Let’s take a look at the newly introduced actions:
Even when 'eval' calls are not actually executed, their argument is still printed out for the user to inspect. When 'eval' calls are executed, the result (if any) is printed out as well.
js_eval: print('hello world'); 1 + 1
js_print: hello world
The debugger can be executed as a stand-alone utility (jsdbg.exe) as well.
It shouldn’t take long before the new version is ready and then we’ll see these features in action against some real world samples. Stay tuned!
The upcoming version 0.8.0 of the Profiler features the computation of entropy and its representation through a graphical plot. The algorithm used for the calculation is the one described by Ero Carrera on his blog.
When foreign data is present in a file, its entropy is automatically calculated. This is important because foreign data can be completely harmless, and entropy analysis helps a great deal in evaluating how risky it is.
In this case the analyzed PDF contains 0x0A separators between objects, and since it contains many objects there is also a lot of foreign data. However, since the entropy is extremely low, it is reasonable to assume that the foreign data serves no purpose.
Let’s take a look at a malicious PDF with foreign data. As one can see, the entropy is very high in this case.
Of course, it's also possible to calculate the entropy in any hex view for a custom range of bytes and a custom block size through the action Data->Entropy. This is the entropy plot for an entire malicious PDF with a block size of 256 bytes.
The encrypted malware begins at the position where the entropy rises and then remains steady.
In the future the plot control will be exposed to the Python SDK so that plugin writers can use it too.
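To make the two observations above concrete (foreign data made of 0x0A separators scoring an entropy of zero, and an encrypted payload showing up as the point where the per-block entropy rises and stays high), here is an added, self-contained Python example. It is not the Profiler's own code or SDK: it computes Shannon entropy per byte with the usual -sum(p * log2(p)) formula, evaluates it over consecutive 256-byte blocks as the plot does, and walks the resulting values to find the offset where the high-entropy region begins. The sample file, the threshold and the run length are constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0):
    H = -sum(p_i * log2(p_i)) over the frequency p_i of each byte value."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_plot(data: bytes, block_size: int = 256) -> list:
    """One entropy value per consecutive block, i.e. the series the plot
    draws. The final block may be shorter than block_size."""
    return [shannon_entropy(data[i:i + block_size])
            for i in range(0, len(data), block_size)]


def locate_high_entropy_region(data: bytes, block_size: int = 256,
                               threshold: float = 6.5, min_run: int = 3):
    """Byte offset where the entropy rises above `threshold` and stays there
    for at least `min_run` consecutive blocks, or None if it never does.

    Assumption: threshold and run length are heuristics chosen here, not
    Profiler settings. The threshold sits below 7 on purpose: with only 256
    samples over 256 possible byte values, even perfectly random data scores
    roughly 7.2 bits per byte rather than 8, so a per-block threshold of 7.5
    would miss encrypted payloads at this block size."""
    values = entropy_plot(data, block_size)
    for i in range(len(values) - min_run + 1):
        if all(v >= threshold for v in values[i:i + min_run]):
            return i * block_size
    return None


def _build_sample() -> bytes:
    """Constructed stand-in for a malicious PDF: 1024 bytes of repetitive
    object syntax and 0x0A separators (low entropy), followed by 2048 bytes
    of a deterministic SHA-256 chain standing in for the encrypted payload
    (high entropy). Deterministic so that the result is reproducible."""
    obj = b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n\n"
    header = (b"%PDF-1.4\n" + obj * 40)[:1024].ljust(1024, b"\n")
    payload, block = b"", b"seed"
    while len(payload) < 2048:
        block = hashlib.sha256(block).digest()
        payload += block
    return header + payload[:2048]


SAMPLE = _build_sample()


if __name__ == "__main__":
    # Foreign data consisting only of separators: entropy is exactly zero.
    print("separators:", shannon_entropy(b"\x0a" * 512))
    for i, h in enumerate(entropy_plot(SAMPLE)):
        print(f"block {i:2d} @ 0x{i * 256:04x}: {h:.2f}")
    print("high-entropy region starts at offset", locate_high_entropy_region(SAMPLE))
```

Running it prints zero for the separator-only data, a plot of around 4.5 bits per byte for the first four blocks, a jump to over 7 from block 4 onwards, and offset 1024 as the start of the encrypted region. Small blocks give a jagged plot but localise the boundary precisely; larger blocks give smoother values at the cost of resolution, which is why the block size is exposed as a parameter.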
With the release of version 0.7.7 we've bundled a new Python action that is particularly useful when dealing with unformatted XML.
The following is an excerpt of an embedded XML file taken from a malicious PDF document.
Because the focus is on security, this beautifier makes no attempt to validate the content of the document, which also has the advantage of making it faster than tree-based indenters.
As a side note, this plugin works with any SGML-based markup, such as HTML and XHTML.
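As an added illustration of the design choice just described (and not the Profiler action's own code), here is a small Python indenter that works the way a non-validating beautifier has to: it scans the markup left to right for tags, comments, CDATA sections and processing instructions, and only shifts an indentation level on opening and closing tags. No tree is built, nothing is checked for well-formedness, and the depth is clamped at zero, so a hostile or truncated document with unbalanced tags cannot make it fail; it simply comes out less nicely indented. The HTML void-element list and the sample XFA-style fragment are assumptions constructed for the example.

```python
import re

# Tokens, in priority order: comment, CDATA, processing instruction, any other
# tag, then runs of text. No grammar beyond this is applied to the input.
_TOKEN = re.compile(
    r"<!--.*?-->|<!\[CDATA\[.*?\]\]>|<\?.*?\?>|<[^>]*>|[^<]+", re.S)

# HTML elements that never have a closing tag (assumed list for the example),
# so they must not increase the depth when the input is HTML.
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
         "meta", "param", "source", "track", "wbr"}


def beautify_markup(text: str, indent: str = "  ") -> str:
    """Indent unformatted XML/HTML without parsing it into a tree.

    Closing tags decrease the depth (never below zero), opening tags increase
    it, and comments, CDATA, declarations, processing instructions and
    self-closing or void tags leave it unchanged. Unbalanced input is
    tolerated rather than rejected."""
    out = []
    depth = 0
    for m in _TOKEN.finditer(text):
        tok = m.group(0)
        if not tok.startswith("<"):
            tok = tok.strip()           # text node: collapse surrounding whitespace
            if tok:
                out.append(indent * depth + tok)
            continue
        if tok.startswith("</"):
            depth = max(depth - 1, 0)   # stray closing tags cannot go negative
            out.append(indent * depth + tok)
            continue
        out.append(indent * depth + tok)
        if tok.startswith(("<!", "<?")) or tok.endswith("/>"):
            continue                    # comment, CDATA, doctype, PI, self-closing
        name = re.match(r"<([A-Za-z][^\s/>]*)", tok)
        if name and name.group(1).lower() in _VOID:
            continue                    # HTML void element: no closing tag follows
        depth += 1
    return "\n".join(out)


# Constructed sample resembling an XFA form stream embedded in a PDF,
# all on one line as it would be extracted from the document.
SAMPLE_XML = (
    '<?xml version="1.0"?><xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
    '<config><present><pdf><interactive>1</interactive></pdf></present></config>'
    '<template><subform name="form1"><field name="f1"/><!-- generated -->'
    '</subform></template></xdp:xdp>'
)


if __name__ == "__main__":
    print(beautify_markup(SAMPLE_XML))
    print()
    # Deliberately broken input: the indenter still produces output.
    print(beautify_markup("</a></b><c>x<p>a<br>b</p>"))
```

The single regular expression does all the lexing, which is what makes this approach faster than a tree-based indenter on large streams: the cost is linear in the input and there is no DOM to build. The trade-off is visible with the broken input: tags that a parser would reject are just printed at the current depth, which is exactly the behaviour wanted when the document being inspected was crafted to confuse parsers in the first place.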
Coming with the new 0.7.4 release, the Pastebin action is a handy tool for easy sharing of text-based content with colleagues and friends.
Thanks to the new property editor, the full feature set has been implemented: besides the usual options such as syntax highlighting, title and content, the user can also change the visibility setting and decide for how long the content should remain available online.
A security confirmation check has also been added to avoid unintentional disclosure of information. 🙂