Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
research tool for the analysis of malicious pdf documents. make sure to run the installer first to get all of the 3rd party dlls installed correctly. then goto the install directory and git the current source. Source is installed with the main installer. This is just for updates and version control.
Visual Basic C C# C++ JavaScript
branch: master
Failed to load latest commit information.
AS3_WebInstall added Tools->Download URL menu item
dependancies tools - flash decompress lzma (ZWS Header)
husk updated new husk to vs2008 and added x64 build.
iTextFilters misc fixes, ignores, line endings
libemu Now AV 0 detections: shellcode2exe now opens web page, sclog download…
mupdf misc fixes, ignores, line endings
plugins Now AV 0 detections: shellcode2exe now opens web page, sclog download…
scripts initial commit
unused moving to scivb_lite for bugfixes
xor_bruteforcer unmime handles crlf or lf data now. mnushellcode can now prompt for f…
.gitattributes misc fixes, ignores, line endings
.gitignore moving to scivb_lite for bugfixes
.todo.txt updated scivb_lite & lexer. FirstLine bugfix, highlight word on dblclick
CApplyFilters.cls small tweaks
CDisassembler.cls initial commit
CFunc.cls frmRefactor - ability to keep original func names +
CInstruction.cls initial commit
CPDFStream.cls frmJS.lvFuncs.SequentialRename right click, updated scivb and hexed
CPdfParser.cls frmJS.lvFuncs.SequentialRename right click, updated scivb and hexed
CScriptFunctions.cls autoswitch tabs if binary data (new option default on)
CSharpFilters.cls better message if no .NET version found
Form1.frm error streams - save all menu item
Form1.frx uses hexed.ocx now, added dependancies, bugfix in fso.bas
Form2.frm unmime handles crlf or lf data now. mnushellcode can now prompt for f…
Form2.frx updated scivb_lite & lexer. FirstLine bugfix, highlight word on dblclick
JS_UI_Readme.txt new right click menu options in build_db examine batch tab
Module4.bas long decompression detection, ability to escape it,
PDFStreamDumper.exe unmime handles crlf or lf data now. mnushellcode can now prompt for f…
Project1.vbp unmime handles crlf or lf data now. mnushellcode can now prompt for f…
Project1.vbw unmime handles crlf or lf data now. mnushellcode can now prompt for f…
Readme.txt view as image menu item, C# CCTIFaxDecode (from sun), simplified Appl…
_min_install_script.iss tools - flash decompress lzma (ZWS Header)
b64.bas unmime handles crlf or lf data now. mnushellcode can now prompt for f…
beautify.js initial commit
clsCmnDlg.cls moving to scivb_lite for bugfixes
frmAbout.frm added dedicated built in hexeditor for hex view tab and misc viewing..
frmAbout.frx beta support for JBIG2 and FaxDecode now integrated (bulk testing req…
frmBruteZLib.frm updated scivb_lite & lexer. FirstLine bugfix, highlight word on dblclick
frmBruteZLib.frx added quick zlib bruteforcer
frmFilterVisualizer.frm Main UI Cleanup code (thanks Darren!), CCTIFaxDecode now defaults to …
frmInlineDecoderCalls.frm moving to scivb_lite for bugfixes
frmInlineDecoderCalls.frx frmRefactor - ability to keep original func names +
frmManualFilters.frm updated scivb_lite & lexer. FirstLine bugfix, highlight word on dblclick
frmManualFilters.frx initial commit
frmRefactor.frm updated scivb_lite & lexer. FirstLine bugfix, highlight word on dblclick
frmReplace.frm moving to scivb_lite for bugfixes
frmScTest.frm long decompression detection, ability to escape it,
frmSclog.frm Now AV 0 detections: shellcode2exe now opens web page, sclog download…
frmSclog.frx initial commit
full_install_script.iss_ tools - flash decompress lzma (ZWS Header)
husk.dat misc fixes, ignores, line endings
husk.exe tweaked new_husk, drag and drop to some sc file fields, update sclog/…
iTextFilters.dll autoswitch tabs if binary data (new option default on)
iTextFilters.tlb misc fixes, ignores, line endings
java.hilighter moving to scivb_lite for bugfixes
js_api.txt moving to scivb_lite for bugfixes
lzma.bas tools - flash decompress lzma (ZWS Header)
lzma.exe tools - flash decompress lzma (ZWS Header)
modCrc.bas initial commit
modEscapes.bas moving to scivb_lite for bugfixes
mupdf.bas view as image menu item, C# CCTIFaxDecode (from sun), simplified Appl…
mupdf.dll fixed mem leak in jbig dll (my error), misc tweaks and bulk testing
myMain.js initial commit
sclog.exe Now AV 0 detections: shellcode2exe now opens web page, sclog download…
sclog_README.txt updated to new sclog
simple-fso..bas jsui.function list (column sort,rename,navigate,find refs, rescan), f…
simple_husk.dat uses hexed.ocx now, added dependancies, bugfix in fso.bas
userLib.js fixed bug in userlib.info class loader (ignore null entry),
zlib.dll added version of zlib.dll which is compatiable with win2k+ (previous …

