pdfalyzer 1.16.9__py3-none-any.whl → 1.16.10__py3-none-any.whl

.pdfalyzer.example

@@ -0,0 +1,66 @@
+# If you place a filed called '.pdfalyzer' in your home dir or the current dir environment variables specified
+# in that .pdfalyzer file will be added to the environment each time pdfalyzer is invoked. (See the `dotenv`
+# package for more details.) This file contains environment variables you can place in .pdfalyzer to configure
+# the application above and beyond providing command line options.  Useful if you want to permanently
+# configure options you tend to reuse (e.g. '--maximize-width') so you can stop remembering to type them.
+#
+# Almost all of the yaralyzer (yes, you read that right - The Pdfalyzer uses The Yaralyzer for all
+# kinds of backend functionality) command line options can be configured in this file by capitalizing them and
+# prefixing 'YARALYZER'. e.g. to configure the --maximize-width option for every invocation, you would set:
+# YARALYZER_MAXIMIZE_WIDTH=True
+#
+# Note that many of these options are actually configuring the yaralyzer, which is a separate tool leveraged
+# by the Pdfalyzer to actually do the work of finding patterns. More info can be found at
+# https://github.com/michelcrypt4d4mus/yaralyzer
+
+
+
+# Expand the width of the output to the fit the display window (same as the --maximize-width options)
+#    YARALYZER_MAXIMIZE_WIDTH=True
+
+# yara-python internal options passed through to yara.set_config() as the stack_size and max_match_data arguments
+#    YARALYZER_STACK_SIZE=10485760
+#    YARALYZER_MAX_MATCH_LENGTH=10737418240
+
+# Suppress all PDF binary regex matching/scanning/etc
+#    YARALYZER_SUPPRESS_DECODES_TABLE=False
+
+# Suppress the display of the table showing the the encoding assessments given by `chardet.detect()`
+# about a particular chunk of binary data. (The most important data in the chardet confidence table is
+# redunandant anyways. Only the low likelihood encodings are hidden from the usef)
+#    YARALYZER_SUPPRESS_CHARDET_TABLE=False
+# Minimum confidence to display an encoding in the chardet results table
+#    YARALYZER_MIN_CHARDET_CONFIDENCE=2.0
+
+# Configure how many bytes before and after any binary data should be included in scans and visualizations
+#    YARALYZER_SURROUNDING_BYTES=64
+
+# Size thresholds (in bytes) under/over which pdfalyzer will NOT make attempts to decode a match.
+# Longer byte sequences are for obvious reasons slower to decode by force.
+# It may feel counterintuitive but larger chunks of random binary are also harder to examine and
+# (in my experience) less likely to be maningful. Consider it - two frontslash characters 20,000 lines apart
+# are more likely to be random than those same frontslashes when placed nearer to each other and
+# in the vicinity of lot of computerized sigils of internet power like `.', `+bacd*?`,. and other regexes.*
+# Keeping the max value number low will do more to affect the speed of the app than ay anything else you
+# can easily configure..
+#
+#    YARALYZER_MIN_DECODE_LENGTH=1
+#    YARALYZER_MAX_DECODE_LENGTH=256
+
+# Directory to write application logs to. Must be an absolute path, not a relative one.
+# These logs are not normally written to a file and the default log level means that the standard behavior
+# is to more or less discard them. Be aware that if you configure this variable a few things will change:
+#
+#   1. Logs WILL NOT be written to STDOUT. They will stream ONLY to files in the configured directory.
+#      This is true even with the -D option.
+#   2. The default log_level will be decreased from WARN (extremely spartan) to INFO (fairly verbose).
+#      The -D option, which sets the log level to DEBUG, will be respected whether or not
+#      YARALYZER_LOG_DIR is configured.
+#
+#     YARALYZER_LOG_DIR=/path/to/pdfalyzer/log_dir/
+
+# Log level
+#     YARALYZER_LOG_LEVEL='INFO'
+
+# Path to directory containing Didier Stevens's pdf-parser.py. Only required for extracting binary streams to files.
+#     PDFALYZER_PDF_PARSER_PY_PATH=/path/to/pdfparserdotpy/

