Don't know if it might help anyone, but here is a summary of each videos contents: 1 - Set up lab 2.1 - analysis of exercise 1 file, anatomy of a pdf 3.2 - open example pdf file and view filters in vim, pdfid, pdf-parser 4.3 - obfuscated data hidden in streams via filters: ASCIIHexDecode /Flatedecode 5.4 - JS/Javascript objects. pdf-parser search option -s 6.4-5 - non-triggered javascript 7.5 - OpenAction object to trigger Javascript on open 8.6 - Name-obfuscated javascript 9.7 - Analysing obfuscated javascript with patched Spidermonkey JS parser 10.8 - More JS analysis. Obfuscation with app viewerVersion property 11.9 - JS obfuscation using /FlateDecode and annotations using .getAnnots() 12.10 - Obfuscation using Objstm object streams (NOT stream objects) 13.11 - real exploits(1): using JS and OpenAction 14.11 - real exploits(1): continued, seeing previous exploit in action with debugger 15.12 - real exploits(2): Using JS and OpenAction, unescape and unicode shellcode payload 16.12 - real exploits(2): continued, seeing previous exploit in action with debugger 17.13 - malicious /EmbeddedFile. /FileSpec 18.14 - malicious embedded files via appending to end of file. -e switch, extended info. Entropy. -x switch, extract bytes 19.15 - malicious embedded files via /AcroForm and XML 20.16 - older exploits(1) obfuscated XML bomb using entities in DOCTYPE hidden in this.metadata 21.17 - older exploits(2) phishing by setting isFullScreen 22.18 - older exploits(3) abusing launch action to run arbitrary code 23.18 - older exploits(3) continued: analysing previous exploit 24.19 - encrypted pdf exploits(1): non-password encrypted pdfs, encrypted JS tags, qpdf tool 25.20 - encrypted pdf exploits(2): password encrypted pdfs, hidden object contents
Hi, i really like your videos! I have seen one of your older videos about vbe files. I have searched for a very long time to find this information, do you have any references to the vbe file format? I would be very grateful
Keep it up, this is underrated as we all have probably 20+ cables we use for multiple devices micro, mini, USB C , A .. it's a great way to test and toss all the older or garbage cables we hang onto to. I have the older version of that tester without USB C.. I'm going to try this. super helpful
I got PDF where stream objects contain even more stream objects inside, when I pipe -O to | pdfid it shows many more strobj included in the output of original stream objects. Was there an update? Has this changed and how can I investigate. If I pass it again to pdfid (as you expected) it fails
WOW, the famous internet strok center has a youtube channel? I am thankful for the free content you have been posting regularly sir. Sir can you make a video describing how college grads/students and high school student can get into information security? maybe a roadmap?
This is my (Didier Stevens) RU-vid channel, this is not the RU-vid channel of the SANS Internet Storm Center. I'm an SANS ISC handler, but this is my channel. The SANS ISC channel is here: ru-vid.com Best that you post your comment there.
@@dist67 okay sir, but after watching couple of videos on malware analysis and after doing some quick google search about you, I think if would be great if you can give some advice/path to younger generations who want to start into this feild. I came across your RE blog but I don't have pre-requisite knowledge to follow along. I would be grateful to you sir and willing to learn from your experience.
I always post a link in the description, where you can find all the information. Unfortunately, this time I included the wrong link. Please follow the updated link.
I published dnsresolver almost a year ago. I even have YT videos covering all the features & a playlist: ru-vid.com/group/PLa-ohdLO29_augQDv73OI37aIHZkrr5h6
