August 26, 2010
This is an example use of the opaflib. The script described here use opaflib to get some statistics about the different PDF objects that appear in you file stash. This 2 charts show the appearing frequencies of Filters and Object types in a 10Mbyte small database of a random pdf selection.
So it is better for your fuzzing base that this numbers seem even, otherwise you’ll be testing the same thing over and over.
Keep reading for more exciting details!!! WEEEEEEEEEEEE!
Read the rest of this entry »
August 23, 2010
It’s an Open PDF Analysis Framework!
Keep reading for a test run…
Read the rest of this entry »
August 22, 2010
As discussed in earlier posts the problem with PDF is that we can not apply an out-of-the-box scanner/parser design pattern. It won’t let you scan it properly. The size of a PDF stream is hard to be decided at scanner/lexer time. I’ve suggested the solution of escaping the “endstream” keyword. Also other patches emerged like, forcing the /Length keyword to be direct. Or calculate every object size using XREFs pointers (assuming not garbage between the objs (which in fact is what the spec says)).
Well in any case if you manage to run a lexer and tokenize it here you have the parsing grammar … weeee!!
object : NAME | STRING | HEXSTRING | NUMBER | TRUE | FALSE | NULL | R | dictionary | array dictionary : DOUBLE_LESS_THAN_SIGN dictionary_entry_list DOUBLE_GREATER_THAN_SIGN dictionary_entry_list : NAME object dictionary_entry_list | empty array : LEFT_SQUARE_BRACKET object_list RIGHT_SQUARE_BRACKET object_list : object object_list | empty indirect : indirect_object_stream | indirect_object indirect_object : OBJ object ENDOBJ indirect_object_stream : OBJ dictionary STREAM_DATA ENDOBJ xref : indirect_object_stream | XREF TRAILER dictionary pdf : HEADER pdf_update_list pdf_update_list : pdf_update_list body xref pdf_end | body xref pdf_end body : body indirect_object | body indirect_object_stream | empty pdf_end : STARTXREF EOF
August 6, 2010
In an attempt to irrevocably declare my insanity I went into the details of making a PDF lexer the most strict to the specification I can. This post is about making a Portable File Format lexer in python using the PLY parser generator. This lexer is based on the ISO 32000-1 standard. Yes! PDF is an ISO standard, see.
In a PDF we have hexstrings and strings, numbers, names, arrays, references and null, booleans, dictionaries, streams and the file structure entities (the header, the trailer dictionary, the eof mark, the startxref mark and the crossreference). We are going to describe in detail all the tokens needed to define the named entities. You’ll probably want to take a look on how a parser is written in PLY at this simple example.
Before we go into the really really really boring stuff, let’s do a quick demonstration of it’s value…
Let’s pick a random PDF out there… hmm.. for example jailbrakeme.pdf. Then grab the already done lexer here and run it like this…
it should output something like this…
It marks the position of every object!!! WOW!!!!!!