
initial import

William Ballenthin
William Ballenthin committed Mar 4, 2016
0 parents commit 3692b8e20be9cf43bd2d1256c7cf39f67fbdfc37
128 README.md
@@ -0,0 +1,128 @@
<img src="resources/logo.png?raw=true " width="350"/>
# FireEye Labs Obfuscated String Solver
Malware authors encode data in binary files to hide malicious activity and
impede reverse engineering.
The goal of this project is to develop a tool that can automatically detect,
extract, and decode obfuscated strings in PE executable files.
# Quick Installation
- Install vivisect:
`$ pip install https://github.com/williballenthin/vivisect/zipball/master`
- Install FLOSS:
`$ pip install https://github.com/fireeye/flare-floss/zipball/master`
# Usage
Extract obfuscated strings from a malware binary:
$ floss /path/to/malware/binary
Invoke the string decoder on a file.
$ floss /path/to/malware/binary
Test individual functions (or a list of functions) using the `-f` switch.
$ floss /path/to/malware/binary -f 0x40166C,0x402647
Display the help/usage screen to see all available switches.
$ ./floss -h
# Setup
## Requirements
- `vivisect` - https://github.com/vivisect/vivisect, installable module from https://github.com/williballenthin/vivisect.git
$ pip install https://github.com/williballenthin/vivisect/zipball/master
- `viv-utils` - https://www.github.com/williballenthin/viv-utils
$ pip install viv-utils
- `pytest` - http://pytest.org
$ pip install pytest
## Installation from Github
This technique installs FLOSS to your local Python environment,
but does not keep editable source files around for you to hack on.
- Install vivisect:
`$ pip install https://github.com/williballenthin/vivisect/zipball/master`
- Install FLOSS:
`$ pip install https://github.com/fireeye/flare-floss/zipball/master`
## Installation from source
Use this technique to install FLOSS, yet also keep source files in
the `flare-floss` directory for you to hack on.
- Install vivisect:
`$ pip install https://github.com/williballenthin/vivisect/zipball/master`
- Clone this git repository:
`$ git clone https://github.com/fireeye/flare-floss`
- Install FLOSS:
`$ pip install -e flare-floss`
- (optional) Install pytest:
`$ pip install pytest`
## Building standalone executables
- Install pyinstaller:
`$ pip install pyinstaller`
- Build standalone executable:
`$ pyinstaller floss.spec`
- Distribute standalone executable:
`$ cp ./dist/floss.exe /the/internet`
## Test
Individual plugins and the whole program can be tested using `py.test` (http://pytest.org/latest/usage.html).
The `--sp` option is required to configure the filesystem path of the directory containing sample files.
## Examples
Run all tests:
py.test --sp samples/malicious/ tests/
Run all tests from file:
py.test --sp samples/malicious/ tests/test_floss.py
Run test from file
py.test --sp samples/malicious/ tests/test_floss.py::test_plugins
# Known Decoding Functions
| Sample Hash | Function Offset |
| --- | --- |
|6ee35da59f92f71e757d4d5b964ecf00|0x40166C|
|6ee35da59f92f71e757d4d5b964ecf00|0x402647|
|8c713117af4ca6bbd69292a78069e75b|0x40104F|
|8c713117af4ca6bbd69292a78069e75b|0x401718|
|bf8616bbed6d804a3dea09b230c2ab0c|0x4010BB|
@@ -0,0 +1,152 @@
# -*- mode: python -*-
block_cipher = None
a = Analysis(