CHANGELOG.md

@@ -1,5 +1,9 @@
 # NEXT RELEASE
 
+### 1.16.10
+* Add `Environment :: Console` and `Programming Language :: Python` to pypi classifiers
+* Add `.pdfalyzer.example` to PyPi package
+
 ### 1.16.9
 * Add `Development Status :: 5 - Production/Stable` to pypi classifiers
 

pdfalyzer/binary/binary_scanner.py

@@ -12,8 +12,8 @@ from yaralyzer.decoding.bytes_decoder import BytesDecoder
 from yaralyzer.encoding_detection.character_encodings import BOMS
 from yaralyzer.helpers.bytes_helper import hex_string, print_bytes
 from yaralyzer.helpers.string_helper import escape_yara_pattern
-from yaralyzer.output.rich_console import BYTES_NO_DIM, console, console_width
 from yaralyzer.output.regex_match_metrics import RegexMatchMetrics
+from yaralyzer.output.rich_console import BYTES_NO_DIM, console, console_width
 from yaralyzer.yara.yara_rule_builder import HEX, REGEX, safe_label
 from yaralyzer.yaralyzer import Yaralyzer
 from yaralyzer.util.logging import log

pdfalyzer/config.py

@@ -1,3 +1,7 @@
+"""
+PdfalyzerConfig object holds the unification of configuration options parsed from the command line
+as well as those set by environment variables and/or a .pdfalyzer file.
+"""
 import importlib.resources
 from argparse import Namespace
 from os import environ, pardir, path

pdfalyzer/font_info.py

@@ -2,7 +2,6 @@
 Unify font information spread across a bunch of PdfObjects (Font, FontDescriptor,
 and FontFile) into a single class.
 """
-
 from pypdf._cmap import build_char_map, prepare_cm
 from pypdf.generic import IndirectObject, PdfObject
 from rich.text import Text
@@ -11,9 +10,9 @@ from yaralyzer.util.logging import log
 
 from pdfalyzer.binary.binary_scanner import BinaryScanner
 from pdfalyzer.output.character_mapping import print_character_mapping, print_prepared_charmap
-from pdfalyzer.output.tables.font_summary_table import font_summary_table
 from pdfalyzer.output.layout import print_section_subheader
 from pdfalyzer.output.styles.node_colors import get_label_style
+from pdfalyzer.output.tables.font_summary_table import font_summary_table
 from pdfalyzer.util.adobe_strings import (FONT, FONT_DESCRIPTOR, FONT_FILE, FONT_LENGTHS, RESOURCES,
      SUBTYPE, TO_UNICODE, TYPE, W, WIDTHS)
 

pdfalyzer/helpers/pdf_object_helper.py

@@ -20,6 +20,7 @@ def does_list_have_any_references(_list) -> bool:
 
 
 def _sort_pdf_object_refs(refs: List[PdfObjectRelationship]) -> List[PdfObjectRelationship]:
+    """Sort a list of PdfObjectRelationship objects by their to_obj's idnum. Only used by pytest."""
     return sorted(refs, key=lambda ref: ref.to_obj.idnum)
 
 

pdfalyzer/helpers/rich_text_helper.py

@@ -1,13 +1,11 @@
 """
-Functions for miscellaneous Rich text/string operations.
+Functions for miscellaneous Rich text/string pretty printing operations.
 """
 from typing import List, Union
 
 from pypdf.generic import PdfObject
 from rich.console import Console
-from rich.highlighter import RegexHighlighter, JSONHighlighter
 from rich.text import Text
-from yaralyzer.output.rich_console import console
 
 from pdfalyzer.helpers.pdf_object_helper import pypdf_class_name
 from pdfalyzer.output.styles.node_colors import get_label_style, get_class_style_italic

pdfalyzer/output/layout.py

@@ -1,5 +1,5 @@
 """
-Methods to help with the design of the output
+Methods to help with the formatting of the output tables, headers, panels, etc.
 """
 from rich import box
 from rich.padding import Padding

