PDF Attack: A Journey from the Exploit Kit to the Shellcode (Slides)
As I announced in the last blog post, I was in Las Vegas at BlackHat giving a workshop on how to analyze exploit kits and PDF documents. The exploit kit part included some tips for manually analyzing obfuscated Javascript code to obtain the exploit URLs and/or shellcodes. The only tools needed for this are a text editor, a Javascript engine like Spidermonkey, Rhino or PyV8, and some tool to beautify the code (like peepdf ;p). In general, the steps to analyze an exploit kit page are the following:
- Remove unnecessary HTML tags
- Convert the HTML elements referenced from the Javascript code into Javascript variables
- Find and replace eval calls with prints, for example, or hook the eval function if the engine allows it (PyV8)
- Execute the Javascript code
- Beautify the code
- Find shellcodes and exploit URLs
- Repeat if necessary
In the second part of the session I focused on analyzing PDF files with the help of peepdf, showing the new functionalities, like the new vtcheck command to check the hashes of the file, objects, shellcodes, etc. on VirusTotal. As I mentioned, all the exercises were practical, using real malicious PDF files found in the wild to show and solve the most common problems you can run into when analyzing a PDF document.
The last minutes of the workshop were dedicated to showing peepdf's obfuscation capabilities. I created some custom PDF files using encryption, compression, encodings and embedding in another PDF file to hinder analysis and obfuscate the documents.
These are the slides of the workshop; you can download them from here:
I have not released a new version or package of peepdf this time, because I want to include some more fixes and functionalities first, but you can update with -u to get the new stuff. Remember that I have replaced Spidermonkey with PyV8 as the Javascript engine; I hope it works better now ;)
Good Presentation. Thanks for the details surrounding pdf attack