Using libemu to create malware flow graph
Muhammad Najmi Ahmad Zabidi
In this paper I document my personal experience: the process of extracting shellcode from PDF malware and later rendering it as a Graphviz picture. Most of the examples are adapted from the tutorial given by [Jeremy, 2008].
In this write-up I will show you how to extract shellcode from PDF files.
2 PDF malware
3 Steps to extract shellcodes
3.1 Tools of the trade
What we need to do is basically use existing tools. For now I suggest you download the following tools:
3.2 Extracting the shellcode
I used pdf_example.py from the pyew package.
$ ls pdf_example.py -l
-rwxr-xr-x 1 najmi najmi 1497 2010-03-30 20:03 pdf_example.py
Given a PDF malware sample fetched from the wild:
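To show what an extractor of this kind actually does before the shellcode reaches libemu, here is an added example that is not pyew's pdf_example.py, not the wild sample referred to above, and not code from the original paper. It walks every stream object of a PDF, inflates FlateDecode streams (tolerating truncation, which malicious PDFs often have), finds JavaScript unescape() calls and decodes the %uXXXX / %XX escapes into the raw bytes the heap spray would place in memory. The PDF it runs on is constructed inline (two tiny JavaScript streams, one compressed and one plain); the object layout and the escape strings are my assumptions, not a real sample.

```python
import re
import sys
import zlib
from typing import Iterator, List

# Regexes over raw PDF bytes (stream objects) and over decoded JavaScript text.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
UNESCAPE_RE = re.compile(rb"unescape\s*\(([^)]*)\)")
TOKEN_RE = re.compile(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def iter_streams(pdf: bytes) -> Iterator[bytes]:
    """Yield the content of every stream object, inflating FlateDecode data.

    zlib.decompressobj() is used rather than zlib.decompress() so that a
    truncated stream (common in malicious PDFs) still yields whatever
    inflates cleanly instead of raising.
    """
    for match in STREAM_RE.finditer(pdf):
        raw = match.group(1)
        try:
            yield zlib.decompressobj().decompress(raw)
        except zlib.error:
            yield raw  # no zlib header: treat the stream as uncompressed


def decode_js_escapes(arg: bytes) -> bytes:
    """Convert the argument of a JavaScript unescape() call to raw bytes.

    %uXXXX is one UTF-16 code unit and lands in memory little-endian, so
    %u9090 -> 90 90 and %uC3CC -> CC C3; %XX is a single byte.  Quotes,
    '+' concatenation and whitespace between tokens are skipped.
    """
    out = bytearray()
    for wide, narrow in TOKEN_RE.findall(arg):
        if wide:
            out += int(wide, 16).to_bytes(2, "little")
        else:
            out.append(int(narrow, 16))
    return bytes(out)


def extract_shellcode(pdf: bytes) -> List[bytes]:
    """Return every non-empty unescape() payload found in the PDF's streams."""
    found = []
    for data in iter_streams(pdf):
        for m in UNESCAPE_RE.finditer(data):
            decoded = decode_js_escapes(m.group(1))
            if decoded:
                found.append(decoded)
    return found


# --- Constructed sample input (assumed layout, not a real malware sample) ---
SAMPLE_JS = (
    b'var sled = unescape("%u9090%u9090");\n'
    b'var payload = unescape("%uC3CC" +\n'
    b'                       "%u4142");\n'
    b'var heap = sled + payload;\n'
)
PLAIN_JS = b"var x = unescape('%90%90%cc');\n"


def build_sample_pdf() -> bytes:
    """Assemble a minimal PDF: one Flate-compressed JS stream and one plain."""
    body = zlib.compress(SAMPLE_JS)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n",
        b"4 0 obj << /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n",
        b"stream\n" + body + b"\nendstream\nendobj\n",
        b"5 0 obj << /Length " + str(len(PLAIN_JS)).encode() + b" >>\n",
        b"stream\n" + PLAIN_JS + b"endstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python extract.py [file.pdf]; without an argument the built-in sample is used.
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    candidates = extract_shellcode(pdf)
    for i, sc in enumerate(candidates):
        print("candidate %d: %d bytes, starts with %s" % (i, len(sc), sc[:8].hex()))
    if candidates:
        # The longest blob is the usual suspect; hand it to libemu's sctest
        # (e.g. sctest -Sgs 1000000 -G graph.dot < shellcode.bin) for the flow graph.
        with open("shellcode.bin", "wb") as fh:
            fh.write(max(candidates, key=len))
```

On the constructed sample this yields three candidates: the four-byte NOP sled, the little-endian reordered payload bytes CC C3 42 41, and the three bytes from the plain stream. Real samples frequently build the string with String.fromCharCode, eval or split/join obfuscation instead of a literal unescape() argument, so a static pass like this is only a first step; the sctest flags quoted in the comment are the ones I recall from libemu's own documentation and should be checked against your build.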
Thanks to my wife, for providing hot coffee!