Author Topic: How to reach escript.api in Malicious pdf file  (Read 3006 times)

0 Members and 1 Guest are viewing this topic.

May 25, 2010, 05:38:13 pm
Read 3006 times

kristofer_nolen

  • Newbie

  • Offline
  • *

  • 6
Hello,

I am very keen to know how to reach escript.api which is responsible for executing malicious java scripts embedded with malicious PDF files.

I came to know this through a blog which is http://traversecode.com/2010/03/08/from-pdfexploit-to-zeustrojan-subject-steals-bank-credentials/

Its a good one however the author did not explain how to reach escript.api through ollydbg as his explanation is very simple on this.

Any help on this would be much appreciated.

Thanks in advance
Kris 

May 25, 2010, 06:15:29 pm
Reply #1

ratsoul

  • Jr. Member

  • Offline
  • **

  • 23
    • inReverse
Hi Kris,

escript.api is located here: <Adobe Dir>\Reader\plug_ins\ .

Regards,
 - ratsoul

June 10, 2010, 05:40:09 pm
Reply #2

shivtheone

  • Newbie

  • Offline
  • *

  • 1
Hey Kris,

I am the Author of this Blog (www.traversecode.com). To reach escript.api, load adobe.exe in Olly Debugger and then open malicious pdf file using adobe which is loaded inside the Olly. Now click 'E' in Olly which shows you the currently loaded modules. Here you can find escript.api. Double click on that and place breakpoint on the calls for further analysis.

Regards,
Shiv

June 18, 2010, 02:16:34 am
Reply #3

kristofer_nolen

  • Newbie

  • Offline
  • *

  • 6