SlideShare una empresa de Scribd logo

How to really obfuscate your pdf malware

Z
zynamics GmbH
Tecnología
1 de 52
Descargar para leer sin conexión
How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email: sebastian.porst@zynamics.com Twitter: @LambdaCube 1
Targeted Attacks 2008 Adobe Acrobat Microsoft Word; Reader; 28.61% 34.55% Microsoft PowerPoint; Microsoft Excel; 16.87% 19.97% http://www.f-secure.com/weblog/archives/00001676.html 2
Targeted Attacks 2009 Adobe Acrobat Microsoft Word; Reader; 48.87% 39.22% Microsoft Microsoft PowerPoint; Excel; 7.39% 4.52% 3
Exploited in the wild CVE- CVE- CVE- CVE- 2007- 2009- 2009- 2009- 5659 0658 1492 4324 CVE- CVE- CVE- CVE- 2008- 2009- 2009- 2010- 2992 0927 3459 0188
Four common exploit paths Broken PDF Parser Vulnerable JavaScript Engine Vulnerable external libraries /Launch 5
PDF Malware Obfuscation Different tricks for different purposes Make manual analysis more difficult Resist automated analysis Avoid detection by virus scanners 6
PDF Malware Obfuscation Conflicting goals Avoid detection Make analysis by being difficult by being wellformed malformed 7
How to achieve these goals Being harmless Being evil • Avoid JavaScript • Use heavy • Do not use unusual obfuscation encodings • Try to break tools • Do not try to break parser-based tools • Ideally use an 0-day 8
Let‘s be evil 9
Breaking tools
Rule #1: Do the unexpected 11
This is what tools expect • ASCII Strings • Boring encodings like #41 instead of A • Wellformed or only moderately malformed PDF file structure 12
Malformed documents • Adobe Reader tries to load malformed PDF files • Very, very liberal interpretation of the PDF specification • Parser-based analysis tools need to know about Adobe Reader file correction 13
Malformed PDF file – Example I 7 0 obj << /Type /Action /S /JavaScript /JS (app.alert('whatever');) >> endobj 14
Malformed PDF file – Example II 5 0 obj << /Length 45 >> stream some data endstream endobj 15
Further reading 16
Obfuscating JavaScript code
Goal of JavaScript obfuscation Hide the shellcode 18
JavaScript obfuscation in the wild • Screwed up formatting • Name obfuscation • Eval-chains • Splitting JavaScript code • Simple anti-emulation techniques • callee-trick • ... 19
Screwed up formatting • Basically just remove all newlines • Completely useless: jsbeautifier.org 20
Name obfuscation • Variables or function names are renamed to hide their meaning • Most JavaScript obfuscators screw this up 21
Obfuscation example: Original code function executePayload(payload, delay) { if (delay > 1000) { // Whatever } } function heapSpray(code, repeat) { for (i=0;i<repeat;i++) { code = code + code; } } 22
Obfuscation without considering scope function executePayload(hkof3ewhoife, fhpfewhpofe) { if (fhpfewhpofe > 1000) { // Whatever } } function heapSpray(hoprwehjoprew, hoifwep43) { for (jnpfw93=0;jnpfw93<hoifwep43;jnpfw93++) { hoprwehjoprew = hoprwehjoprew + hoprwehjoprew; } } 23
Obfuscation with considering scope function executePayload(grtertttrr, hnpfefwefee) { if (hnpfefwefee > 1000) { // Whatever } } function heapSpray(grtertttrr, hnpfefwefee) { for (hjnprew=0;hjnprew<hnpfefwefee;hjnprew++) { grtertttrr = grtertttrr + grtertttrr; } } 24
Obfuscation: Going the whole way function ____(____, _____) { if (_____ > 1000) { // Whatever } } function _____(____, _____) { for (______=0; ______<_____; ______++) { ____ = ____ + ____; } } 25
Name obfuscation: Lessons learned • Consider name scope – Deobfuscator needs to know scoping rules too • Use underscores – Drives human analysts crazy • Also cute: Use meaningful names that have nothing to do with the variable – Maybe shuffle real variable names 26
Eval chains • JavaScript code can execute JavaScript code in strings through eval • Often used to hide later code stages which are decrypted on the fly • Common way to extract argument: replace eval with a printing function 27
Eval chains: Doing it better • Make sure your later stages reference variables or functions from earlier stages • Re-use individual eval statements multiple times to make sure eval calls can not just be replaced 28
