Update 22 Nov 2011: My former employer (General Dynamics Advanced Information Systems) believes that it owns the intellectual property associated with this project. After well over a year of their being aware of its creation entirely on my own time, its distribution under the GPL, and even its inclusion in their approved training materials as FOSS, they have requested that I remove any downloads from this site. I completely disagree with them and I believe they are mistaken. However, given the availability of other similar tools it's probably no significant loss to the OS community to simply remove the downloads for this project to save everyone some hassle. If you disagree you're welcome to make it known to them when you have the opportunity. If you need a good and free GUI PDF analysis tool you may want to look up PDF Stream Dumper: http://www.woodmann.com/collaborative/tools/index.php/PDF_Stream_Dumper You stay classy, GD.
Summary
PDFubar is a GUI PDF analysis tool. The goal is to help expose the PDF structure using a convenient and easy-to-use interface. The following projects made this tool possible:
Check out the links on the right to learn more about any of these projects.

Installation
Binary (easy route, Windows only): Download and extract the win32 build someplace, then execute pdfubar.exe.
Source: Download and extract the src archive to any location. Then install the following:
Usage
Run pdfubar. You will be prompted to select a file, at which point you should select the PDF you want to analyze. Once the GUI comes up you'll see a number of objects on the left-hand side. Select any of these objects to view the report printout from pdf-tools, the text view, or the hex view. You may also see any yara signature hits in the log view at the bottom of the window. The signatures used were taken from the jsunpack-n project. For streams that were decompressed, there is a child object listed called 'raw' that is the same data prior to decompression. If there were errors, the type column will have "/error" appended; this usually occurs in malicious PDF files containing streams whose filter claims they are compressed but which don't actually contain compressed data. For indirect objects a type may be listed in the type column. You can right click on any object on the left side to export it to a file. If you copy from the text view, you'll get what you see (which may be junk). The same is true for the hex view, where you'll get a buffer containing roughly what you see in the hex editor view.

FAQ
Why are the pdf-tools in this project different from the files on Didier Stevens' blog?
Unfortunately Python doesn't like importing modules with a hyphen in the name, so I had to rename it. In the process of creating/testing this tool I also discovered some small bugs that I reported to Didier. Hopefully as he gets time he will integrate the fixes into the files hosted on his blog. I have since gotten permission from him to host these files on this project page.

How does this compare to the other existing tools?
I'm aware that Zynamics released a really awesome 'PDF Dissector', and it does way more than this project probably ever will. Unfortunately that tool isn't free. A link is over on the right in case you want to check it out. Also, NTCore recently published an entry on his blog about a tool under development called PDF Insider. It's also really cool, but as far as I've been told it will be released commercially at some point. As far as a functional comparison, feel free to do that for yourself.

How do I get it running?
I developed this tool on Windows, however as far as I know everything should run on other operating systems supported by Qt4. I also packaged everything you'll need into a single Windows executable (it's fairly huge, but convenient).

To Do
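The Usage section above describes the behaviour an analyst relies on most when triaging a suspicious PDF: each object is listed with a type, a stream that decompressed gets a 'raw' child holding the bytes prior to decompression, and a stream whose filter says /FlateDecode but whose bytes won't inflate gets "/error" appended to its type. The script below is an added example, not code from PDFubar or from pdf-tools, that reproduces that labelling in plain Python over a constructed in-memory PDF (object 4 is genuinely Flate-compressed, object 5 claims /FlateDecode but carries plain text). The regex-based object walk is a deliberate simplification: a real parser honours /Length and the cross-reference table, and malformed files are exactly where those disagree.

```python
import re
import zlib

# Constructed sample input (not a file from the page): a minimal PDF-like byte
# string with one real Flate-compressed content stream (object 4) and one stream
# that claims /FlateDecode but holds uncompressed text (object 5).
GOOD_PAYLOAD = b"BT /F1 12 Tf (hello) Tj ET"
COMPRESSED_PAYLOAD = zlib.compress(GOOD_PAYLOAD)
FAKE_PAYLOAD = b"<script>not really compressed</script>"
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(COMPRESSED_PAYLOAD),
    COMPRESSED_PAYLOAD, b"\nendstream\nendobj\n",
    b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(FAKE_PAYLOAD),
    FAKE_PAYLOAD, b"\nendstream\nendobj\n",
    b"%%EOF\n",
])

# Simplified syntax: "N G obj ... endobj" blocks, a dictionary followed by a
# stream body, and the /Type and /Filter names inside a dictionary.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
TYPE_RE = re.compile(rb"/Type\s*/(\w+)")
FILTER_RE = re.compile(rb"/Filter\s*/(\w+)")


def analyze(pdf_bytes):
    """Walk every indirect object and describe it the way an object tree would:
    an id, a type column, the data to display, and for streams that were
    decompressed the raw bytes prior to decompression (None otherwise)."""
    objects = []
    for match in OBJ_RE.finditer(pdf_bytes):
        obj_id, body = int(match.group(1)), match.group(3)
        entry = {"id": obj_id, "type": "object", "data": body, "raw": None}
        type_match = TYPE_RE.search(body)
        if type_match:
            entry["type"] = type_match.group(1).decode("ascii")
        stream_match = STREAM_RE.search(body)
        if stream_match:
            dictionary, raw = stream_match.groups()
            if not type_match:
                entry["type"] = "stream"
            entry["data"] = raw
            filt = FILTER_RE.search(dictionary)
            if filt and filt.group(1) == b"FlateDecode":
                try:
                    # Success: show the inflated data and keep the raw bytes
                    # as the 'raw' child.
                    entry["data"] = zlib.decompress(raw)
                    entry["raw"] = raw
                except zlib.error:
                    # The filter promised compressed data and the bytes are
                    # not a valid zlib stream: flag it, keep the raw bytes.
                    entry["type"] += "/error"
        objects.append(entry)
    return objects


def suspicious_streams(objects):
    """Object ids whose advertised filter could not be applied."""
    return [o["id"] for o in objects if o["type"].endswith("/error")]


if __name__ == "__main__":
    for obj in analyze(SAMPLE_PDF):
        print(f"obj {obj['id']}: {obj['type']:<14} {obj['data'][:40]!r}")
```

Run against the constructed sample, object 4 decodes back to its content stream and carries the compressed bytes as its raw child, while object 5 is listed as stream/error with its plain-text body left untouched, which is the row an analyst would open first.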
Screenshots