Decalage

Articles and tools about Python, IT Security and more.

user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'Origapy is a Python interface to <a href=\"http://www.security-labs.org/origami/\">Origami</a>, a PDF parser written in Ruby. It provides access to pdfclean.rb, in order to sanitize PDF files by disabling all active content (javascript, launch actions, embedded files, etc). Because Origami is a full PDF parser, it is much more effective than <a href=\"/python/pdfid\">PDFiD</a> (when sanitizing/disarming PDF files), but also quite slower.\n', created = 1369255378, expire = 1369341778, headers = '', serialized = 0 WHERE cid = '1:949c0fcbcab403a93f62b0b87de8498f' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'PDF files may be used to trigger malicious content, as described <a href=\"/file_formats_security/pdf\">here</a>. <a href=\"http://blog.didierstevens.com/programs/pdf-tools/#pdfid\">PDFiD</a> is a Python tool to analyze and <a href=\"http://blog.didierstevens.com/2009/04/29/quickpost-disarming-a-pdf-file/\">sanitize</a> PDF files, written by <a href=\"http://blog.didierstevens.com/\">Didier Stevens</a>. Here is PDFiD_PL, a version that I have slightly modified so that it can be imported as a module in Python applications (originally for <a href=\"/exefilter\">ExeFilter</a>).\n', created = 1369255378, expire = 1369341778, headers = '', serialized = 0 WHERE cid = '1:487ef28ec4e7da5e3cf452d0bee140fb' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = '<div class=\"abstract\">\nPaper and presentation about visualization and dynamic risk assessment for cyber defence, presented at the <a href=\"http://www.sstic.org\">SSTIC</a> symposium on June 9 2010.\n</div>\n', created = 1369255378, expire = 1369341778, headers = '', serialized = 0 WHERE cid = '1:952d509612e7d3c12215f36caf21dd22' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'pyxmldsig is a Python module to create and verify <a href=\"http://www.w3.org/TR/xmldsig-core/\">XML Digital Signatures (XML-DSig)</a>. This is a simple interface to the <a href=\"http://pyxmlsec.labs.libre-entreprise.org\">PyXMLSec library</a>, aiming to provide a more pythonic API suitable for Python applications.\n', created = 1369255378, expire = 1369341778, headers = '', serialized = 0 WHERE cid = '1:062f8f6b85389ac7706c5e2daaff98ef' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'With Python 2.6+, that\'s quite simple:\n<pre>\nprint "{0:b}".format(i)\n</pre>', created = 1369255378, expire = 1369341778, headers = '', serialized = 0 WHERE cid = '1:80d63e09163f076e0e9b6dcaa377f9a8' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'This article explains how many common file formats (DOC, XLS, PDF, HTML, XML, RTF, ...) may hide or trigger malicious code (virus, Trojan horse, ...) using their native features such as active content (macros, Javascript, etc). It was presented at the SSTIC symposium and OSSIR in 2003.\n', created = 1369255378, expire = 1369341778, headers = '', serialized = 0 WHERE cid = '1:9e295a3df15b513a75c8c9480986f6a3' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = '<div class=\"content clear-block\">\nOn the 29 March 2010, Didier Stevens revealed in <a href=\"http://blog.didierstevens.com/2010/03/29/escape-from-pdf/\">his blog</a> that he found a way to launch an executable file stored in a PDF document, without using any JavaScript or buffer overflow. This short article shows how <a href=\"../../../../../../en/exefilter\">ExeFilter</a> can be used to sanitize such PDF files to block this type of attack.\n</div>\n', created = 1369255379, expire = 1369341779, headers = '', serialized = 0 WHERE cid = '1:abc1baebc0568938d81caed72e68f0a6' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'This is a Python course I have written to quickly teach Python to my colleagues and students, made of slides and samples for hands-on exercises. \n', created = 1369255379, expire = 1369341779, headers = '', serialized = 0 WHERE cid = '1:b6ae9afc341aaff83f9faced7e8501ac' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'This short article shows how <a href=\"http://www.decalage.info/en/exefilter\">ExeFilter</a> can be used to disable JavaScript in PDF files, which is effective against many Adobe Reader exploits discovered in 2009, including the recent zero-day <a href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4324\">CVE-2009-4324</a>.\n', created = 1369255379, expire = 1369341779, headers = '', serialized = 0 WHERE cid = '1:26a3a4617c329c506eaacb4c919d5239' in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
user warning: UPDATE command denied to user 'decalaged'@'10.0.95.30' for table 'cache_filter' query: UPDATE cache_filter SET data = 'This article (written in French) was presented at the <a href=\"http://www.sstic.org\">SSTIC</a> symposium on the 6th June 2008.\nIt describes several methods to perform malware analysis, especially on Windows platforms. It focuses in detail on dynamic analysis, also called runtime analysis or sandboxing. Dynamic malware analysis consists in running malicious code on a dedicated system, configured to record all its actions to determine its behaviour. It is then possible to quickly determine the nature of the malware and decide how to respond to an incident. The article also shows how to build a simple dynamic malware analysis lab at low cost, provides details about the methodology and suggests how to go further.\n', created = 1369255379, expire = 1369341779, headers = '', serialized in /homez.14/decalaged/www/drupal/includes/cache.inc on line 109.
warning: array_map() [function.array-map]: Argument #2 should be an array in /homez.14/decalaged/www/drupal/modules/system/system.module on line 1015.
warning: array_keys() [function.array-keys]: The first argument should be an array in /homez.14/decalaged/www/drupal/includes/theme.inc on line 1817.
warning: Invalid argument supplied for foreach() in /homez.14/decalaged/www/drupal/includes/theme.inc on line 1817.