pdfalyzer/output/pdfalyzer_presenter.py

@@ -23,9 +23,9 @@ from pdfalyzer.detection.yaralyzer_helper import get_bytes_yaralyzer, get_file_y
 from pdfalyzer.helpers.string_helper import pp
 from pdfalyzer.output.layout import (print_fatal_error_panel, print_section_header, print_section_subheader,
      print_section_sub_subheader)
+from pdfalyzer.output.tables.decoding_stats_table import build_decoding_stats_table
 from pdfalyzer.output.tables.pdf_node_rich_table import generate_rich_tree, get_symlink_representation
 from pdfalyzer.output.tables.stream_objects_table import stream_objects_table
-from pdfalyzer.output.tables.decoding_stats_table import build_decoding_stats_table
 from pdfalyzer.pdfalyzer import Pdfalyzer
 from pdfalyzer.util.adobe_strings import *
 
@@ -91,7 +91,6 @@ class PdfalyzerPresenter:
           2. Check for (and force decode) dangerous PDF instructions like /JavaScript and /OpenAction
           3. Check for (and force decode) any BOMs (byte order marks)
           4. Check for (and force decode) any sequences of bytes between quotes
-
         """
         print_section_header(f'Binary Stream Analysis / Extraction')
         console.print(self._stream_objects_table())
@@ -109,6 +108,7 @@ class PdfalyzerPresenter:
                 log.warning(msg)
                 node_stream_bytes = node_stream_bytes.encode()
 
+            console.line()
             print_section_subheader(f"{escape(str(node))} Summary and Analysis", style=f"{BYTES_HIGHLIGHT} reverse")
             binary_scanner = BinaryScanner(node_stream_bytes, node)
             console.print(bytes_hashes_table(binary_scanner.bytes))

pdfalyzer/output/tables/decoding_stats_table.py

@@ -1,3 +1,6 @@
+"""
+Helper functions for building a table that summarizes the decoding attempts made on binary data.
+"""
 from numbers import Number
 
 from rich.table import Table
@@ -13,6 +16,7 @@ NOT_FOUND_MSG = Text('(not found)', style='grey.dark_italic')
 REGEX_SUBTABLE_COLS = ['Metric', 'Value']
 DECODES_SUBTABLE_COLS = ['Encoding', '#', 'Decoded', '#', 'Forced', '#', 'Failed']
 
+
 def build_decoding_stats_table(scanner: 'BinaryScanner') -> Table:
     """Diplay aggregate results on the decoding attempts we made on subsets of scanner.bytes"""
     stats_table = _new_decoding_stats_table(scanner.label.plain if scanner.label else '')

pdfalyzer/output/tables/stream_objects_table.py

@@ -1,7 +1,6 @@
 """
 Build a rich table to show the sizes of embedded streams.
 """
-
 from typing import List
 
 from rich.table import Table

pdfalyzer/util/adobe_strings.py

@@ -1,7 +1,6 @@
 """
 String constants specified in the Adobe specs for PDFs, fonts, etc.
 """
-
 from pypdf.constants import (CatalogDictionary, ImageAttributes, PageAttributes,
      PagesAttributes, Resources)
 

pdfalyzer/util/argument_parser.py

@@ -1,5 +1,8 @@
+"""
+Parse command line arguments for pdfalyzer and construct the PdfalyzerConfig object.
+"""
 import sys
-from argparse import ArgumentError, ArgumentParser, Namespace
+from argparse import ArgumentParser, Namespace
 from collections import namedtuple
 from functools import partial, update_wrapper
 from importlib.metadata import version

