Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
May 16, 2023 08:59
May 16, 2023 08:59
August 25, 2017 07:30
February 22, 2014 06:54
August 25, 2017 07:30
March 31, 2011 12:44
March 31, 2011 12:44
May 16, 2023 08:59
May 16, 2023 08:59
May 16, 2023 08:59
March 31, 2011 12:44
August 17, 2017 20:19
March 31, 2011 12:44
August 17, 2017 20:19
March 31, 2011 12:44
August 25, 2017 07:30
March 31, 2011 12:44
March 31, 2011 12:44
August 25, 2017 07:30
August 25, 2017 07:30
September 17, 2012 19:43
May 16, 2023 08:59

           PdfStream Dumper v.9.3xx

Developer: David Zimmer <>


	This tool is designed to allow you to parse and analyze PDF files in their raw format.
	It includes allot of features like being able to:
	- view all pdf objects
	- view deflated streams
	- view stream details such as file offsets, header, etc
	- save raw and deflated data
	- decompile Flash ActionScript 3 files with AS3 Sorcerer (Trial included) 
	- supports filters: FlateDecode, RunLengthDecode, ASCIIHEXDecode, 
                            ASCII85Decode, LZWDecode, FaxDecode, JBIG2Decode
        - supports filter chaining (ie multiple filters applied to same stream)
        - supports unescaping encoded pdf headers
	- search streams for strings
	- perform various types of manual escapes on selected data portions.
	- scan for functions which contain pdf exploits (dumb scan)
	- format javascript using js beautifier (see credits at end)
	- view streams as hex dumps
	- zlib compress/decompress arbitrary files
	- replace/update pdf streams with your own data
	- basic javascript interface so you can execute parts of embedded scripts
	- integrated UI for sclog shellcode analysis tool from idefense. (seperate install)
	- integrated UI for sctest shellcode analysis tool using libemu. (included in install)
	- js ui also has access to a toolbox class to do a bunch of things (dump to file etc)
	- decrypt encrypted pdf files (uses iTextSharp)
	- basic ability to rename obsfuscated javascript functions, arguments, and variables
	- can hide: header only streams, duplicate streams (by crc), selected streams
	This tool is useful for many things, it is free and open source.
	It does not parse pdfs fully, it basically just extracts obj streams and headers.
	I dont want to try to make it to smart, few assumptions means fewer places
	to try to break its analysis by malicious pdfs. Even if this means you have
	to manuallly apply more smarts when looking at it. 
	I am trying to keep this tool pretty raw so you can see their tricks yet
	still have the tools on hand to bypass them. 
	Decryption app is in C# using iTextSharp. It copies the contents of the owner
	password protected pdf into a new file and unencrypts it as it does so. 


	Some filters and the pdf decrypt features are optional
	they require .NET 2.0 (or above) installed. The app should run fine without
        them, just wont support these extra features.
	sclog (iDefense) and scdbg (libemu) shellcode analysis tools are included with the installer.
	 -----> sclog runs LIVE SHELLCODE so    <----
	 -----> ONLY USE IT ON A TEST MACHINE ! <---- (duh)
	scdbg is powered by libemu and analyzes shellcode in an emulation envirnoment
	so should be safe(r).

	If you find a pdf which pdfstreamdumper cant deal with, feel free to mail
	it in a password protected zip file to me at

Command line options:
	PdfStreamDumper currently only supports one command line option which is /extract

	usage: pdfstreamdumper "c:\blah blah\bad.pdf" /extract "c:\some folder"

        When run in this mode, it will load the pdf file (interface visible) extract all of
        of the streams it could process without error to the folder specified and then exit.

	The folder need not exist, it will build the path to it if it can. The files will be 
	named stream_x.ext where ext is the relevant file type extension if it can be determined.

Hot Keys and other Behaviors:

	main form left hand listview supports coloring based on stream types, use mouseover to
	see tooltip, or use Tools->About lv Colors to see color map info.
	this listview also supports some hot keys. 
	Ctrl-a = select all
	ctrl-n = select none
	ctrl-d = deleted selected (no changes are made to the pdf)
	ctrl-i = invert selection
	these are useful with the listview right click menu options to save streams because these
	menu items work on all streams in the listview itself.
	also the Search menu item will auto select all the matches it finds in this main listview too
	in case you want to select all fonts and then save them the streams you are only a couple clicks
	away regardless of how many are in the file. 
	once you trim out the list, you can reload it anytime by clicking the load button again.
	also check out the Tools->options menu where you can auto hide duplicate streams, and header only
	streams. (you probably wan to view headers by default)
	  How do I extract all of the unique fonts in a decompressed format from a 
	  pdf quickly if the pdf has hundreds of objects?
	  1) make sure the tools->options->hide duplicate streams option is set
	  2) click the search_for->TTF Fonts This will select all fonts in main list.
	  3) right click on one of the selected fonts in the main list (on left) 
	      and choose the menu option to hide unselected
	  4) right click on main list (which only contains the fonts now) and choose
	      save all decompressed streams
	  To reload all of the streams again, just click the load button to start over.

Source Code and projects

	Source code is included with this installer. 
	You will find a \source directory on the start menu entry with the
	project files. 
	latest source can always be pulled from github:

	 - vc/win32
         - gcc/*nix


	Original stream parser was written by by VBboy136 - 12/9/2008
	Scintilla by Neil Hodgson []

        ScintillaVB by Stu Collier

	AS3 Sorcerer Trial provided courtesy of Manitu Group.

	JS Beautify by Einar Lielmanis, <>_
	conversion to Javascript code by Vital, <>
	zlib.dll by Jean-loup Gailly and Mark Adler
	CRC32 code by Steve McMahon
	iTextDecode/iTextFilters use iTextSharp by Bruno Lowagie and Paulo Soares
	olly.dll GPL code Copyright (C) 2001 Oleh Yuschuk.
	MuPDF is released under GPL and Copyright 2006-2012 Artifex Software, Inc.

        CCTIFaxDecoder copyright Sun MicroSystems and intarsys consulting GmbH.
	libemu written by Paul Baecher and Markus Koetter 2007.

	scdbg homepage
        sclog is a tool i wrote back at iDefense (no longer available on their site)

	Interface by
        WinGraphViz OOD Tsen

        GraphViz - AT&T Labs

	Other thanks to Didier Stevens for the info on his blog on tags and encodings.

        HexEd hexeditor control codebase by Rang3r

        Microsoft Script Decoder (c)2000/2001 MrBrownstone



research tool for the analysis of malicious pdf documents. make sure to run the installer first to get all of the 3rd party dlls installed correctly.






No packages published