encryption
• Avoid detection by strings
• Improve parsers
Thanks
• People working with PDF stuff:
  – Julia Wolf
  – Didier Stevens
  – Felipe Manzano (feliam)
  – Origami team
  – Brandon Dixon
  –…
???
Thanks!!

Jose Miguel Esparza
jesparza@eternal-todo.com
jesparza@s21sec.com
http://eternal-todo.com
@eternaltodo

José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files [RootedCON 2011]
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
Rooted2020 compliance as-code_-_guillermo_obispo_-_jose_mariaperez_-_
 
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
Rooted2020 the day i_ruled_the_world_deceiving_software_developers_through_op...
 
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
Rooted2020 si la-empresa_ha_ocultado_el_ciberataque,_como_se_ha_enterado_el_r...
 
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
Rooted2020 wordpress-another_terror_story_-_manuel_garcia_-_jacinto_sergio_ca...
 
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguerRooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
Rooted2020 Atacando comunicaciones-de_voz_cifradas_-_jose_luis_verdeguer
 
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
rooted2020-Rootkit necurs no_es_un_bug,_es_una_feature_-_roberto_santos_-_jav...
 
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemyRooted2020 stefano maccaglia--_the_enemy_of_my_enemy
Rooted2020 stefano maccaglia--_the_enemy_of_my_enemy
 
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
Rooted2020 taller de-reversing_de_binarios_escritos_en_golang_-_mariano_palom...
 
Rooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molinaRooted2020 virtual pwned-network_-_manel_molina
Rooted2020 virtual pwned-network_-_manel_molina
 
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
Rooted2020 van a-mear_sangre_como_hacer_que_los_malos_lo_paguen_muy_caro_-_an...
 
Rooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopezRooted2020 todo a-siem_-_marta_lopez
Rooted2020 todo a-siem_-_marta_lopez
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Rooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jaraRooted2020 live coding--_jesus_jara
Rooted2020 live coding--_jesus_jara
 
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
Rooted2020 legalidad de-la_prueba_tecnologica_indiciaria_cuando_tu_papi_es_un...
 
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
Rooted2020 hackeando el-mundo_exterior_a_traves_de_bluetooth_low-energy_ble_-...
 
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yusteRooted2020 evading deep-learning_malware_detectors_-_javier_yuste
Rooted2020 evading deep-learning_malware_detectors_-_javier_yuste
 
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_moralesRooted2020 encontrando 0days-en_2020_-_antonio_morales
Rooted2020 encontrando 0days-en_2020_-_antonio_morales
 

Recently uploaded

The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
Arpan Buwa
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Networks
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
Safe Software
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
softsuave
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
Steven Carlson
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
Priyanka Aash
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
Brian Pichman
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Kunal Gupta
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 

Recently uploaded (20)

The Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and CitiesThe Impact of the Internet of Things (IoT) on Smart Homes and Cities
The Impact of the Internet of Things (IoT) on Smart Homes and Cities
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
IPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite SolutionIPLOOK Remote-Sensing Satellite Solution
IPLOOK Remote-Sensing Satellite Solution
 
Data Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining DataData Integration Basics: Merging & Joining Data
Data Integration Basics: Merging & Joining Data
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Step-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From ScratchStep-By-Step Process to Develop a Mobile App From Scratch
Step-By-Step Process to Develop a Mobile App From Scratch
 
Vulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive OverviewVulnerability Management: A Comprehensive Overview
Vulnerability Management: A Comprehensive Overview
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
(CISOPlatform Summit & SACON 2024) Keynote _ Power Digital Identities With AI...
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptxDublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
Dublin_mulesoft_meetup_Mulesoft_Salesforce_Integration (1).pptx
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 

José Miguel Esparza - Obfuscation and (non-)detection of malicious PDF files [RootedCON 2011]

  • 1. Obfuscation and (non-)detection of malicious PDF files
    Jose Miguel Esparza
  • 2. Agenda
    • Introduction to the PDF format
    • Obfuscation and evasion techniques
    • Obfuscation vs. Antivirus
    • Obfuscation vs. Analysis tools
    • peepdf
    • Conclusions
  • 3. File layout
    • Header
    • Body
    • Cross reference table
    • Trailer
  • 4. Introduction to the PDF format
    • Sequence of objects
    • Object types
      – Boolean: true false
      – Numbers: 123 -98 4. -.002 123.6
      – Strings: (hola) <686f6c61>
      – Names: /Type /Filters
      – Dictionaries: <</Type /Catalog /Root 1 0 R>>
      – Arrays: [1.0 (test) <</Length 273>>]
      – Streams
  • 5. Introduction to the PDF format
  • 6. Introduction to the PDF format
    • Object types
      – Indirect objects
        • Reference: “object_id generation_number R”
  • 7. Introduction to the PDF format
  • 8. Introduction to the PDF format
    • Updatable documents
      – Older versions stay in the document
      – Original: Header, Body, Cross reference table, Trailer
      – Update: Body, Cross reference table, Trailer
  • 9. Introduction to the PDF format
    • Logical structure
      – Tree structure
      – Root node: /Catalog
      – If an element isn’t in the downward path from the /Catalog, it DOES NOT EXIST
  • 10. Introduction to the PDF format
  • 11. Introduction to the PDF format
    • Actions
      – /Launch
      – /Javascript
      – /GoToE (go to embedded)
      – /URI
      – /SubmitForm
      – …
    • Triggers
      – /OpenAction: global
      – /AA: pages, annotations
  • 12. Introduction to the PDF format
  • 13. Introduction to the PDF format
  • 14. Introduction to the PDF format
  • 15. Introduction to the PDF format
  • 16. Obfuscation and evasion techniques
    • Practical example
      – pdf.pdf (2009)
  • 20. Obfuscation and evasion techniques
    • Automatic execution
      – Avoid /OpenAction
      – Use of /Catalog elements
        • /Names
        • /AcroForm
      – /AA: applied to pages, annotations…
  • 23. Obfuscation and evasion techniques
    • Strings to avoid/hide
      – /Javascript /JS
      – More than two “unescape” calls in Javascript code
      – Characteristic metadata
      – /pdftk_PageNum
  • 26. Obfuscation and evasion techniques
    • Suspicious objects?
      – Strings (21/43) vs. Streams (27/43)
    • Filters
      – Avoid known filters: /FlateDecode /ASCIIHexDecode
      – Parameters (including default ones)
      – Multiple filters: [ /FlateDecode /LZWDecode /RunLengthDecode ]
  • 28. Obfuscation and evasion techniques
    • Strings/names encoding
      – Names
        • Hexadecimal encoding: /Fl#61#74#65De#63#6f#64e (/FlateDecode)
      – Strings
        • Hexadecimal: <7368656c6c636f6465>
        • Octal values: (\163\150\145\154\154)
  • 29. Obfuscation and evasion techniques
    • Strings/names encoding
      – Names
        • Hexadecimal encoding: NO! /Fl#61#74#65De#63#6f#64e (/FlateDecode)
      – Strings
        • Hexadecimal: <7368656c6c636f6465>
        • Octal values: (\163\150\145\154\154)
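The slides on strings to hide (23), filter chains (26) and name/string encoding (28/29) all describe the same evasion: the object syntax is rewritten so a plain string scan for /Javascript, /JS or /FlateDecode misses it. The analysis-side answer is to normalise the syntax first. The following Python example is added here and is not code from the talk or from peepdf: it decodes #xx escapes in names, hex strings and octal-escaped literal strings, reports which marker names only become visible after decoding, and counts multi-filter chains and /DecodeParms. The sample object text, the MARKERS list and all function names are constructed for this example.

```python
import re

# Token classes of a PDF object body (nested parentheses in literal strings and %-comments not handled).
TOKEN_RE = re.compile(
    r'(?P<lit>\((?:\\.|[^\\()])*\))'          # (literal string)
    r'|(?P<hex><[0-9A-Fa-f\s]+>)'              # <hex string>
    r'|(?P<name>/[^\s/\[\]<>(){}%]*)', re.S)   # /Name
OCTAL_RE = re.compile(r'[0-7]{1,3}')
END = r'(?=[\s/\[\]<>(){}%]|$)'                # a name ends at a delimiter
ESCAPES = {'n': 10, 'r': 13, 't': 9, 'b': 8, 'f': 12, '(': 40, ')': 41, '\\': 92}
# Names an analyst looks for (constructed list): the ones the slides say get hidden, plus filters.
MARKERS = ('/JavaScript', '/JS', '/OpenAction', '/AA', '/Launch', '/Names',
           '/AcroForm', '/EmbeddedFiles', '/Encrypt', '/ObjStm', '/FlateDecode')

def decode_name(tok):
    """/Fl#61#74#65De#63#6f#64e -> /FlateDecode (#xx hex escapes in names)."""
    return re.sub(r'#([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), tok)

def decode_hex_string(tok):
    """<7368656c6c636f6465> -> b'shellcode'; whitespace ignored, odd final digit padded with 0."""
    digits = re.sub(r'\s+', '', tok[1:-1])
    return bytes.fromhex(digits + '0' if len(digits) % 2 else digits)

def decode_literal_string(tok):
    """(\\163\\150\\145\\154\\154) -> b'shell'; handles \\ddd octal and \\n-style escapes."""
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        c, i = body[i], i + 1
        if c != '\\':
            out.append(ord(c) & 0xFF)
            continue
        m = OCTAL_RE.match(body, i)
        if m:                                  # \ddd: one to three octal digits
            out.append(int(m.group(0), 8) & 0xFF)
            i = m.end()
            continue
        c, i = body[i:i + 1], i + 1
        if c in ESCAPES:
            out.append(ESCAPES[c])
        elif c == '\r' and body[i:i + 1] == '\n':
            i += 1                             # backslash-CRLF line continuation
        elif c and c not in '\r\n':            # unknown escape: the backslash is dropped
            out.append(ord(c) & 0xFF)
    return bytes(out)

def normalize_pdf_text(src):
    """Rewrite names and strings in canonical form so plain-text signatures match again."""
    def repl(m):
        if m.group('name') is not None:
            return decode_name(m.group('name'))
        raw = (decode_hex_string(m.group('hex')) if m.group('hex') is not None
               else decode_literal_string(m.group('lit')))
        return '(' + raw.decode('latin-1') + ')'
    return TOKEN_RE.sub(repl, src)

def has(name, text):
    return re.search(re.escape(name) + END, text) is not None

def obfuscation_indicators(src):
    """Count the encoding tricks from the slides; list markers visible only after decoding."""
    norm = normalize_pdf_text(src)
    ind = {'hex_names': 0, 'octal_strings': 0, 'hex_strings': 0,
           'multi_filter': 0, 'decoded_strings': []}
    for m in TOKEN_RE.finditer(src):
        if m.group('name') is not None:
            ind['hex_names'] += '#' in m.group('name')
        elif m.group('hex') is not None:
            ind['hex_strings'] += 1
            ind['decoded_strings'].append(decode_hex_string(m.group('hex')))
        elif re.search(r'\\[0-7]', m.group('lit')):
            ind['octal_strings'] += 1
            ind['decoded_strings'].append(decode_literal_string(m.group('lit')))
    for m in re.finditer(r'/Filter\s*\[([^\]]*)\]', norm):   # filter chains with 2+ filters
        ind['multi_filter'] += len(re.findall(r'/\S+', m.group(1))) >= 2
    ind['filter_params'] = len(re.findall('/DecodeParms' + END, norm))
    ind['hidden_markers'] = sorted(n for n in MARKERS if has(n, norm) and not has(n, src))
    return ind

# Constructed sample (not from the slides): encoded action names/strings and a three-filter chain.
SAMPLE = r"""5 0 obj << /Type /Action /S /Ja#76aScript /J#53 (\163\150\145\154\154) >> endobj
6 0 obj << /Length 120 /Fil#74er [ /Fl#61#74#65De#63#6f#64e /LZWDecode /RunLengthDecode ]
  /DecodeParms [ << /Predictor 12 /Columns 4 >> null null ] >> stream ... endstream endobj
7 0 obj << /Type /Catalog /Names << /Ja#76aScript 8 0 R >> /AcroForm 9 0 R >> endobj
8 0 obj << /Type /Action /S /Ja#76aScript /J#53 <7368656c6c636f6465> >> endobj
"""
```

Run obfuscation_indicators(SAMPLE) to see the report; the hidden_markers entry is the list of names a raw string scan would have missed.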
  • 34. Obfuscation and evasion techniques
    • Hiding Javascript code
      – Functions to obtain parts of the document
        • getAnnots()
        • getPageNumWords()/getPageNthWord()
        • …
    • Splitting up Javascript code
      – Several objects in /Names: /Names [(part1) 3 0 R (part2) 7 0 R (part3) 10 0 R]
  • 35. Obfuscation and evasion techniques
    • Duplicated objects
    • Updated objects
    • Malformed documents
      – Garbage bytes in the header
      – Bad version number (%PDF-1.0)
      – No xref table
      – No ending tags: endobj or endstream
  • 38. Obfuscation and evasion techniques
  • 41. Obfuscation and evasion techniques
    • Compressed objects (object streams)
      – Incompatible with malformed documents
    • Encryption
      – /Encrypt (streams and strings)
      – RC4 or AES (40-128 bits)
      – Default password
        • padding = “\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\x00\x4E\x56\xFF\xFA” + “\x01\x08\x2E\x2E\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\x53\x69\x7A”
        • password = password + padding[:32-len(password)]
        • password = ‘’ → password = padding
    • Nested PDFs
      – /EmbeddedFiles
  • 44. Obfuscation and evasion techniques
  • 46. Obfuscation and evasion techniques
  • 48. Obfuscation and evasion techniques
    • Mixing techniques
    • Summary:
      – Remove characteristic strings
      – Split up Javascript code (/Names)
      – If the code is in:
        • a string: octal encoding (\143\172)
        • a stream: filters (unusual ones, with parameters)
      – Compress (object streams)
      – Encrypt (default password)
      – Malform (endobj, header)
      – Nest PDFs
  • 50. Obfuscation vs. Antivirus
    • Better results
      – JS in string + octal + no characteristic strings
        • object stream
          – malformed + nested + filters with parameters (0/43)
            http://www.virustotal.com/file-scan/report.html?id=fbfd6df6a14f3cab3742d84af2b7d3d881ad11ef7d1344ba166092c890f47f77-1298457739
          – filters with parameters + malformed (0/43)
            http://www.virustotal.com/file-scan/report.html?id=5a963ca0d20e12851fae7b98bc0e9bcf28cc0e43a12ef33450cf3877b170fa67-1298154940
        • malformed: endobj, bad header (2/43)
          http://www.virustotal.com/file-scan/report.html?id=9759c500df94e2ccc243f00479967ddb77484203403b79e1523ea1148077b565-1298157405
        • encrypted (5/43)
          http://www.virustotal.com/file-scan/report.html?id=9e2195450ee4f2c15f27b3730fb09bf004cc4bd6ef848f039291d9eea0f6b69d-1298054113
    • Exploit working
  • 51. Obfuscation vs. Antivirus (antivirus: weak points)
    – AntiVir: JS in string, without JS strings
    – Avast: Embedded, no endobj, Flate params
    – AVG: Embedded, Flate params, characteristic strings, without JS strings
    – BitDefender: Characteristic strings, octal strings
    – ClamAV: Flate params, octal strings, bytes in header
    – DrWeb: Characteristic strings, octal strings
    – F-Secure: Split up JS code, octal strings, bytes in header, object streams
    – Fortinet: Flate params, split up JS code, bytes in header, metadata
    – GData: No endobj, Flate params
    – Kaspersky: Flate params, characteristic strings, split up JS code, object streams
    – McAfee: Execution with /Names, embedded, characteristic strings, hexadecimal names, octal strings, without JS strings
  • 52. Obfuscation vs. Antivirus (antivirus: weak points)
    – McAfee-GW: Flate params, characteristic strings, octal strings
    – Microsoft: Split up JS code, octal strings, bytes in header, object streams
    – NOD32: Embedded, characteristic strings, bad header (%PDF-1.0)
    – Panda: JS in string, without JS strings
    – Prevx: No detection
    – Sophos: Without JS strings, object stream + malformed endobj, encrypted
    – Symantec: Original detection as Downloader, JS in string, without JS strings
    – TrendMicro: No detection
    – VBA32: Characteristic strings
    – VirusBuster: No detection
  • 53. Obfuscation vs. Analysis tools (tool: comments)
    – Wepawet: No encryption support
    – PDFDissector: Commercial, not tested
    – PDFStreamDumper: Windows, errors with encryption, FlateDecode parameters
    – pdf-parser (Didier): Search in streams not supported, 3 filters, object streams and encryption not supported
    – OPAF: Framework, not tested, encryption not supported
    – Origami: Good framework (filters, object streams, encryption), you have to code your own tool (Ruby)
    – PDFExaminer: Does not analyse Javascript code and does not look for exploits in object streams and encrypted objects
    – malpdfobj: Based on PDFTools (Didier Stevens)
  • 55. peepdf
    • Characteristics
      – Python
      – Command line
      – Interactive console
      – Command file option
      – In its final development phase
      http://peepdf.eternal-todo.com
  • 57. peepdf
    • Analysis
      – Decoding: hexadecimal, octal, names
      – Most used filters (5)
      – References in objects and to objects
      – String search (including streams)
      – Physical structure (offsets)
      – Tree structure (logical)
      – Metadata
      – Changes between versions (changelog)
      – Compressed objects
      – Malformed documents support
      – Javascript analysis and modification (Spidermonkey)
        • unescape, replace, join
      – Shellcode analysis (sctest, Libemu)
      – Variables to improve analysis (set command)
      – Extraction of different versions
  • 58. peepdf
    • Creation/Modification
      – Basic PDF creation
      – Creation of PDF with Javascript execution
      – Object compression (object streams)
      – Nested PDFs creation
      – Malformed PDFs
      – String and name encoding
      – Filter modification
      – Object modification
  • 59. peepdf
    • TODO
      – Encryption
      – Nested PDFs analysis
      – Missing filters
      – Improve automatic Javascript analysis
      – GUI
  • 60. Conclusions
    • Very low detection when:
      – Nested PDFs
      – Compressed objects
      – New filters or filters with parameters
      – Encryption
    • Avoid detection by strings
    • Improve parsers
  • 61. Thanks
    • People working with PDF stuff:
      – Julia Wolf
      – Didier Stevens
      – Felipe Manzano (feliam)
      – Origami team
      – Brandon Dixon
      – …
  • 62. ???
  • 63. Thanks!!
    Jose Miguel Esparza
    jesparza eternal-todo.com
    jesparza s21sec.com
    http://eternal-todo.com
    @eternaltodo