After some time without releasing any new version here is peepdf v0.3. It is not that I was not working in the project, but since the option to update the tool from the command line was released creating new versions became a secondary task. Besides this, since January 2014 Google removed the option to upload new downloads to the Google Code projects, so I had to figure out how to do it.
Some nights ago I was heading to a local theater with some (non-nerd) friends. We did not recall very well the address, so I brought out my phone (LG Nexus 4 with Android 4.4.2 and Google Chrome) and googled for it. I found the theater’s official site and started looking for the contact info, when Chrome suddenly opened a popup window pointing me to a Russian web site (novostivkontakte.ru) urging me to update my Flash Player.
- “it bypasses DEP and ASLR using impressive tricks and unusual methods” - Vupen
- “it uses a previously unpublished technique to bypass ASLR” - Metasploit Blog
- “exploit uses the ROP technique to bypass the ASLR and DEP” - ZDnet/Kasperky
- “it’s so scary I ran away screaming” - anonymous
Is that PDF so scary? I don’t think so.
DEP is an hardware feature that prevents execution of data, it obviously works if software sets the execution flag only on memory pages containing code.
The first part to the format discovery is 90% completed.
The program is now able to tokenize the sample packets and sort them to clusters according to token pattern.
The structure for a token looks like this:
// definition of a node for initial tokenization
struct sToken {
struct inferProperty* sProperty;
struct inferSemantic* sSemantic;
struct formatDistinguisher* sFD;
struct sToken* next;
};
struct inferProperty {
char szType[4]; //“s-c/c-s” / “bin” / “txt”