Execution

Jose Miguel Esparza edited this page Apr 15, 2015 · 2 revisions

Execution


``` Usage: ./peepdf.py [options] PDF_file

Options: -h, --help show this help message and exit -i, --interactive Sets console mode. -s SCRIPTFILE, --load-script=SCRIPTFILE Loads the commands stored in the specified file and execute them. -c, --check-vt Checks the hash of the PDF file on VirusTotal. -f, --force-mode Sets force parsing mode to ignore errors. -l, --loose-mode Sets loose parsing mode to catch malformed objects. -m, --manual-analysis Avoids automatic Javascript analysis. Useful with eternal loops like heap spraying. -u, --update Updates peepdf with the latest files from the repository. -g, --grinch-mode Avoids colorized output in the interactive console. -v, --version Shows program's version number. -x, --xml Shows the document information in XML format.


There are four possible ways of execution:

  * [Basic execution](#basic-execution)
  * [Interactive console](#interactive-console)
  * [Batch mode](#batch-mode)
  * [XML Output](#xml-output)

All of them accept two parameters to ignore errors and continue with the analysis and deal with malformed objects:

  * _-f_: ignores errors and continues with the analysis of the document. It's useful to analyse malicious documents.
  * _-l_: does not search for the _endobj_ tag during the parsing process, so it can be useful when the analysed document is malformed.

Also, there are three more parameters:

  * _-g_: avoids colorized output.
  * _-c_: checks the hash of the PDF file on VirusTotal.
  * _-m_: avoids performing any automatic Javascript analysis. This can be helpful when the analysis does not end due to a endless loop in the Javascript code.

Before executing peepdf it is recommended to try to update it, just in case there are new changes in the project. See the next section to know how to do it.


### Updating peepdf ###
In order to update the tool you can just use the _-u_ parameter:

$ ./peepdf.py -u

[-] Checking if there are new updates... [+] There are new updates!! [-] Getting paths from the repository... [+] Done [-] Getting local files information... [+] Done [-] Checking files... [+] File "JSAnalysis.py" updated successfully [+] File "PDFConsole.py" updated successfully [+] File "PDFCore.py" updated successfully [+] File "PDFCrypto.py" updated successfully [+] File "PDFFilters.py" updated successfully [+] File "PDFUtils.py" updated successfully [+] File "README" updated successfully [+] File "peepdf.dtd" updated successfully [+] File "peepdf.py" updated successfully [+] peepdf updated successfully to v0.2 r191

<br />

### Basic execution ###
If we only want to know the information about objects, streams, vulnerabilities, etc, without executing any commands the correct way of execution would be the following:

$ ./peepdf.py sample.pdf

File: sample.pdf MD5: f77cca021c686f1ebe5c98cbfaa8c53a Size: 1312 bytes Version: 1.1 Binary: False Linearized: False Encrypted: False Updates: 0 Objects: 8 Streams: 2 Comments: 0 Errors: 0

Version 0: Catalog: 2 Info: 8 Objects (8): [1, 2, 3, 4, 5, 6, 7, 8] Streams (2): [1, 5] Encoded (0): [] Suspicious elements: /OpenAction: [2] /JS: [6] /JavaScript: [6]

<br />
### Interactive console ###
The normal way of execution of the interactive console is giving a PDF file to analyse:

$ ./peepdf.py -i sample.pdf

File: sample.pdf MD5: f77cca021c686f1ebe5c98cbfaa8c53a Size: 1312 bytes Version: 1.1 Binary: False Linearized: False Encrypted: False Updates: 0 Objects: 8 Streams: 2 Comments: 0 Errors: 0

Version 0: Catalog: 2 Info: 8 Objects (8): [1, 2, 3, 4, 5, 6, 7, 8] Streams (2): [1, 5] Encoded (0): [] Suspicious elements: /OpenAction: [2] /JS: [6] /JavaScript: [6]

PPDF>

<br />
When we see the _PPDF>_ prompt we can launch the different commands (commands documentation [here](Commands)):

PPDF> help

Documented commands (type help ):

bytes exit js_join quit set
changelog filters js_unescape rawobject show
create hash js_vars rawstream stream
decode help log references tree
decrypt info malformed_output replace vtcheck
embed js_analyse metadata reset xor
encode js_beautify modify save xor_search encode_strings js_code object save_version encrypt js_eval offsets sctest
errors js_jjdecode open search

<br />
Also, it's possible to launch the interactive console wihout specifying any PDF file:

$ peepdf.py -i

PPDF>

<br />
But now we cannot launch all the commands until a PDF file has been opened, but we can execute Javascript and shellcodes, encode/decode contents, etc. The available commands will be the following:

create decode encode exit help js_analyse js_beautify js_eval js_jjdecode js_join js_unescape js_vars log malformed_output open quit replace reset sctest set show vtcheck xor xor_search

<br />
### Batch mode ###
Instead of executing peepdf as an interactive console it is also possible to execute it in batch mode in order to perform automatic analysis. So after creating a file with the commands we want to execute:

$ cat command_file.txt tree offsets


we should execute the tool this way:

$ ./peepdf.py -s command_file.txt sample.pdf

/Catalog (2) /Pages (3) /Page (4) /Pages (3) stream (5) /Annot (7) stream (1) /Action /JavaScript (6) /Info (8) stream (1)

   0 Header
  10
    Object  1 (58)
  67
  70
    Object  2 (67)
 136
 139
    Object  3 (57)
 195
 198
    Object  4 (264)
 461
 464
    Object  5 (139)
 602
 605
    Object  6 (180)
 784
 787
    Object  7 (227)
1013
1016
    Object  8 (35)
1050
1053
    Xref Section (188)
1240
1242
    Trailer (64)
1305
1306 EOF
<br />
### XML Output ###
Additionaly, it's possible to obtain the same information provided in the [basic execution](#Basic_execution) in XML format thanks to the -x option (combined with -fl if needed). The associated DTD can be found [here (peepdf.dtd)](http://peepdf.googlecode.com/svn/trunk/peepdf.dtd).

$ ./peepdf.py -flx 517fe6ba9417e6c8b4d0a0b3b9c4c9a9 <peepdf_analysis url="http://peepdf.eternal-todo.com" version="0.1 r92" author="Jose Miguel Esparza"> 2012-03-24 17:09 517fe6ba9417e6c8b4d0a0b3b9c4c9a9 517fe6ba9417e6c8b4d0a0b3b9c4c9a9 abf382f076f8a021dbf82aca425b152d172fa5ca fa32485935ab75d09cae7d52f5251fb6620813205fb45a1b05d91e23b56068a1 80577 <pdf_version>1.7</pdf_version> 0 <num_objects>16</num_objects> <num_streams>5</num_streams> 0 <error_message>%%EOF not found</error_message> <js_objects> <container_object id="15"/> </js_objects> <suspicious_elements> <container_object id="4"/> <container_object id="4"/> <container_object id="14"/> <container_object id="14"/> CVE-2009-3953 CVE-2009-3959 CVE-2011-2462 <container_object id="10"/> </suspicious_elements> <suspicious_urls/> </peepdf_analysis>

Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.