Video: PDF/XDP Malware Reversing

Since I don’t have time to write many articles, this is my first video tutorial. 🙂 This video is based on my 2016 article on cerbero-blog.com.

If you like it and want to see more, let me know!

Edit: since I was asked to share the comments in the disassembly, here’s a small snippet to add them. You can run the snippet by pressing Ctrl+Alt+R (make sure that the disassembly view is focused when running it).

from Pro.UI import proContext
from Pro.Carbon import caComment

comments = (
	(0x000000A2, "loop resolving the following APIs:\n   LoadLibraryA\n   WinExec\n   TerminateThread\n   GetTempPathA\n   VirtualProtect"),
	(0x000000C5, "calls VirtualProtect with stolen bytes"),
	(0x000000CC, "pushes URLMON string to stack"),
	(0x000000D2, "calls a gadget which calls LoadLibraryA and returns the URLMON base address"),
	(0x000000D9, "resolves URLDownloadToFileA"),
	(0x000000FB, "pushes \"regsvr32 -s \" to the stack"),
	(0x00000109, "call GetTempFilePathA"),
	(0x00000121, "appends \"wpbt0.dll\" to the path"),
	(0x00000139, "calls URLDownloadToFileA with the created path with the URL:\n   http://129.121.231.188/data/Home/w.php?f=16&e=4"),
	(0x00000143, "calls WinExec on the downloaded file"),
	(0x0000014C, "calls WinExec on \"regsvr32 -s \" followed by the downloaded file"),
	(0x00000166, "calls TerminateThread"),
)

def add_comments():
    v = proContext().getCurrentView()
    ca = v.getCarbon()
    db = ca.getDB()
    comment = caComment()
    for c in comments:
        comment.address = c[0]
        comment.text = c[1]
        db.setComment(comment)
    # update the view
    v.update()
    
add_comments()

PDF Insider Demo

A small, on the fly video presentation of my new utility.



The emphasis of this application stands on parsing correctly the PDF format, if it can’t because the PDF is malformed (very common among malicious PDFs), then it provides the tools to read the objects nonetheless. I tested it on many PDF (also malicious ones) and it handles all of them very well.

As I have written this application in five days, there are still some small features I’d like to add, but most of the code is already there. I started the development of it quite some time ago on a weekend while I was sick at home and have found only now the time to finish it.

I have no plans about how and when to release it yet, but some friends of mine will start using it in real world scenarios.

P.S. Thanks to Alessandro Gario for the throughout testing.