When a user chooses to open a PDF file in IDA, the IdaPdf loader recognizes the file format and performs
a number of different tasks. First, the loader breaks the PDF into its component objects. Each object
is labeled and any stream objects are flagged for further processing. Object references generate data
cross references in IDA and a substantial amount of information is stored into the database to enable
additional processing by the IdaPdf plugin without requiring the plugin to parse the entire PDF again.
For any stream object that is encountered, the loader checks to see if the stream has any filters that
need to be applied. If a stream is filtered, then the loader extracts the raw stream blob, applies as
many filters as it possibly can (encryption related filters are not applied and images are not decoded)
before saving the unfiltered data to a new segment in the database and creating a cross reference link
back to the raw stream data. This allows the analyst to view unfiltered stream data such as ASCII text
and JavaScript.
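
The "apply as many filters as possible" behaviour described above, as an added Python example (not IdaPdf's own code, which is C++ built against the IDA SDK). It assumes a flat stream dictionary with a direct /Filter entry; the function names and the sample objects are constructed for illustration.

```python
import base64, binascii, re, zlib

def _ascii_hex(data):
    digits = re.sub(rb"\s+", b"", data.split(b">")[0])  # '>' is the end-of-data marker
    return binascii.unhexlify(digits + b"0" * (len(digits) % 2))  # odd digit count: pad with 0

def _ascii85(data):
    body = data.strip()
    body = body[2:] if body.startswith(b"<~") else body
    return base64.a85decode(body.split(b"~>")[0])

# Filters this sketch can reverse. Crypt and image filters (DCTDecode, ...) are
# deliberately absent, mirroring the loader's "not applied / not decoded" rule.
DECODERS = {"FlateDecode": zlib.decompress,
            "ASCIIHexDecode": _ascii_hex,
            "ASCII85Decode": _ascii85}

# Assumption: flat stream dictionary, /Filter given directly as a name or an array.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\n?endstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(\[[^\]]*\]|/\w+)")

def filter_names(dictionary):
    m = FILTER_RE.search(dictionary)
    return [n.decode() for n in re.findall(rb"/(\w+)", m.group(1))] if m else []

def unfilter(obj_bytes):
    """Return (data, applied, remaining) for the first stream in obj_bytes, or None."""
    m = STREAM_RE.search(obj_bytes)
    if m is None:
        return None
    data, applied, remaining = m.group(2), [], filter_names(m.group(1))
    while remaining:
        decoder = DECODERS.get(remaining[0])
        if decoder is None:
            break  # unsupported filter: keep what has been decoded so far
        try:
            data = decoder(data)
        except (zlib.error, ValueError):
            break  # corrupt or deliberately malformed stream
        applied.append(remaining.pop(0))
    return data, applied, remaining

def make_object(filters, payload):  # builds the constructed sample objects below
    return b"1 0 obj\n<< /Length %d /Filter %s >>\nstream\n%s\nendstream\nendobj\n" % (
        len(payload), filters, payload)

JS = b"app.alert('constructed sample');"
SAMPLE_JS = make_object(b"[/ASCIIHexDecode /FlateDecode]", binascii.hexlify(zlib.compress(JS)) + b">")
SAMPLE_IMG = make_object(b"[/ASCIIHexDecode /DCTDecode]", b"FFD8 FFE0>")

if __name__ == "__main__":
    for sample in (SAMPLE_JS, SAMPLE_IMG):
        print(unfilter(sample))
```

The returned `remaining` list shows which filters were left unapplied, so a partially decoded stream is never mistaken for fully unfiltered data.
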
The related IdaPdf plugin is automatically loaded for all PDF files. Upon initialization, the plugin
makes use of stored data generated by the loader to create a list of all objects in the PDF file. The
list contains the address of each object, the type of each object, and the address of any related
unfiltered version of the object. Context sensitive menu options allow the user to jump to view the
beginning of each object section. Additional context menu options allow the user to extract raw or
unfiltered stream data from the database directly to a file. Additionally, the plugin adds two menu
options to the Edit/Other menu which allow the user to select a region of data and have the plugin
perform a base64 decode or a JavaScript unescape operation over the selected region with the result
being saved to a new section within the database.
The current version of IdaPdf may be found here: IdaPdf. Extract inside your IDA SDK directory and the loader source will be extracted to ldr/pdfldr, the plugin source will be extracted to plugins/pdf_plugin, and compiled binaries for IDA 6.1 for Windows will be extracted to bin/loaders/pdr_ldr.ldw and bin/plugins/pdf_plugin.plw. To install, copy the loader module and the plugin module to <idadir>/loaders and <idadir>/plugins respectively.