Origapy - a Python module to sanitize PDF files

Origapy is a Python interface to Origami, a PDF parser written in Ruby. It provides access to pdfclean.rb, in order to sanitize PDF files by disabling all active content (javascript, launch actions, embedded files, etc). Because Origami is a full PDF parser, it is much more effective than PDFiD (when sanitizing/disarming PDF files), but also quite slower.

PDFiD - a Python module to analyze and sanitize PDF files

PDF files may be used to trigger malicious content, as described here. PDFiD is a Python tool to analyze and sanitize PDF files, written by Didier Stevens. Here is PDFiD_PL, a version that I have slightly modified so that it can be imported as a module in Python applications (originally for ExeFilter).

SSTIC10 - Visualization and Dynamic Risk Assessment for Cyber Defence

Security

Paper and presentation about visualization and dynamic risk assessment for cyber defence, presented at the SSTIC symposium on June 9 2010.

pyxmldsig - a Python module to create and verify XML Digital Signatures (XML-DSig)

pyxmldsig is a Python module to create and verify XML Digital Signatures (XML-DSig). This is a simple interface to the PyXMLSec library, aiming to provide a more pythonic API suitable for Python applications.

How to obtain the binary representation of an integer in Python

With Python 2.6+, that's quite simple:

print "{0:b}".format(i)

SSTIC03 - Malware and file formats

Security

This article explains how many common file formats (DOC, XLS, PDF, HTML, XML, RTF, ...) may hide or trigger malicious code (virus, Trojan horse, ...) using their native features such as active content (macros, Javascript, etc). It was presented at the SSTIC symposium and OSSIR in 2003.

ExeFilter vs. the Escape from PDF (CVE-2010-1240)

Submitted by decalage on Tue, 07/27/2010 - 05:33

Security

On the 29 March 2010, Didier Stevens revealed in his blog that he found a way to launch an executable file stored in a PDF document, without using any JavaScript or buffer overflow. This short article shows how ExeFilter can be used to sanitize such PDF files to block this type of attack.

Python crash course

This is a Python course I have written to quickly teach Python to my colleagues and students, made of slides and samples for hands-on exercises.

Using ExeFilter against PDF exploits and zero-days such as CVE-2009-4324

Submitted by decalage on Wed, 01/06/2010 - 20:30

This short article shows how ExeFilter can be used to disable JavaScript in PDF files, which is effective against many Adobe Reader exploits discovered in 2009, including the recent zero-day CVE-2009-4324.

SSTIC08 - Dynamic Malware Analysis for Dummies

Security

This article (written in French) was presented at the SSTIC symposium on the 6th June 2008.

It describes several methods to perform malware analysis, especially on Windows platforms. It focuses in detail on dynamic analysis, also called runtime analysis or sandboxing. Dynamic malware analysis consists in running malicious code on a dedicated system, configured to record all its actions to determine its behaviour. It is then possible to quickly determine the nature of the malware and decide how to respond to an incident. The article also shows how to build a simple dynamic malware analysis lab at low cost, provides details about the methodology and suggests how to go further.