1
00:00:11,920 --> 00:00:18,640
There is another image that denotes the complete structure in the way we just followed.

2
00:00:18,670 --> 00:00:25,350
So you have the header, then you have all the objects, then you have a cross-reference table. If you see

3
00:00:25,350 --> 00:00:29,700
here, the cross-reference tables are basically linked with all the object numbers.

4
00:00:29,970 --> 00:00:34,110
And then we have a trailer and then we have the end of file.

5
00:00:34,230 --> 00:00:41,450
So end of file basically contains the bytes from where the cross-reference table starts.

6
00:00:41,460 --> 00:00:48,310
So it points to basically the cross-reference table, and from the cross-reference table we start parsing the objects.

7
00:00:48,360 --> 00:00:52,270
So this is how the entire structure of a PDF file works.

8
00:00:53,540 --> 00:00:56,820
It is a hex representation of PDF files.

9
00:00:56,940 --> 00:01:03,370
Load the PDF file into a hex editor.

10
00:01:03,390 --> 00:01:06,400
In my case I have loaded it in 010 Editor.

11
00:01:06,510 --> 00:01:10,380
You can see the same PDF structure that we just talked about.

12
00:01:10,380 --> 00:01:17,820
So the good thing with 010 Editor is that it has a bunch of file parsing templates, so it basically

13
00:01:17,820 --> 00:01:21,820
helps you in understanding the file formats in a much better way.

14
00:01:21,870 --> 00:01:31,620
So 010 Editor also has a PDF template as well, which parses the PDF files and gives you more information

15
00:01:31,620 --> 00:01:34,370
about different objects.

16
00:01:34,440 --> 00:01:44,190
So if you look here at the bottom, it tells you about the PDF's header, then it tells you that there is a

17
00:01:44,190 --> 00:01:45,690
white space.

18
00:01:45,690 --> 00:01:52,210
Then it tells you that there is an object and its starting position is 10.

19
00:01:52,320 --> 00:01:59,880
So if you come back to our presentation you'll see that in the cross-reference table position number

20
00:01:59,960 --> 00:02:02,820
10 is basically pointing to the first object.

21
00:02:02,820 --> 00:02:03,290
Right.

22
00:02:03,450 --> 00:02:08,330
So this is how we can verify how the PDF file is parsed,

23
00:02:08,340 --> 00:02:10,380
what exactly the different locations mean.

24
00:02:10,380 --> 00:02:16,170
So you have 10 for the first one, you have 69 for the second and you have 141 for the third object.

25
00:02:16,170 --> 00:02:20,440
If you go back here you can see that they are exactly the same locations.

26
00:02:20,580 --> 00:02:25,380
So this helps us in better understanding the cross-reference table and how it has marked different memory

27
00:02:25,380 --> 00:02:27,560
locations.

28
00:02:27,790 --> 00:02:30,660
So this is all about PDF file structure.

29
00:02:30,820 --> 00:02:37,570
Starting with the next videos, we'll start analyzing malicious files using different PDF analysis tools.

30
00:02:37,570 --> 00:02:38,170
Thanks for watching.