Hacking PDF
Training Brucon 2013 Gent
didier@DidierStevensLabs.com
Didier Stevens
Renowned Malicious PDF Expert
Author Of Popular Free PDF Tools
30+ Years Of Hacking
2 Days Training
Day 1: PDF Language & Analysis
Day 2: PDF Creation
Day 1: PDF Language Intro
Example of PDF Language Intro
String obfuscation
/JS (app.alert({cMsg: 'Hello from PDF JavaScript'});)
/JS <61 70 70 2E 61 6C 65 72 74 28 7B 63 4D 73 67 3A
20 27 48 65 6C 6C 6F 20 66 72 6F 6D 20 50 44 46
20 4A 61 76 61 53 63 72 69 70 74 27 7D 29 3B>
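The two /JS values above are the same JavaScript, once as a literal string and once as a hex string, so a byte signature written for one form does not see the other. The Python below is an added example, not code from the slides or from the author's tools: it decodes both string forms (and octal escapes, a generalisation beyond the slide) so the script can be inspected after normalisation. Function names are hypothetical, and it assumes the key is written as plain /JS with a direct string value.

```python
import re

WS = rb"[\x00\t\n\x0c\r ]"                      # PDF whitespace characters
_JS_KEY = re.compile(rb"/JS" + WS + rb"*(?=[(<])")
_OCTAL = re.compile(rb"[0-7]{1,3}")
# Single-character escapes allowed inside a literal (...) string.
_ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
            b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_hex_string(body: bytes) -> bytes:
    """Decode the inside of a <...> hex string; whitespace is ignored."""
    digits = re.sub(WS, b"", body)
    if re.search(rb"[^0-9A-Fa-f]", digits):
        raise ValueError("non-hex character in hex string")
    if len(digits) % 2:
        digits += b"0"                           # odd length: final digit is 0
    return bytes.fromhex(digits.decode("ascii"))


def decode_literal_string(body: bytes) -> bytes:
    """Decode the inside of a (...) literal string, resolving escapes."""
    out, i = bytearray(), 0
    while i < len(body):
        c = body[i:i + 1]
        i += 1
        if c != b"\\":
            out += c
            continue
        nxt = body[i:i + 1]
        m = _OCTAL.match(body, i)
        if m:                                    # \ddd octal character code
            out.append(int(m.group(), 8) & 0xFF)
            i = m.end()
        elif nxt in (b"\r", b"\n"):              # backslash + EOL: continuation
            i += 2 if body[i:i + 2] == b"\r\n" else 1
        else:                                    # unknown escape: drop backslash
            out += _ESCAPES.get(nxt, nxt)
            i += 1
    return bytes(out)


def extract_js_strings(obj: bytes) -> list:
    """Return the decoded value of every /JS key holding a direct string."""
    found = []
    for m in _JS_KEY.finditer(obj):
        start = m.end()
        if obj[start:start + 1] == b"<":
            end = obj.find(b">", start)
            if obj[start:start + 2] == b"<<" or end == -1:
                continue                         # dictionary or unterminated
            found.append(decode_hex_string(obj[start + 1:end]))
            continue
        depth, i = 0, start                      # literal: balance parentheses
        while i < len(obj):
            ch = obj[i:i + 1]
            if ch == b"\\":
                i += 2                           # skip the escaped character
                continue
            depth += (ch == b"(") - (ch == b")")
            if depth == 0:
                found.append(decode_literal_string(obj[start + 1:i]))
                break
            i += 1
    return found


# The slide's two forms, plus a constructed octal-escaped variant.
LITERAL = b"/JS (app.alert({cMsg: 'Hello from PDF JavaScript'});)"
HEX = (b"/JS <61 70 70 2E 61 6C 65 72 74 28 7B 63 4D 73 67 3A\n"
       b"20 27 48 65 6C 6C 6F 20 66 72 6F 6D 20 50 44 46\n"
       b"20 4A 61 76 61 53 63 72 69 70 74 27 7D 29 3B>")
OCTAL = rb"/JS (\141pp.alert\050{cMsg: 'Hello from PDF JavaScript'}\051;)"

if __name__ == "__main__":
    for sample in (LITERAL, HEX, OCTAL):
        print(b"app.alert" in sample, extract_js_strings(sample))
```

A raw search for `app.alert` matches only the first sample; after decoding, all three yield the same script.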
Day 1: Simple Analysis Exercises
20 simple exercises with benign PDFs*
Understanding malicious PDFs
Getting familiar with PDF analysis tools:
pdfid
pdf-parser
…
*You also get my screencasts for these simple exercises
Day 1: Simple Analysis Exercises
Example: extracting payload from PDF
pdf-parser.py -s /EmbeddedFile ex013.pdf
pdf-parser.py -o 8 -f -d file.exe ex013.pdf
Day 1: Complex Analysis Exercises
The Real Deal
Analyzing “in the wild” PDF malware
5+ exercises
Day 1: Complex Analysis Exercises
Example:
3-The Obama Administration and the Middle East.pdf.zip
Learn to find the exploit, extract the shellcode and
analyze it with shellcode simulator
Day 2: PDF Creation
A full day learning how to
create PDFs
“For Fun and Profit”
with Python tools
Day 2: PDF Creation
You receive my
Private
PDF Creation Tools
Day 2: PDF Creation
Receive private mPDF module + documentation
Create New PDFs
Modify Existing PDFs
All from Python, no Adobe products required
Day 2: PDF Creation
Receive many private
PDF creation & modification tools
Example:
t-modify-pdf-incremental-update.py
Learn to modify Mandiant_APT1_Report.pdf
Day 2: PDF Creation
Example:
PDF fuzzer to find vulnerabilities in PDF readers
Smart Fuzzing of JPEG embedded in PDF
Creation Exercises
Learn how to use my private
shellcode for PDFs
Day 2: PDF Creation
Learn how to bypass AV and IDS detection
with PDF obfuscation
Day 2: PDF Creation
Learn the internal details of my /Launch exploit
and use the automated creation tool
Summary
Learn how to analyze and create PDFs
in 2 days from a malicious pdf expert
Receive many of my private, unreleased tools
No need to be a Python expert,
just have basic skills to modify a Python script
No shellcode skills needed
Questions?
Contact me:
didier@DidierStevensLabs.com
@DidierStevens

Teaser Brucon 2013 Hacking PDF Training


Editor's notes

  1. Check each exercise PDF document with PDFiD and pdf-parser.
     Password for encrypted ZIP files: infected

     ex001.pdf: plain text PDF document without JavaScript
       pdf-parser.py ex001.pdf
     ex002.pdf: PDF document without JavaScript, text is compressed (FlateDecode)
       pdf-parser.py -o 5 -f ex002.pdf
     ex003.pdf: PDF document without JavaScript, text is compressed (FlateDecode & ASCIIHexDecode)
       pdf-parser.py -o 5 -f ex003.pdf
     ex004.pdf: PDF document with JavaScript, without action
       pdf-parser.py -o 7 ex004.pdf
     ex005.pdf: PDF document with JavaScript, with open action
       pdf-parser.py -o 7 ex005.pdf
     ex006.pdf: PDF document with JavaScript, with open action, JavaScript is compressed
       pdf-parser.py -o 8 -f ex006.pdf
     ex007.pdf: PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed
       pdf-parser.py -o 8 -f ex007.pdf
     ex008.pdf: PDF document with JavaScript, with open action, JavaScript is obfuscated and compressed
       pdf-parser.py -o 8 -f ex008.pdf
     ex009.pdf: PDF document with JavaScript, with open action, JavaScript is obfuscated via annotation and compressed
       pdf-parser.py -o 9 -f ex009.pdf
     ex010.pdf: PDF document with JavaScript, with open action, JavaScript is obfuscated via object stream
       pdf-parser.py -o 1 -f ex010.pdf
     ex011.pdf: PDF document with JavaScript, with open action, JavaScript triggers util.printf bug
       pdf-parser.py -o 7 ex011.pdf
     ex012.pdf: PDF document with JavaScript, with open action, JavaScript executes heap spray and triggers util.printf bug
       pdf-parser.py -o 7 ex012.pdf
     ex013.pdf: PDF document with embedded file
       pdf-parser.py -o 8 -f -d file.exe ex013.pdf
     ex014.pdf: Malformed PDF document with file appended at the end
       pdf-parser.py -x file.exe ex014.pdf
     ex015.pdf: PDF document with JavaScript in AcroForm
       pdf-parser.py -o 8 -f ex015.pdf
     ex016.pdf: PDF document with metadata XML-bomb (small), trigger with JavaScript
       pdf-parser.py -o 7 -f ex016.pdf
     ex017.pdf: PDF document with JavaScript, with open action, JavaScript switches to full screen
       pdf-parser.py -o 7 ex017.pdf
     secret.pdf: PDF document with /Launch action and embedded executable
       pdf-parser.py -o 7 secret.pdf
     ex019.pdf: PDF document with JavaScript, with open action, PDF document is encrypted with owner password
       qpdf --decrypt ex019.pdf ex019-decrypted.pdf
       pdf-parser.py -o 2 ex019-decrypted.pdf
     ex020.pdf: PDF document with JavaScript, with open action, PDF document is encrypted with user password (password is secret)
       qpdf --decrypt --password=secret ex020.pdf ex020-decrypted.pdf
       pdf-parser.py -o 2 ex020-decrypted.pdf