JavaScript splitting • JavaScript can be split over several PDF objects • These scripts can be executed consecutively • Context is preserved between scripts • In the wild I‘ve seen splitting across 2-4 objects 29
JavaScript splitting: Doing it better • One line of JavaScript per object • Randomize the order of JavaScript objects • Admittedly it takes only one script to sort and extract the scripts from the objects 30
Anti-emulation code • Simple checks for Adobe Reader extensions • Multistaged JavaScript code 31
Current malware loads code from Pages Annotations Info Dictionary 32
Example: Loading code from annotations y = app.doc; y.syncAnnotScan(); var p = y["getAnnots"]({nPage: 0}); var s = p[0].subject; eval(s); 33
Problems with current approaches Code is Easy to in the file extract 34
Anti-emulation code: Improved Key ideas behind anti-emulation code Find idiosyncrasies in the Adobe JavaScript engine Find extensions that are difficult to emulate 35
Exhibit A: Idiosyncrasy cypher = [7, 17, 28, 93, 4, 10, 4, 30, 7, 77, 83, 72]; cypherLength = cypher.length; hidden = "ThisIsNotTheKeyYouAreLookingFor"; hiddenLength = hidden.toString().length; for(i=0,j=0;i<cypherLength;i++,j++) { cypherChar = cypher[i]; keyChar = hidden.toString().charCodeAt(j); cypher[i] = String.fromCharCode(cypherChar ^ keyChar); if (j == hiddenLength - 1) j = -1; } eval(cypher.join("")); 36
Exhibit A: Explained JavaScript Standard Adobe Reader JavaScript hidden = false; hidden = false; hidden = "Key"; hidden = "Key"; hidden has the value „Key“ hidden has the value „true“ 37
Exhibit A: Explained The Adobe Reader JavaScript engine defines global variables that do not change their type on assignment. (I suspect this happens because they are backed by C++ code) 38
Exhibit B: Difficult to emulate • Goal: Find Adobe JavaScript API functions which are nearly impossible to emulate • Then use effects of these functions in sneaky ways to change malware behavior • The Adobe Reader JavaScript documentation is your friend 39
Exhibit B: Difficult to emulate Functions to look for Rendering engine Forms extensions Multimedia extensions 40
Exhibit B: Difficult to emulate crypt = "T^_]^[T IEYYD__ FuRRKBD "; plain = Array(); key = getPageNthWordQuads(0, 0).toString().split(",")[1]; for (i=0,j=0;i<crypt.length;i++,j++) { plain = plain + String.fromCharCode((crypt.charCodeAt(i) ^ key.charCodeAt(j))); if (j >= key.length) j = 0; } app.alert(plain); ) 41
Exhibit B: Difficult to emulate Functions to avoid Anything with security restrictions 42
Exhibit C: Multi-threaded JavaScript • Multi-threaded applications are difficult to reverse engineer • Problem: There are no threads in JavaScript • Solution: setTimeOut • Example: Cooperative multi-threading with message-passing between objects 43
Basic idea • Multiple server objects • String messages are passed between servers • Messages contain new timeout value and code to evaluate 44
function Server(name) { ... } s1 = new Server("S1"); s2 = new Server("S2"); s1.receive(ENCODED_MESSAGE); 45
function Server(name) { this.name = name; this.receive = function(message) { recipient = parse_recipient(message) delayTime = parse_delay(message) eval_string = parse_eval_string(message) msg_string = parse_message_string(message) eval(eval_string); command = "recipient.receive('" + msg_string + "')"; this.x = app.setTimeOut(command, delayTime); } }; 46
How to improve this • Use a global string object as the message queue and manipulate the object on the fly • Usage of non-commutative operations so that execution order really matters • Message broadcasting • Add anti-emulation code to eval-ed code 47
callee-trick • Not specific to Adobe Reader • Frequently used by JavaScript code in other contexts • Function accesses its own source and uses it as a key to decrypt code or data • Add a single whitespace and decryption fails 48
callee-trick Example function decrypt(cypher) { var key = arguments.callee.toString(); for (var i = 0; i < cypher.length; i++) { plain = key.charCodeAt(i) ^ cypher.charCodeAt(i); } ... } 49
More ideas for the future • Combine anti-debugging, callee-trick, and message passing • Find more JavaScript engine idiosyncracies: Sputnik JavaScript test suite 50
Thanks • Didier Stevens • Julia Wolf • Peter Silberman • Bruce Dang 51
52

