Using libemu to create malware flow graph

Muhammad Najmi Ahmad Zabidi
[email protected]*

Abstract

In this paper I document my personal experience: the process of extracting shellcode from PDF malware and then rendering it as a Graphviz picture. Most of the examples are adapted from the tutorial given by [Jeremy, 2008].

1 Introduction

In this write-up I show you how to extract shellcode from PDF files.

2 PDF malware

A malicious PDF contains embedded JavaScript (*.js). This JavaScript may carry out harmful activity without the user's consent.

3 Steps to extract shellcodes

3.1 Tools of the trade

What we need to do, basically, is use existing tools. As of now I suggest you download the following:

• http://code.google.com/p/pyew/
• http://libemu.carnivore.it/
• http://www.graphviz.org/

3.2 Extracting the shellcode

I used pdf_example.py from the pyew package.

    $ ls pdf_example.py -l
    -rwxr-xr-x 1 najmi najmi 1497 2010-03-30 20:03 pdf_example.py

Given that I have a piece of PDF malware fetched from the wild:

* Thanks to my wife, for providing hot coffee!
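The paper's pipeline is: find the JavaScript embedded in the PDF (section 2), pull the shellcode out of it (section 3.2), then hand the raw bytes to libemu's sctest, which can write its call graph as a Graphviz dot file. The following is an added example written for this write-up; it is not the paper's own code and not pyew's pdf_example.py. It walks the PDF's stream objects, inflates FlateDecode'd ones, decodes the `%uXXXX` escapes that exploit JavaScript typically feeds to `unescape()`, and then (only if the tools are installed) runs sctest and dot. The helper names, the sample PDF bytes and the payload bytes are all constructed for the example; the sctest flags used (`-S`, `-g`, `-s`, `-G`) are libemu's own.

```python
"""Constructed example: extract %u-escaped shellcode from PDF JavaScript and
graph it with libemu's sctest. Helper names are hypothetical, not pyew's."""
import re
import shutil
import subprocess
import zlib

# A PDF stream object's body sits between 'stream' and 'endstream'.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# Typical staging in malicious PDF JavaScript: unescape("%u9090%u9090...")
UNESCAPE_RE = re.compile(
    rb"unescape\(\s*['\"]((?:%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2})+)['\"]\s*\)"
)


def pdf_streams(pdf_bytes):
    """Yield every stream body, inflating FlateDecode'd streams where possible."""
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        try:
            yield zlib.decompress(body)
        except zlib.error:
            yield body  # stored uncompressed, or a filter we do not handle


def decode_js_escapes(escaped):
    """Turn the argument of a JavaScript unescape() call into raw bytes.

    %uXXXX is a 16-bit code unit; the exploit relies on its little-endian
    memory layout, so %u9090 -> b'\\x90\\x90' and %u4142 -> b'BA'.
    A plain %XX escape is a single byte.
    """
    out = bytearray()
    for tok in re.findall(r"%u[0-9A-Fa-f]{4}|%[0-9A-Fa-f]{2}", escaped):
        if tok.startswith("%u"):
            out += int(tok[2:], 16).to_bytes(2, "little")
        else:
            out.append(int(tok[1:], 16))
    return bytes(out)


def extract_shellcodes(pdf_bytes):
    """Return the decoded payload of every unescape() found in the PDF's streams."""
    found = []
    for stream in pdf_streams(pdf_bytes):
        for m in UNESCAPE_RE.finditer(stream):
            found.append(decode_js_escapes(m.group(1).decode("ascii")))
    return found


def emulate_and_graph(shellcode, dot_path, png_path, steps=1000000):
    """Feed raw shellcode to libemu's sctest and render its call graph with dot.

    sctest flags: -S read shellcode from stdin, -g getpc mode, -s N step
    limit, -G FILE write the call graph as a Graphviz dot file. Returns the
    command lines run, or None when sctest or dot is not installed.
    """
    if not (shutil.which("sctest") and shutil.which("dot")):
        return None
    sctest_cmd = ["sctest", "-S", "-g", "-s", str(steps), "-G", dot_path]
    subprocess.run(sctest_cmd, input=shellcode, check=True)
    dot_cmd = ["dot", "-Tpng", dot_path, "-o", png_path]
    subprocess.run(dot_cmd, check=True)
    return [sctest_cmd, dot_cmd]


# Constructed sample, not a real malware sample: one uncompressed JavaScript
# stream and one FlateDecode'd stream, each staging a tiny benign byte string.
SAMPLE_JS = b"var sc = unescape('%u9090%u9090%u4142%u4344'); var mem = [];"
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj << /Type /Action /S /JavaScript /JS 2 0 R >> endobj\n",
    b"2 0 obj << /Length ", str(len(SAMPLE_JS)).encode(), b" >>\nstream\n",
    SAMPLE_JS, b"\nendstream\nendobj\n",
    b"3 0 obj << /Filter /FlateDecode >>\nstream\n",
    zlib.compress(b'payload = unescape("%u4141%41");'), b"\nendstream\nendobj\n",
    b"%%EOF\n",
])

if __name__ == "__main__":
    for i, sc in enumerate(extract_shellcodes(SAMPLE_PDF)):
        path = "shellcode_%d.bin" % i
        with open(path, "wb") as f:
            f.write(sc)
        print(path, len(sc), "bytes", sc.hex())
        print(emulate_and_graph(sc, "shellcode_%d.dot" % i, "shellcode_%d.png" % i))
```

On a real sample the streams may use filters other than FlateDecode or stack several layers of string obfuscation before the `unescape()` call, so the regex stage is a first pass; the decoding and the sctest hand-off stay the same once the escaped string is recovered.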