Readme.txt


           PdfStream Dumper v.9.3xx

Developer: David Zimmer <dzzie@yahoo.com>
Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=57

Capabilities
--------------------------------------

	This tool is designed to allow you to parse and analyze PDF files in their raw format.
	It includes allot of features like being able to:
	
	- view all pdf objects
	- view deflated streams
	- view stream details such as file offsets, header, etc
	- save raw and deflated data
	- decompile Flash ActionScript 3 files with AS3 Sorcerer (Trial included) 
	- supports filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, 
                            ASCII85Decode, LZWDecode, FaxDecode, JBIG2Decode
        - supports filter chaining (ie multiple filters applied to same stream)
        - supports unescaping encoded pdf headers
	- search streams for strings
	- perform various types of manual escapes on selected data portions.
	- scan for functions which contain pdf exploits (dumb scan)
	- format javascript using js beautifier (see credits at end)
	- view streams as hex dumps
	- zlib compress/decompress arbitrary files
	- replace/update pdf streams with your own data
	- basic javascript interface so you can execute parts of embedded scripts
	- integrated UI for sclog shellcode analysis tool from idefense. (seperate install)
	- integrated UI for sctest shellcode analysis tool using libemu. (included in install)
	- js ui also has access to a toolbox class to do a bunch of things (dump to file etc)
	- decrypt encrypted pdf files (uses iTextSharp)
	- basic ability to rename obsfuscated javascript functions, arguments, and variables
	- can hide: header only streams, duplicate streams (by crc), selected streams
	
	This tool is useful for many things, it is free and open source.
	
	It does not parse pdfs fully, it basically just extracts obj streams and headers.
	
	I dont want to try to make it to smart, few assumptions means fewer places
	to try to break its analysis by malicious pdfs. Even if this means you have
	to manuallly apply more smarts when looking at it. 
	
	I am trying to keep this tool pretty raw so you can see their tricks yet
	still have the tools on hand to bypass them. 
	
	Decryption app is in C# using iTextSharp. It copies the contents of the owner
	password protected pdf into a new file and unencrypts it as it does so. 


Notes:
-----------------------------------------

	Some filters and the pdf decrypt features are optional
	they require .NET 2.0 (or above) installed. The app should run fine without
        them, just wont support these extra features.
	
	sclog (iDefense) and scdbg (libemu) shellcode analysis tools are included with the installer.
	
	 -----> sclog runs LIVE SHELLCODE so    <----
	 -----> ONLY USE IT ON A TEST MACHINE ! <---- (duh)
	
	scdbg is powered by libemu and analyzes shellcode in an emulation envirnoment
	so should be safe(r).

	If you find a pdf which pdfstreamdumper cant deal with, feel free to mail
	it in a password protected zip file to me at dzzie@yahoo.com


Command line options:
--------------------------------------------
	PdfStreamDumper currently only supports one command line option which is /extract

	usage: pdfstreamdumper "c:\blah blah\bad.pdf" /extract "c:\some folder"

        When run in this mode, it will load the pdf file (interface visible) extract all of
        of the streams it could process without error to the folder specified and then exit.

