Origami in PDF
What is it? | Blog | Download | Mailing List | Doc | Others | Contact | Greetings
What is it?
origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims at providing a scripting tool to generate and analyze malicious PDF files. As well, it can be used to create on-the-fly customized PDFs, or to inject (evil) code into already existing documents.
Features
- Create PDF documents from scratch.
- Parse existing documents, modify them and recompile them.
- Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and desobfuscating names and strings.
- High-level operations, such as encryption/decryption, signature, file attachments...
- A GTK interface to quickly browse into the document
contents.
Quick look
# Create a simple PDF document.
contents = ContentStream.new
contents.write 'I AM EMPTY',
:x => 350, :y => 750, :rendering => PS::Text::Rendering::STROKE, :size => 15
PDF.new.append_page(Page.new.setContents(contents)).saveas('empty.pdf')
# Read a PDF document and add an action.
pdf = PDF.read("foo.pdf")
pdf.onDocumentOpen Action::URI.new('http://google.com')
pdf.saveas('bar.pdf')
# Return an array of objects whose name begins with 'JS' pdf.ls(/^JS/) # Return an array of objects containing '/bin/sh' pdf.grep('/bin/sh') # Add a JS script to execute on first page. pdf.pages.first.onOpen Action::JavaScript.new('app.alert("Hello");') # Attach an embedded file to a document pdf.attach_file('other_doc.pdf')
Full scripts
We provide some scripts helping to perform common actions on PDF files. Feel free to send us your own scripts at origami(at)security-labs.org.
- detectjs.rb: search for all JavaScript objects.
- embed.rb: add an attachment to a PDF file.
- create-jspdf.rb: add a JavaScript to a PDF file, executed when the document is opened.
- moebius.rb: transform a PDF to a moebius strip.
- encrypt.rb: encrypt a PDF file.
More to come on next releases...
Blog
A new version: beta3
Aug. 26, 2010
Changes:
- Decrypting documents should be a *lot* faster.
- Can now parse malformed objects with no endobj token.
- The graphical interface (Walker) includes an image viewer.
- Lot of code refactoring in the parser and the graphics methods.
- PDF#insert alias for PDF#<<. Some may find this syntax clearer.
- Various bug fixes.
Datasheet
Apr. 1, 2010
Guillaume wrote a very useful documentation which gives an overview of the Origami framework methods: http://code.google.com/p/origami-pdf/downloads/list
Google Group and information sharing
Apr. 1, 2010
We have created a Google group to exchange information about origami (and other tools), one's scripts, help, and analisys of PDF files.
 |
| Subscribe to origami-pdf |
| Visit this group |
New release (yes, seriously, ti's not a joke ;)
Apr. 1, 2010
At least, a new release with many cleanings and new features.
Warning: Directory tree has changed. Sources are in the
origami folder, and you have to require origami.rb located in the
root directory.
- Added a force flag to detect PDF header in the file.
- Support for Flash/RichMedia integration.
- PDF#objects prototype has changed.
- XFA forms.
- Fixed various bugs.
- |walker|: Search feature.
Release is available on Google Code.
A new life
Mar 24, 2010
We have move the code to http://code.google.com/p/origami-pdf/.
This provide us a pulic mercurial access, a mailing list (origami-pdf(at)googlecode.com), and so
many useful features to make origami still better.
A new release will arrive soon. We changed its licence to
LGPL. This way, it will be easy to submit scripts and push them in
the release.
Stay tuned!
New version fixing stupid bug
Oct 30, 2009
We released a new version, 1.0.0-beta1b fixing a bug in some samples due to internal changes. Sorry for the mess.
A new version while at HITB
Oct 6, 2009
This version 1.0.0-beta1 while at HITB comes up with the ability to forge documents with more graphical contents (such as shapes, colors, gradients...). However, graphical contents modifications from existing documents are not supported. Some templates have been added to quickly create forms widgets. Linearized documents might cause issues during recompilation of existing documents, so a new feature has been added to delinearize a document. A new flag is also present to (syntactically) obfuscate a PDF upon saving, which might be useful to confuse a later analysis. This new version fixes various bugs and slightly improves performance.
Is this PDF malicious?
Jun 26, 2009
A new article, Is this PDF malicious? dealing with the analysis of a suspicious PDF file.
Origami: release 1.0.0-beta0
July 6, 2009
What's new in this release:
- sources/scripts/
- scan/pdfscan.rb: a scanner for malicious PDF, or get a quickview of what is going to happen when handling a given PDF.
- antivir/pdfclean.rb: a script to remove all dynamic features from a PDF file.
- metadata: extract metadata from a PDF, that is author, creation date, and some other piece of information.
- sources/samples/open/: 4 ways to trigger events when a PDF is opened (see here).
- Parser: add support for new objects (XRef streams, Object streams, PNG stream predictor functions).
(At least) 4 ways to die opening a PDF
Jun 26, 2009
Find our last article. It deals with how to trigger an action when a PDF is opened...
Source code will be available in next release (1.0.0-beta0)
Download
- Current version: available on GoogleCode
- All previous releases
Mailing List
A mailing list is now hosted on Google Groups:
|
| Subscribe to origami-pdf |
| Visit this group |
Articles, slides, doc...
- Origami pour forger, analyser et manipuler des fichiers PDF malicieux (X. Poli)
Sogeti ESEC R&D blog
- Is this PDF malicious?: how to analyze a PDF by looking at its structure.
- (At least) 4 ways to die opening a PDF: how to trigger an action when a PDF is opened?
- Virus total with origami?: is it easy to conceal a virus in a PDF?
- Streams and filters in PDF with origami: manipulating streams or JavaScript hidding howto with PDF.
- Playing with origami in PDF: a short intro to the usage of origami
- Focus on the PDF language and various readers
- Slides in English and Japanish
- Samples based on Acrobat Reader 9.0.0
Other interesting stuffs about PDFs
- Didier Stevens: very interesting posts about PDF, and many other topics.
- New Viral Threats of PDF Language (A. Blonce, E. Filiol, L. Frayssignes): what you can do with the PDF language.
Author & Contributors
- Lead developer: Guillaume Delugré
- Contributor: Fred Raynal
- Contact: origami(at)security-labs.org
Greetings
- Sogeti/CapGemini: the company we work at to let us research on this project.
- Bot.cat: amazing web designer ;)