Recomendados

Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversingjduart
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caringsporst
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish codejduart
 
Bootstrapping iPhone Development
Bootstrapping iPhone DevelopmentBootstrapping iPhone Development
Bootstrapping iPhone DevelopmentThoughtWorks
 
Learn To Test Like A Grumpy Programmer - 3 hour workshop
Learn To Test Like A Grumpy Programmer - 3 hour workshopLearn To Test Like A Grumpy Programmer - 3 hour workshop
Learn To Test Like A Grumpy Programmer - 3 hour workshopchartjes
 
Assignment1 B 0
Assignment1 B 0Assignment1 B 0
Assignment1 B 0Mahmoud
 
Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applicationseightbit
 
FlawDetector - Rubykaigi2013 LT
FlawDetector - Rubykaigi2013 LT FlawDetector - Rubykaigi2013 LT
FlawDetector - Rubykaigi2013 LT ginriki
 

Recomendados

Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversingjduart
 
ShaREing Is Caring
ShaREing Is CaringShaREing Is Caring
ShaREing Is Caringsporst
 
Packer Genetics: The selfish code
Packer Genetics: The selfish codePacker Genetics: The selfish code
Packer Genetics: The selfish codejduart
 
Bootstrapping iPhone Development
Bootstrapping iPhone DevelopmentBootstrapping iPhone Development
Bootstrapping iPhone DevelopmentThoughtWorks
 
Learn To Test Like A Grumpy Programmer - 3 hour workshop
Learn To Test Like A Grumpy Programmer - 3 hour workshopLearn To Test Like A Grumpy Programmer - 3 hour workshop
Learn To Test Like A Grumpy Programmer - 3 hour workshopchartjes
 
Assignment1 B 0
Assignment1 B 0Assignment1 B 0
Assignment1 B 0Mahmoud
 
Rootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift ApplicationsRootcon X - Reverse Engineering Swift Applications
Rootcon X - Reverse Engineering Swift Applicationseightbit
 
FlawDetector - Rubykaigi2013 LT
FlawDetector - Rubykaigi2013 LT FlawDetector - Rubykaigi2013 LT
FlawDetector - Rubykaigi2013 LT ginriki
 
Php extensions
Php extensionsPhp extensions
Php extensionsElizabeth Smith
 
Handout 00 0
Handout 00 0Handout 00 0
Handout 00 0Mahmoud
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Courseeightbit
 
Ch01 basic-java-programs
Ch01 basic-java-programsCh01 basic-java-programs
Ch01 basic-java-programsJames Brotsos
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Joxean Koret
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
C++ to java
C++ to javaC++ to java
C++ to javaAjmal Ak
 
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)Alex Balhatchet
 
Net serialization
Net serializationNet serialization
Net serializationGreg Sohl
 
Object Oriented Apologetics
Object Oriented ApologeticsObject Oriented Apologetics
Object Oriented ApologeticsVance Lucas
 
C#
C#C#
C#Gokul Ram
 
Metaprogramming JavaScript
Metaprogramming JavaScriptMetaprogramming JavaScript
Metaprogramming JavaScriptdanwrong
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#Mohammad Faizan
 
C# features
C# featuresC# features
C# featuressagaroceanic11
 
Clean Code summary
Clean Code summaryClean Code summary
Clean Code summaryJan de Vries
 
C++vs java
C++vs javaC++vs java
C++vs javaPradeep wolf king
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsFelipe Prado
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperVincenzo Iozzo
 
ShaREing is Caring
ShaREing is CaringShaREing is Caring
ShaREing is Caringzynamics GmbH
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzingVincenzo Iozzo
 

Más contenido relacionado

La actualidad más candente

Handout 00 0
Handout 00 0Handout 00 0
Handout 00 0Mahmoud
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Courseeightbit
 
Ch01 basic-java-programs
Ch01 basic-java-programsCh01 basic-java-programs
Ch01 basic-java-programsJames Brotsos
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Joxean Koret
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryJoxean Koret
 
