What is it?

origami is a Ruby framework designed to parse, analyze, and forge PDF documents. This is NOT a PDF rendering library. It aims to provide a scripting tool for generating and analyzing malicious PDF files. It can also be used to create customized PDFs on the fly, or to inject (evil) code into existing documents.

Features

  • Create PDF documents from scratch.
  • Parse existing documents, modify them and recompile them.
  • Explore documents at the object level, going deep into the document structure, uncompressing PDF object streams and deobfuscating names and strings.
  • High-level operations, such as encryption/decryption, signatures, file attachments...
  • A GTK interface to quickly browse the document contents.

origami walker

Quick look

# Load the library and import its namespace.
require 'origami'
include Origami

# Create a simple PDF document.
contents = ContentStream.new
contents.write 'I AM EMPTY',
  :x => 350, :y => 750, :rendering => Text::Rendering::STROKE, :size => 15
PDF.new.append_page(Page.new.setContents(contents)).save('empty.pdf')

# Read a PDF document and add an action.
pdf = PDF.read("foo.pdf")
pdf.onDocumentOpen Action::URI.new('http://google.com')
pdf.save('bar.pdf')

# Return an array of objects whose name begins with 'JS'
pdf.ls(/^JS/)

# Return an array of objects containing '/bin/sh'
pdf.grep('/bin/sh')

# Add a JS script to execute on first page.
pdf.pages.first.onOpen Action::JavaScript.new('app.alert("Hello");')

# Attach an embedded file to a document
pdf.attach_file('other_doc.pdf')

Full scripts

We provide some scripts helping to perform common actions on PDF files. Feel free to send us your own scripts at origami(at)security-labs.org.

  • pdfcop: A PDF filtering engine, performing an automated analysis given a configured policy.
  • pdfdecrypt: Decrypts a PDF file.
  • pdfencrypt: Encrypts a PDF file.
  • pdfdecompress: Removes any compression/encoding from a document.
  • pdfcocoon: Embeds a document into another and makes it open at startup.
  • pdfmetadata: Retrieves metadata out of a document.
  • pdf2graph: Generates a DOT or GraphML file out of a document.
  • pdf2ruby: Generates a Ruby script from a document, that Origami can recompile into the same original document.

More to come in upcoming releases...
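
Why the name deobfuscation listed under Features matters when filtering documents against a policy: PDF names may carry #xx hex escapes, so a plain keyword match misses them. The following is an added example in pure Ruby, not Origami code and not how pdfcop is implemented; the function names, the flagged-key list and the sample fragment are assumptions made for the illustration.

```ruby
# Keys a filtering policy might flag (assumed list, chosen for this example).
SUSPICIOUS_NAMES = %w[JavaScript JS OpenAction AA Launch EmbeddedFile].freeze

# Decode the #xx hex escapes that PDF allows inside a name token.
def decode_pdf_name(raw)
  raw.gsub(/#([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Return every name token found in the raw bytes as [raw, decoded] pairs.
# The data is treated as binary so non-text bytes cannot break the scan.
def pdf_names(data)
  data.b.scan(/\/([^\s()<>\[\]{}\/%]+)/).flatten
      .map { |raw| [raw, decode_pdf_name(raw)] }
end

# Report names matching the policy, noting which were hidden behind escapes.
def audit_names(data, policy = SUSPICIOUS_NAMES)
  pdf_names(data).select { |_, name| policy.include?(name) }
                 .map { |raw, name| { name: name, raw: raw, obfuscated: raw != name } }
end

# Constructed sample: a fragment of a PDF body, not a real document.
SAMPLE = <<~'PDF'
  1 0 obj
  << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >>
  endobj
  3 0 obj
  << /S /J#61vaScript /JS (app.alert("Hello");) >>
  endobj
PDF

if __FILE__ == $PROGRAM_NAME
  audit_names(SAMPLE).each do |hit|
    flag = hit[:obfuscated] ? ' (hex-escaped)' : ''
    puts "/#{hit[:name]} written as /#{hit[:raw]}#{flag}"
  end
end
```

A raw byte scan like this cannot see names inside compressed object streams, which is why the uncompression step listed under Features has to come first on real documents.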

Download

Current stable version in Rubygems:

gem install origami

Development version available on GoogleCode

Mailing List

A mailing list is now hosted on Google Groups

License

LGPL

Author & Contributors

  • Guillaume Delugré: Lead developer
  • Fred Raynal: Contributor
  • Contact: origami(at)security-labs.org