	The folder need not exist, it will build the path to it if it can. The files will be 
	named stream_x.ext where ext is the relevant file type extension if it can be determined.


Hot Keys and other Behaviors:
---------------------------

	main form left hand listview supports coloring based on stream types, use mouseover to
	see tooltip, or use Tools->About lv Colors to see color map info.
	
	this listview also supports some hot keys. 
	Ctrl-a = select all
	ctrl-n = select none
	ctrl-d = deleted selected (no changes are made to the pdf)
	ctrl-i = invert selection
	
	these are useful with the listview right click menu options to save streams because these
	menu items work on all streams in the listview itself.
	
	also the Search menu item will auto select all the matches it finds in this main listview too
	in case you want to select all fonts and then save them the streams you are only a couple clicks
	away regardless of how many are in the file. 
	
	once you trim out the list, you can reload it anytime by clicking the load button again.
	
	also check out the Tools->options menu where you can auto hide duplicate streams, and header only
	streams. (you probably wan to view headers by default)
	
	Example: 
	--------------------
	  How do I extract all of the unique fonts in a decompressed format from a 
	  pdf quickly if the pdf has hundreds of objects?
	
	  1) make sure the tools->options->hide duplicate streams option is set
	  2) click the search_for->TTF Fonts This will select all fonts in main list.
	  3) right click on one of the selected fonts in the main list (on left) 
	      and choose the menu option to hide unselected
	  4) right click on main list (which only contains the fonts now) and choose
	      save all decompressed streams
	
	  To reload all of the streams again, just click the load button to start over.


Source Code and projects
---------------------------------------

	Source code is included with this installer. 
	You will find a \source directory on the start menu entry with the
	project files. 
	
	latest source can always be pulled from github:

	pdfstreamdumper https://github.com/dzzie/pdfstreamdumper
        sclog           https://github.com/dzzie/sclog
	scdbg
	 - vc/win32     https://github.com/dzzie/VS_LIBEMU
         - gcc/*nix     https://github.com/dzzie/SCDBG

Credits:
---------------------------

	Original stream parser was written by by VBboy136 - 12/9/2008
	http://www.codeproject.com/KB/DLL/PDF2TXTVB.aspx
	
	Scintilla by Neil Hodgson [neilh@scintilla.org] 
        http://www.scintilla.org/

        ScintillaVB by Stu Collier
        http://www.ceditmx.com/software/scintilla-vb/

	AS3 Sorcerer Trial provided courtesy of Manitu Group. 
	http://www.as3sorcerer.com/

	JS Beautify by Einar Lielmanis, <einar@jsbeautifier.org>_
	conversion to Javascript code by Vital, <vital76@gmail.com>
	http://jsbeautifier.org/
	
	zlib.dll by Jean-loup Gailly and Mark Adler
	http://www.zlib.net/
	
	CRC32 code by Steve McMahon
	http://www.vbaccelerator.com/home/vb/code/libraries/CRC32/article.asp
	
	iTextDecode/iTextFilters use iTextSharp by Bruno Lowagie and Paulo Soares
	http://itextpdf.com/terms-of-use/index.php
	
	olly.dll GPL code Copyright (C) 2001 Oleh Yuschuk.
	http://home.t-online.de/home/Ollydbg/
        http://sandsprite.com/CodeStuff/olly_dll.html
	
	MuPDF is released under GPL and Copyright 2006-2012 Artifex Software, Inc.
	http://www.mupdf.com/

        CCTIFaxDecoder copyright Sun MicroSystems and intarsys consulting GmbH.
	http://java.net/projects/pdf-renderer/
  
	libemu written by Paul Baecher and Markus Koetter 2007.	
	http://libemu.carnivore.it/about.html

	scdbg homepage
	http://sandsprite.com/blogs/index.php?uid=7&pid=152
	
        sclog is a tool i wrote back at iDefense (no longer available on their site)
        https://github.com/dzzie/sclog

	Interface by dzzie@yahoo.com 
	http://sandsprite.com
	
	Other thanks to Didier Stevens for the info on his blog on tags and encodings.
	http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways
	
Something went wrong with that request. Please try again.