Language: Python

Publication date: 2009-03-17

Description: This script compresses or decompresses a specified string or file using the zlib library and writes the result to standard output. If the input is a file and the method is decompression, the script looks for streams compressed with the /FlateDecode filter, so it is focused on PDF files. If there are no filters in the file, the whole file is treated as a stream.





Usage: zlibStreams -c|-d target
target: the string or file to be de/compressed.
-c: compress
-d: decompress


# zlibStreams -c "Hello World"


# zlibStreams -c "Hello World" > test
# zlibStreams -d test
Hello World


# zlibStreams -d myPOC.pdf



Hiding information in a PDF

I'm gonna stop writing about actions in PDFs to begin with the filters that can be applied to stream objects. A stream object is composed of a dictionary followed by the real content between the keywords stream and endstream. The dictionary defines the stream's properties, such as its size, the filters to apply in order to decode/decompress it, or the file name when the stream is located in an external file.

As you might suppose, one way to hide information in a PDF file is to apply one or more filters to it, which makes the content harder to identify and harder to extract. In fact, this is a usual technique in most of the malicious files that try to exploit some of the latest vulnerabilities.
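To make the stream layout concrete from the analyst's side, here is an added example (not the zlibStreams script and not code from the original post) that walks the stream objects in a byte string and inflates the /FlateDecode ones. It goes slightly beyond the text by undoing #xx escapes in names and capping the decompressed size; the function names, the regex-based parsing and the sample document are assumptions made for illustration.

```python
import re
import zlib

# One stream object: "<< dictionary >> stream EOL data endstream".
# The (?!endobj) guard keeps the dictionary match inside a single object.
STREAM_RE = re.compile(
    rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)endstream", re.DOTALL)
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(dictionary):
    """Undo #xx escapes so /Fl#61teDecode reads /FlateDecode (detection only)."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), dictionary)


def inflate_streams(data, max_out=1 << 20):
    """Return a (status, payload) tuple per stream; status is one of
    "inflated", "truncated" (hit max_out), "error" or "unfiltered"."""
    results = []
    for match in STREAM_RE.finditer(data):
        dictionary, raw = normalize_names(match.group(1)), match.group(2)
        if b"/FlateDecode" not in dictionary:
            results.append(("unfiltered", raw.rstrip(b"\r\n")))
            continue
        inflater = zlib.decompressobj()
        try:
            # max_length bounds memory if a stream is a decompression bomb.
            out = inflater.decompress(raw, max_out)
        except zlib.error as exc:
            results.append(("error", str(exc).encode()))
            continue
        status = "truncated" if inflater.unconsumed_tail else "inflated"
        results.append((status, out))
    return results


def build_sample():
    """Constructed sample: catalog, Flate stream (escaped name), plain stream."""
    packed = zlib.compress(b"hidden text (constructed sample)")
    return (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(packed)).encode() +
            b" /Filter /Fl#61teDecode >>\nstream\n" + packed +
            b"\nendstream\nendobj\n"
            b"3 0 obj\n<< /Length 5 >>\nstream\nplain\nendstream\nendobj\n")


if __name__ == "__main__":
    for status, payload in inflate_streams(build_sample()):
        print(status, payload)
```

A regular expression is enough for simple files like the sample; streams with chained filters or an external file reference need a real PDF parser.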
