** Home page **

http://peepdf.eternal-todo.com
http://twitter.com/peepdf


** Dependencies **


- In order to analyse Javascript code "PyV8" is needed:

    http://code.google.com/p/pyv8/


- The "sctest" command is a wrapper of "sctest" (libemu). Besides libemu pylibemu is used and must be installed:

    http://libemu.carnivore.it (latest version from git repository, Sourceforge package is outdated)
    https://github.com/buffer/pylibemu


- Included modules: lzw, ccitt (Thanks to all the developers!!)


** Installation **

Run, in peepdf directory

    easy_install .

The setup script handles the installation of jsbeautifier, colorama, pythonaes and lxml


** Execution **

There are two important options when peepdf is executed:

-f: Ignores the parsing errors. Analysing malicious files propably leads to parsing errors, so this parameter should be set.
-l: Sets the loose mode, so does not search for the endobj tag because it's not obligatory. Helpful with malformed files.


* Simple execution

Shows the statistics of the file after being decoded/decrypted and analysed:

    peepdf.py [options] pdf_file


* Interactive console

Executes the interactive console to let play with the PDF file:

    peepdf.py -i [options] pdf_file

If no PDF file is specified it's possible to use the decode/encode/js*/sctest commands and create a new PDF file:

    peepdf.py -i


* Batch execution

It's possible to use a commands file to specify the commands to be executed in the batch mode. This type of execution is good to automatise analysis of several files:

    peepdf.py [options] -s commands_file pdf_file



** Updating **

The option has been desactivated as it is not working for now.
To update, cd to peepdf directory and type:

    git pull origin master
    easy_install .



** Some hints **

If the information shown when a PDF file is parsed is not enough to know if it's harmful or not, the following commands can help to do it:

* tree

Shows the tree graph of the file or specified version. Here we can see suspicious elements.


* offsets 

Shows the physical map of the file or the specified version of the document. This is helpful to see unusual big objects or big spaces between objects.


* search

Search the specified string or hexadecimal string in the objects (decoded and encrypted streams included).


* object/rawobject

Shows the (raw) content of the object.


* stream/rawstream

Shows the (raw) content of the stream.


* The rest of commands, of course

> help



** Bugs **

Send me bugs and comments, please!! ;) You can do it via mail (jesparza AT eternal-todo.com) or through Github (https://github.com/jesparza/peepdf/issues).

Thanks!!