C++ to java
C++ to javaC++ to java
C++ to javaAjmal Ak
 
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)Alex Balhatchet
 
Net serialization
Net serializationNet serialization
Net serializationGreg Sohl
 
Object Oriented Apologetics
Object Oriented ApologeticsObject Oriented Apologetics
Object Oriented ApologeticsVance Lucas
 
Metaprogramming JavaScript
Metaprogramming JavaScriptMetaprogramming JavaScript
Metaprogramming JavaScriptdanwrong
 
Clean Code summary
Clean Code summaryClean Code summary
Clean Code summaryJan de Vries
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1Payampardaz
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Joxean Koret
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsFelipe Prado
 

La actualidad más candente (19)

Php extensions
Php extensionsPhp extensions
Php extensions
 
Handout 00 0
Handout 00 0Handout 00 0
Handout 00 0
 
Wahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash CourseWahckon[2] - iOS Runtime Hacking Crash Course
Wahckon[2] - iOS Runtime Hacking Crash Course
 
Ch01 basic-java-programs
Ch01 basic-java-programsCh01 basic-java-programs
Ch01 basic-java-programs
 
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
Pigaios: A Tool for Diffing Source Codes against Binaries (Hacktivity 2018)
 
Half-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code RecoveryHalf-automatic Compilable Source Code Recovery
Half-automatic Compilable Source Code Recovery
 
C++ to java
C++ to javaC++ to java
C++ to java
 
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
Introduction to Writing Readable and Maintainable Perl (YAPC::EU 2011 Version)
 
Net serialization
Net serializationNet serialization
Net serialization
 
Object Oriented Apologetics
Object Oriented ApologeticsObject Oriented Apologetics
Object Oriented Apologetics
 
C#
C#C#
C#
 
Metaprogramming JavaScript
Metaprogramming JavaScriptMetaprogramming JavaScript
Metaprogramming JavaScript
 
Tutorial c#
Tutorial c#Tutorial c#
Tutorial c#
 
C# features
C# featuresC# features
C# features
 
Clean Code summary
Clean Code summaryClean Code summary
Clean Code summary
 
C++vs java
C++vs javaC++vs java
C++vs java
 
Basic buffer overflow part1
Basic buffer overflow part1Basic buffer overflow part1
Basic buffer overflow part1
 
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)Call Graph Agnostic Malware Indexing (EuskalHack 2017)
Call Graph Agnostic Malware Indexing (EuskalHack 2017)
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
 

Destacado

0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperVincenzo Iozzo
 
Uni mannheim debuggers
Uni mannheim debuggersUni mannheim debuggers
Uni mannheim debuggerszynamics GmbH
 
Formale Methoden im Reverse Engineering
Formale Methoden im Reverse EngineeringFormale Methoden im Reverse Engineering
Formale Methoden im Reverse Engineeringzynamics GmbH
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)zynamics GmbH
 

Destacado (6)

0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
ShaREing is Caring
ShaREing is CaringShaREing is Caring
ShaREing is Caring
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 
Uni mannheim debuggers
Uni mannheim debuggersUni mannheim debuggers
Uni mannheim debuggers
 
Formale Methoden im Reverse Engineering
Formale Methoden im Reverse EngineeringFormale Methoden im Reverse Engineering
Formale Methoden im Reverse Engineering
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)
 

Similar a How to really obfuscate your pdf malware

Polyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better AgilityPolyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better Agilityelliando dias
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2Uday Sharma
 
The operation principles of PVS-Studio static code analyzer
The operation principles of PVS-Studio static code analyzerThe operation principles of PVS-Studio static code analyzer
The operation principles of PVS-Studio static code analyzerAndrey Karpov
 
How to write good quality code
How to write good quality codeHow to write good quality code
How to write good quality codeHayden Bleasel
 
Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...
Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...
Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...Nilesh Panchal
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisAndrey Karpov
 
JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0
JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0
JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0Marcel Bruch
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviCysinfo Cyber Security Community
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the CloudJim Driscoll
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017Andrey Karpov
 
Exciting JavaScript - Part II
Exciting JavaScript - Part IIExciting JavaScript - Part II
Exciting JavaScript - Part IIEugene Lazutkin
 
Documenting Bugs in Doxygen
Documenting Bugs in DoxygenDocumenting Bugs in Doxygen
Documenting Bugs in DoxygenPVS-Studio
 