{pdfalyzer-1.16.9.dist-info → pdfalyzer-1.16.10.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: pdfalyzer
-Version: 1.16.9
+Version: 1.16.10
 Summary: A PDF analysis toolkit. Scan a PDF with relevant YARA rules, visualize its inner tree-like data structure in living color (lots of colors), force decodes of suspicious font binaries, and more.
 Home-page: https://github.com/michelcrypt4d4mus/pdfalyzer
 License: GPL-3.0-or-later
@@ -9,8 +9,10 @@ Author: Michel de Cryptadamus
 Author-email: michel@cryptadamus.com
 Requires-Python: >=3.9.2,<4.0.0
 Classifier: Development Status :: 5 - Production/Stable
+Classifier: Environment :: Console
 Classifier: Intended Audience :: Information Technology
 Classifier: License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)
+Classifier: Programming Language :: Python
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
@@ -304,12 +306,6 @@ These are the naming conventions at play in The Pdfalyzer code base:
 * [`PyPDF` documentation](https://pypdf.readthedocs.io/en/stable/) (latest is 4.x or something so these are the relevant docs for `pdfalyze`)
 
 
-# TODO
-* Highlight decodes with a lot of Javascript keywords
-* https://github.com/mandiant/flare-floss (https://github.com/mandiant/flare-floss/releases/download/v2.1.0/floss-v2.1.0-linux.zip)
-* https://github.com/1Project/Scanr/blob/master/emulator/emulator.py
-
-
 [^1]: The official Adobe PDF specification calls this tree the PDF's "logical structure", which is a good example of nomenclature that does not help those who see it understand anything about what is being described. I can forgive them given that they named this thing back in the 80s, though it's a good example of why picking good names for things at the beginning is so important.
 
 [^2]: An exception will be raised if there's any issue placing a node while parsing or if there are any nodes not reachable from the root of the tree at the end of parsing. If there are no exceptions then all internal PDF objects are guaranteed to exist in the tree except in these situations when warnings will be printed:

{pdfalyzer-1.16.9.dist-info → pdfalyzer-1.16.10.dist-info}/RECORD

@@ -1,9 +1,10 @@
-CHANGELOG.md,sha256=EvbWGXHL4_rqkwzObtVhY0QL58O4gP4uE0Z9JaqSAEA,12307
+.pdfalyzer.example,sha256=sh_qkUBw4hfJia_Dx2wB-fsqJInhx2sSgA7WJz3MHYo,3917
+CHANGELOG.md,sha256=ERsstc38Mfv5mBUifZK8OGPQEJJ-3Ci5O3sllSnUzcg,12451
 LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
 pdfalyzer/__init__.py,sha256=q8qSdGdyUYmTYGOp_d2bRCCFASnlVt4wa-DlBikD5-M,5362
 pdfalyzer/__main__.py,sha256=Ko_AoAyYMLIe_cmhiUSl6twheLZrGyT8aOSJ2CP7EZY,43
-pdfalyzer/binary/binary_scanner.py,sha256=7NrXx8GB2gpb04oR2bcZJKkOXOlzn2hWpcGlcYMqSfs,10217
-pdfalyzer/config.py,sha256=oN-pVR037lt3giRsnsm4c8ku5hCW8ChFqYFi9V7w1qU,1918
+pdfalyzer/binary/binary_scanner.py,sha256=6U0MmVRww3eNjUyQB9vKBWaN5QA4usJLchupGepnVao,10217
+pdfalyzer/config.py,sha256=4YMDZu3-t5RSGckjN9bT5LzXyhwHXcxi4QjzVQ4-N6U,2097
 pdfalyzer/decorators/document_model_printer.py,sha256=2tjJItZltukmOD2wjGvl2IsBM7Gug59wMHGLpzGDbV0,2682
 pdfalyzer/decorators/indeterminate_node.py,sha256=ivB6dX5aN8W9m0ksXhmUcixnjYjnuE7DARalH-nMjxY,6616
 pdfalyzer/decorators/pdf_object_properties.py,sha256=I7kix5hXNguAH2VW2uINIZRHJ8xYS4JGfc6Aiakyh4c,5522
@@ -13,26 +14,26 @@ pdfalyzer/detection/constants/binary_regexes.py,sha256=eFx1VVAOzxKmlacbGgicDCp1f
 pdfalyzer/detection/constants/javascript_reserved_keywords.py,sha256=CXXdWskdQa0Hs5wCci2RBVvipgZg34_cLfmkWG4Xcmg,991
 pdfalyzer/detection/javascript_hunter.py,sha256=_wT2vkKTMlm_RGCjYsmwcmV-ag1qep3EpkHmUw0nWcQ,711
 pdfalyzer/detection/yaralyzer_helper.py,sha256=KLGhX9qDB7eeuBbdl6mPRP1GivKkMZa79DPMTzq7b1c,2342
-pdfalyzer/font_info.py,sha256=0NQ6g4q3pTdirwGjJhur8HkXQlC732cR7IhilO33g2A,6663
+pdfalyzer/font_info.py,sha256=Ao_y035iFBeaEf_V0WhCVdWfa1HuLnyOWRQpW5Z-MKM,6662
 pdfalyzer/helpers/dict_helper.py,sha256=2TP0_EJBouaWD6jfnAekrEZ4M5eHKL8Tm61FgXZtBAg,303
 pdfalyzer/helpers/filesystem_helper.py,sha256=1clV0mqKFJUJC4xU2q_ApklpHCqCclxJAVJwRp93OF0,4110
 pdfalyzer/helpers/number_helper.py,sha256=8IlRmaOVLJsUV18VLvWRZU8SzRxL0XZjrY3sjmk2Ro4,292
-pdfalyzer/helpers/pdf_object_helper.py,sha256=Ija6cWKfFQRXCfZv2ezU1V2v0KFDn9f4ayeX8eG9GmI,1102
-pdfalyzer/helpers/rich_text_helper.py,sha256=j4zs41T94vjkr9e86ZVQRKYiUBjoZyZMdVJ4d4uiON8,2239
+pdfalyzer/helpers/pdf_object_helper.py,sha256=2JTn2hpAB7KSxaoid20JVgLjQZqD_0IHknYfrfguLQU,1203
+pdfalyzer/helpers/rich_text_helper.py,sha256=5fOXBDHKzh6RvJV8NK20R97MIIluuhDFVowWiVFRMAQ,2142
 pdfalyzer/helpers/string_helper.py,sha256=75EDEFw3UWHvWF32WtvZVBbqYY3ozO4y30dtH2qVMX0,2278
 pdfalyzer/output/character_mapping.py,sha256=MtC3jKdtMaugi5038fne0T_SFSo9QU4lZl_s7bW7gzI,2092
-pdfalyzer/output/layout.py,sha256=E58T9Tl6BYZTDsj6ouMr1J5SSUiXa7timUNxnOI2IzI,2149
-pdfalyzer/output/pdfalyzer_presenter.py,sha256=CSboSnYFlkgOfwMf3TcoTTJY6FLXJ9OulI9UieSTJeE,8492
+pdfalyzer/output/layout.py,sha256=lAJQiu76E-_5MRghpRK7zuXqkhWI7ZjsptfadXXZQF8,2183
