Analysing malicious PDF documents and shellcode
It’s time for another video post, and this time we’re going to look at a malicious PDF document attempting to exploit a known vulnerability in the Collab.collectEmailInfo() function. We’re going to show how you can extract the shellcode and perform some static code analysis using tools like HT and IDA Pro.
For reference, here are the tools used in the video:
Hope you’ll find it useful! :)
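A small static check of the kind the video walks through, added here as an example (it is not the post's own tooling): it locates JavaScript streams in a PDF, inflates them, flags a reference to Collab.collectEmailInfo and decodes the %u-encoded string into the raw bytes you would then load into HT or IDA. The PDF sample is constructed inline and the payload bytes are placeholders, not a real exploit.

```python
import re
import zlib

# Constructed sample (not a real exploit): one JavaScript action whose deflated
# stream calls the API named in the post; the %u payload is placeholder bytes.
SAMPLE_JS = ('var sc = unescape("%u4141%u4242%u9090");\n'
             'Collab.collectEmailInfo({msg: sc});\n')
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"5 0 obj\n<< /S /JavaScript /JS 6 0 R >>\nendobj\n"
              b"6 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
              + zlib.compress(SAMPLE_JS.encode()) +
              b"\nendstream\nendobj\n")

# Flat dictionaries only (no nested << >>); enough to locate simple JS streams.
STREAM_RE = re.compile(rb"<<([^>]*)>>\s*stream\n(.*?)\nendstream", re.S)
UNESCAPE_RE = re.compile(r'unescape\(\s*"((?:%u[0-9a-fA-F]{4})+)"\s*\)')
VULN_API = "Collab.collectEmailInfo"


def extract_streams(pdf):
    """Yield (dictionary, data) for each stream, inflating FlateDecode streams."""
    for dict_, raw in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or differently encoded: skip, do not crash
        yield dict_, raw


def decode_unescape(encoded):
    """Decode a %uXXXX string the way JavaScript unescape() lays it out in
    memory: each unit becomes two little-endian bytes, so %u9090 -> 90 90."""
    units = re.findall(r"%u([0-9a-fA-F]{4})", encoded)
    return b"".join(int(u, 16).to_bytes(2, "little") for u in units)


def analyse(pdf):
    """Return one finding per stream that references the vulnerable API,
    with every %u-encoded payload found in it decoded to raw bytes."""
    findings = []
    for _, data in extract_streams(pdf):
        text = data.decode("latin-1")
        if VULN_API not in text:
            continue
        payloads = [decode_unescape(m) for m in UNESCAPE_RE.findall(text)]
        findings.append({"api": VULN_API, "payloads": payloads})
    return findings
```

Run `analyse(SAMPLE_PDF)` and write each payload to a file to open in the disassembler; the same functions work on a real document read with `open(path, "rb").read()`.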


December 21st, 2008 at 15:35
[...] shellcode is just the same as the one analyzed here. it only changes the url from where to get the malicious [...]
May 25th, 2010 at 22:23
Old post, but very informative and a good video!
I have a question not concerning the main topic, but I’m wondering how you did the indenting in Emacs for the hashes. I mean, how you indent the values of the hashes array. I use vim and maybe I’ll find a solution afterwards.
thx for the info,
cobalt
May 25th, 2010 at 23:06
Hi Cobalt, glad you enjoyed the video! Regarding indentation in emacs – that is done by pressing “ctrl-i” :-)
May 26th, 2010 at 09:38
Thx for your reply, mkrakvik.
I tried it in Emacs, but I didn’t get the result I wished for with ctrl + i. In your video, you get the following when indenting the value in hashes:
First the code looks like this:
hashes = [0x0000,
0000,
0000]
and after one move on the 2nd line:
hashes = [0x0000,
          0000,
          0000]
I have to press ctrl + i three times to get to this position.
Maybe you have some configs in your .emacs file?
Thx very much for the help! I saw this one-move array indenting for the first time in your video and have now been searching for some days for a shortcut in vim…
cobalt
May 26th, 2010 at 09:57
I don’t have anything custom in my .emacs file. Is python-mode (M-x python-mode) enabled in your Emacs?
May 26th, 2010 at 11:55
Great! In Emacs, it was the python-mode! Thx a lot! Keep up the good work!