Similar a How to really obfuscate your pdf malware (20)

Polyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better AgilityPolyglot and Poly-paradigm Programming for Better Agility
Polyglot and Poly-paradigm Programming for Better Agility
 
Fundamentals of java --- version 2
Fundamentals of java --- version 2Fundamentals of java --- version 2
Fundamentals of java --- version 2
 
Anti patterns part 2
Anti patterns part 2Anti patterns part 2
Anti patterns part 2
 
The operation principles of PVS-Studio static code analyzer
The operation principles of PVS-Studio static code analyzerThe operation principles of PVS-Studio static code analyzer
The operation principles of PVS-Studio static code analyzer
 
How to write good quality code
How to write good quality codeHow to write good quality code
How to write good quality code
 
Anti patterns part 2
Anti patterns part 2Anti patterns part 2
Anti patterns part 2
 
Django in the Real World
Django in the Real WorldDjango in the Real World
Django in the Real World
 
Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...
Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...
Ruby on-rails-101-presentation-slides-for-a-five-day-introductory-course-1194...
 
Search for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code AnalysisSearch for Vulnerabilities Using Static Code Analysis
Search for Vulnerabilities Using Static Code Analysis
 
Citibank
CitibankCitibank
Citibank
 
JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0
JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0
JUG Münster 2014 - Code Recommenders & Codetrails - Wissenstransfer 2.0
 
Js tacktalk team dev js testing performance
Js tacktalk team dev js testing performanceJs tacktalk team dev js testing performance
Js tacktalk team dev js testing performance
 
Clean Code V2
Clean Code V2Clean Code V2
Clean Code V2
 
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram KharviUnderstanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
Understanding & analyzing obfuscated malicious web scripts by Vikram Kharvi
 
Groovy In the Cloud
Groovy In the CloudGroovy In the Cloud
Groovy In the Cloud
 
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
PVS-Studio. Static code analyzer. Windows/Linux, C/C++/C#. 2017
 
Decompiling Android
Decompiling AndroidDecompiling Android
Decompiling Android
 
Exciting JavaScript - Part II
Exciting JavaScript - Part IIExciting JavaScript - Part II
Exciting JavaScript - Part II
 
Documenting Bugs in Doxygen
Documenting Bugs in DoxygenDocumenting Bugs in Doxygen
Documenting Bugs in Doxygen
 
Need 4 Speed FI
Need 4 Speed FINeed 4 Speed FI
Need 4 Speed FI
 

Más de zynamics GmbH

How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malwarezynamics GmbH
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)zynamics GmbH
 
Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversingzynamics GmbH
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paperzynamics GmbH
 

Más de zynamics GmbH (6)

How to really obfuscate your pdf malware
How to really obfuscate your pdf malwareHow to really obfuscate your pdf malware
How to really obfuscate your pdf malware
 
Architectural Diversity (German)
Architectural Diversity (German)Architectural Diversity (German)
Architectural Diversity (German)
 
Introduction to mobile reversing
Introduction to mobile reversingIntroduction to mobile reversing
Introduction to mobile reversing
 
0-knowledge fuzzing white paper
0-knowledge fuzzing white paper0-knowledge fuzzing white paper
0-knowledge fuzzing white paper
 
Inbot10 vxclass
Inbot10 vxclassInbot10 vxclass
Inbot10 vxclass
 
0-knowledge fuzzing
0-knowledge fuzzing0-knowledge fuzzing
0-knowledge fuzzing
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 