+pdfalyzer/output/pdfalyzer_presenter.py,sha256=WG8H9kGdz5W15cS3DliUZ-7_0mjSGckiGUMNd4e9mLE,8518
 pdfalyzer/output/styles/node_colors.py,sha256=rfsTAUF43K_buw21SZoP6L5c_cLy7S-xA4GUiWJsDkc,3986
 pdfalyzer/output/styles/rich_theme.py,sha256=Y8QmuINlyZNIHvf3oD0CV3w2dC49NNKtvOChvudDCT8,1983
-pdfalyzer/output/tables/decoding_stats_table.py,sha256=mhQOiWhmovaC4sop38WcxStv_bIdAlQWUysAz5fW4MU,3461
+pdfalyzer/output/tables/decoding_stats_table.py,sha256=lVZUdEiI6R0t0cx4eryZSed4-pJ_Y2JvLZoOS4xNJz4,3567
 pdfalyzer/output/tables/font_summary_table.py,sha256=xfTqC7BlQd0agQf6nDDhkcJno7hru6mf9_xY1f5IDcw,2065
 pdfalyzer/output/tables/pdf_node_rich_table.py,sha256=7G-FLb_EUP50kZmYCTbo8Q6taU4xKp2QIGNOnQtYbNg,5908
-pdfalyzer/output/tables/stream_objects_table.py,sha256=nzCTci8Kqs8Pyghad3L5KWHDdIWRSrKCRNW8geA_rMo,707
+pdfalyzer/output/tables/stream_objects_table.py,sha256=PgQj8oTtW5_X8SMQb3FvCWDS-d4Zl6QiE44Qhiv7lTY,706
 pdfalyzer/pdf_object_relationship.py,sha256=ug-338eoXFdD4YtDWPdzcfxP2fQDQa-GE8I3m3a01TA,5339
 pdfalyzer/pdfalyzer.py,sha256=6JflqQJb2crXXaVA6DHHgWB45w2MBFB3pqE3AlZO5WI,11013
-pdfalyzer/util/adobe_strings.py,sha256=F1MOBtSyIuF5HPmzWDr8MgnLyVodOsZSy4AFFCMHq_Y,5033
-pdfalyzer/util/argument_parser.py,sha256=hC0CLZPIXerP9Z0WZYE4Vj8wEPLwo3KpA-iRio6VKm0,11918
+pdfalyzer/util/adobe_strings.py,sha256=yZPVULsnXZ6GIqWhyXlQdcqzo_4_OJQzUz-uJZGWu-I,5032
+pdfalyzer/util/argument_parser.py,sha256=CJpWsycG9SCFE0SRXVCuQqPcgI6nwR8k3RzqMguDnhE,11996
 pdfalyzer/util/debugging.py,sha256=nE64VUQbdu2OQRC8w8-AJkMtBOy8Kf3mjozuFslfWsw,156
 pdfalyzer/util/exceptions.py,sha256=XLFFTdx1n6i_VCmvuzvIOCa-djJvGEitfo9lhy3zq0k,98
 pdfalyzer/util/pdf_parser_manager.py,sha256=FVRYAYsCd0y5MAm--qvXnwCZnDtB3x85FdJtb-gpyw4,3109
@@ -42,8 +43,8 @@ pdfalyzer/yara_rules/__init.py__,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hS
 pdfalyzer/yara_rules/didier_stevens.yara,sha256=4XhqafU09xzYUP7LCygHHBXOpAXUblJf6Tkn37MUy0w,7253
 pdfalyzer/yara_rules/lprat.static_file_analysis.yara,sha256=i0CwRH8pBx_QshKFTQtr1CP5n378EZelsF2FxMY2y5A,21859
 pdfalyzer/yara_rules/pdf_malware.yara,sha256=jDqSTP5BQSi2I_1xZiFZdy68I4oVWDat2j08-qdfbto,91063
-pdfalyzer-1.16.9.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
-pdfalyzer-1.16.9.dist-info/METADATA,sha256=KfbRZuBph56FwH16RaEEfjuUf6Kxsfmb2P5QQF4rYjk,26228
-pdfalyzer-1.16.9.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
-pdfalyzer-1.16.9.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
-pdfalyzer-1.16.9.dist-info/RECORD,,
+pdfalyzer-1.16.10.dist-info/LICENSE,sha256=OXLcl0T2SZ8Pmy2_dmlvKuetivmyPd5m1q-Gyd-zaYY,35149
+pdfalyzer-1.16.10.dist-info/METADATA,sha256=Hdbh0DetO-jbNYELTwLRh4Z0Dy6Y7V7aAzD0rQEDbEw,26043
+pdfalyzer-1.16.10.dist-info/WHEEL,sha256=d2fvjOD7sXsVzChCqf0Ty0JbHKBaLYwDbGQDwQTnJ50,88
+pdfalyzer-1.16.10.dist-info/entry_points.txt,sha256=aZurgt-Xg3pojS7oTRI4hNLpK1hO4kTfChf0x2eQoD8,147
+pdfalyzer-1.16.10.dist-info/RECORD,,