Último (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 

How to really obfuscate your pdf malware

  • 1. How to really obfuscate your PDF malware Sebastian Porst - ReCon 2010 Email: sebastian.porst@zynamics.com Twitter: @LambdaCube 1
  • 2. Targeted Attacks 2008 Adobe Acrobat Microsoft Word; Reader; 28.61% 34.55% Microsoft PowerPoint; Microsoft Excel; 16.87% 19.97% http://www.f-secure.com/weblog/archives/00001676.html 2
  • 3. Targeted Attacks 2009 Adobe Acrobat Microsoft Word; Reader; 48.87% 39.22% Microsoft Microsoft PowerPoint; Excel; 7.39% 4.52% 3
  • 4. Exploited in the wild CVE- CVE- CVE- CVE- 2007- 2009- 2009- 2009- 5659 0658 1492 4324 CVE- CVE- CVE- CVE- 2008- 2009- 2009- 2010- 2992 0927 3459 0188
  • 5. Four common exploit paths Broken PDF Parser Vulnerable JavaScript Engine Vulnerable external libraries /Launch 5
  • 6. PDF Malware Obfuscation Different tricks for different purposes Make manual analysis more difficult Resist automated analysis Avoid detection by virus scanners 6
  • 7. PDF Malware Obfuscation Conflicting goals Avoid detection Make analysis by being difficult by being wellformed malformed 7
  • 8. How to achieve these goals Being harmless Being evil • Avoid JavaScript • Use heavy • Do not use unusual obfuscation encodings • Try to break tools • Do not try to break parser-based tools • Ideally use an 0-day 8
  • 11. Rule #1: Do the unexpected 11
  • 12. This is what tools expect • ASCII Strings • Boring encodings like #41 instead of A • Wellformed or only moderately malformed PDF file structure 12
  • 13. Malformed documents • Adobe Reader tries to load malformed PDF files • Very, very liberal interpretation of the PDF specification • Parser-based analysis tools need to know about Adobe Reader file correction 13
  • 14. Malformed PDF file – Example I 7 0 obj << /Type /Action /S /JavaScript /JS (app.alert('whatever');) >> endobj 14
  • 15. Malformed PDF file – Example II 5 0 obj << /Length 45 >> stream some data endstream endobj 15
  • 18. Goal of JavaScript obfuscation Hide the shellcode 18
  • 19. JavaScript obfuscation in the wild • Screwed up formatting • Name obfuscation • Eval-chains • Splitting JavaScript code • Simple anti-emulation techniques • callee-trick • ... 19
  • 20. Screwed up formatting • Basically just remove all newlines • Completely useless: jsbeautifier.org 20
  • 21. Name obfuscation • Variables or function names are renamed to hide their meaning • Most JavaScript obfuscators screw this up 21
  • 22. Obfuscation example: Original code function executePayload(payload, delay) { if (delay > 1000) { // Whatever } } function heapSpray(code, repeat) { for (i=0;i<repeat;i++) { code = code + code; } } 22
  • 23. Obfuscation without considering scope function executePayload(hkof3ewhoife, fhpfewhpofe) { if (fhpfewhpofe > 1000) { // Whatever } } function heapSpray(hoprwehjoprew, hoifwep43) { for (jnpfw93=0;jnpfw93<hoifwep43;jnpfw93++) { hoprwehjoprew = hoprwehjoprew + hoprwehjoprew; } } 23
  • 24. Obfuscation with considering scope function executePayload(grtertttrr, hnpfefwefee) { if (hnpfefwefee > 1000) { // Whatever } } function heapSpray(grtertttrr, hnpfefwefee) { for (hjnprew=0;hjnprew<hnpfefwefee;hjnprew++) { grtertttrr = grtertttrr + grtertttrr; } } 24
  • 25. Obfuscation: Going the whole way function ____(____, _____) { if (_____ > 1000) { // Whatever } } function _____(____, _____) { for (______=0; ______<_____; ______++) { ____ = ____ + ____; } } 25
  • 26. Name obfuscation: Lessons learned • Consider name scope – Deobfuscator needs to know scoping rules too • Use underscores – Drives human analysts crazy • Also cute: Use meaningful names that have nothing to do with the variable – Maybe shuffle real variable names 26
  • 27. Eval chains • JavaScript code can execute JavaScript code in strings through eval • Often used to hide later code stages which are decrypted on the fly • Common way to extract argument: replace eval with a printing function 27
  • 28. Eval chains: Doing it better • Make sure your later stages reference variables or functions from earlier stages • Re-use individual eval statements multiple times to make sure eval calls can not just be replaced 28
  • 29. JavaScript splitting • JavaScript can be split over several PDF objects • These scripts can be executed consecutively • Context is preserved between scripts • In the wild I‘ve seen splitting across 2-4 objects 29
  • 30. JavaScript splitting: Doing it better • One line of JavaScript per object • Randomize the order of JavaScript objects • Admittedly it takes only one script to sort and extract the scripts from the objects 30
  • 31. Anti-emulation code • Simple checks for Adobe Reader extensions • Multistaged JavaScript code 31
  • 32. Current malware loads code from Pages Annotations Info Dictionary 32
  • 33. Example: Loading code from annotations y = app.doc; y.syncAnnotScan(); var p = y["getAnnots"]({nPage: 0}); var s = p[0].subject; eval(s); 33
  • 34. Problems with current approaches Code is Easy to in the file extract 34
  • 35. Anti-emulation code: Improved Key ideas behind anti-emulation code Find idiosyncrasies in the Adobe JavaScript engine Find extensions that are difficult to emulate 35
  • 36. Exhibit A: Idiosyncrasy cypher = [7, 17, 28, 93, 4, 10, 4, 30, 7, 77, 83, 72]; cypherLength = cypher.length; hidden = "ThisIsNotTheKeyYouAreLookingFor"; hiddenLength = hidden.toString().length; for(i=0,j=0;i<cypherLength;i++,j++) { cypherChar = cypher[i]; keyChar = hidden.toString().charCodeAt(j); cypher[i] = String.fromCharCode(cypherChar ^ keyChar); if (j == hiddenLength - 1) j = -1; } eval(cypher.join("")); 36
  • 37. Exhibit A: Explained JavaScript Standard Adobe Reader JavaScript hidden = false; hidden = false; hidden = "Key"; hidden = "Key"; hidden has the value „Key“ hidden has the value „true“ 37
  • 38. Exhibit A: Explained The Adobe Reader JavaScript engine defines global variables that do not change their type on assignment. (I suspect this happens because they are backed by C++ code) 38
  • 39. Exhibit B: Difficult to emulate • Goal: Find Adobe JavaScript API functions which are nearly impossible to emulate • Then use effects of these functions in sneaky ways to change malware behavior • The Adobe Reader JavaScript documentation is your friend 39
  • 40. Exhibit B: Difficult to emulate Functions to look for Rendering engine Forms extensions Multimedia extensions 40
  • 41. Exhibit B: Difficult to emulate crypt = "T^_]^[T IEYYD__ FuRRKBD "; plain = Array(); key = getPageNthWordQuads(0, 0).toString().split(",")[1]; for (i=0,j=0;i<crypt.length;i++,j++) { plain = plain + String.fromCharCode((crypt.charCodeAt(i) ^ key.charCodeAt(j))); if (j >= key.length) j = 0; } app.alert(plain); ) 41
  • 42. Exhibit B: Difficult to emulate Functions to avoid Anything with security restrictions 42
  • 43. Exhibit C: Multi-threaded JavaScript • Multi-threaded applications are difficult to reverse engineer • Problem: There are no threads in JavaScript • Solution: setTimeOut • Example: Cooperative multi-threading with message-passing between objects 43
  • 44. Basic idea • Multiple server objects • String messages are passed between servers • Messages contain new timeout value and code to evaluate 44
  • 45. function Server(name) { ... } s1 = new Server("S1"); s2 = new Server("S2"); s1.receive(ENCODED_MESSAGE); 45
  • 46. function Server(name) { this.name = name; this.receive = function(message) { recipient = parse_recipient(message) delayTime = parse_delay(message) eval_string = parse_eval_string(message) msg_string = parse_message_string(message) eval(eval_string); command = "recipient.receive('" + msg_string + "')"; this.x = app.setTimeOut(command, delayTime); } }; 46
  • 47. How to improve this • Use a global string object as the message queue and manipulate the object on the fly • Usage of non-commutative operations so that execution order really matters • Message broadcasting • Add anti-emulation code to eval-ed code 47
  • 48. callee-trick • Not specific to Adobe Reader • Frequently used by JavaScript code in other contexts • Function accesses its own source and uses it as a key to decrypt code or data • Add a single whitespace and decryption fails 48
  • 49. callee-trick Example function decrypt(cypher) { var key = arguments.callee.toString(); for (var i = 0; i < cypher.length; i++) { plain = key.charCodeAt(i) ^ cypher.charCodeAt(i); } ... } 49
  • 50. More ideas for the future • Combine anti-debugging, callee-trick, and message passing • Find more JavaScript engine idiosyncracies: Sputnik JavaScript test suite 50
  • 51. Thanks • Didier Stevens • Julia Wolf • Peter Silberman • Bruce Dang 51
  • 52. 52