['floss/main.py'],
pathex=['floss'],
binaries=None,
datas=None,
hiddenimports=[
"plugnplay",
"viv_utils",
# vivisect stuff
"pycparser",
"vivisect.analysis",
"vivisect.analysis.amd64",
"vivisect.analysis.amd64.emulation",
"vivisect.analysis.crypto",
"vivisect.analysis.crypto.constants",
"vivisect.analysis.elf",
"vivisect.analysis.elf.elfplt",
"vivisect.analysis.generic",
"vivisect.analysis.generic.codeblocks",
"vivisect.analysis.generic.emucode",
"vivisect.analysis.generic.funcentries",
"vivisect.analysis.generic.impapi",
"vivisect.analysis.generic.mkpointers",
"vivisect.analysis.generic.pointers",
"vivisect.analysis.generic.pointertables",
"vivisect.analysis.generic.relocations",
"vivisect.analysis.generic.strconst",
"vivisect.analysis.generic.switchcase",
"vivisect.analysis.generic.thunks",
"vivisect.analysis.i386",
"vivisect.analysis.i386.calling",
"vivisect.analysis.i386.importcalls",
"vivisect.analysis.i386.thunk_bx",
"vivisect.analysis.ms",
"vivisect.analysis.ms.hotpatch",
"vivisect.analysis.ms.localhints",
"vivisect.analysis.ms.msvc",
"vivisect.analysis.ms.msvcfunc",
"vivisect.analysis.ms.vftables",
"vivisect.analysis.pe",
"vivisect.storage",
"vivisect.storage.basicfile",
"vivisect.parsers.blob",
"vivisect.parsers.elf",
"vivisect.parsers.ihex",
"vivisect.parsers.macho",
"vivisect.parsers.pe",
"vivisect.parsers.utils",
"vivisect.analysis.amd64",
"vivisect.analysis.crypto",
"vivisect.analysis.elf",
"vivisect.analysis.generic",
"vivisect.analysis.i386",
"vivisect.analysis.ms",
"vivisect.impapi.windows",
"vivisect.impapi.windows.amd64",
"vivisect.impapi.windows.i386",
"vstruct.constants",
"vstruct.constants.ntstatus",
"vstruct.defs",
"vstruct.defs.arm7",
"vstruct.defs.bmp",
"vstruct.defs.dns",
"vstruct.defs.elf",
"vstruct.defs.gif",
"vstruct.defs.ihex",
"vstruct.defs.inet",
"vstruct.defs.java",
"vstruct.defs.kdcom",
"vstruct.defs.macho",
"vstruct.defs.macho.const",
"vstruct.defs.macho.fat",
"vstruct.defs.macho.loader",
"vstruct.defs.macho.stabs",
"vstruct.defs.minidump",
"vstruct.defs.pcap",
"vstruct.defs.pe",
"vstruct.defs.pptp",
"vstruct.defs.rar",
"vstruct.defs.swf",
"vstruct.defs.win32",
"vstruct.defs.windows",
"vstruct.defs.windows.win_5_1_i386",
"vstruct.defs.windows.win_5_1_i386.ntdll",
"vstruct.defs.windows.win_5_1_i386.ntoskrnl",
"vstruct.defs.windows.win_5_1_i386.win32k",
"vstruct.defs.windows.win_5_2_i386",
"vstruct.defs.windows.win_5_2_i386.ntdll",
"vstruct.defs.windows.win_5_2_i386.ntoskrnl",
"vstruct.defs.windows.win_5_2_i386.win32k",
"vstruct.defs.windows.win_6_1_amd64",
"vstruct.defs.windows.win_6_1_amd64.ntdll",
"vstruct.defs.windows.win_6_1_amd64.ntoskrnl",
"vstruct.defs.windows.win_6_1_amd64.win32k",
"vstruct.defs.windows.win_6_1_i386",
"vstruct.defs.windows.win_6_1_i386.ntdll",
"vstruct.defs.windows.win_6_1_i386.ntoskrnl",
"vstruct.defs.windows.win_6_1_i386.win32k",
"vstruct.defs.windows.win_6_1_wow64",
"vstruct.defs.windows.win_6_1_wow64.ntdll",
"vstruct.defs.windows.win_6_2_amd64",
"vstruct.defs.windows.win_6_2_amd64.ntdll",
"vstruct.defs.windows.win_6_2_amd64.ntoskrnl",
"vstruct.defs.windows.win_6_2_amd64.win32k",
"vstruct.defs.windows.win_6_2_i386",
"vstruct.defs.windows.win_6_2_i386.ntdll",
"vstruct.defs.windows.win_6_2_i386.ntoskrnl",
"vstruct.defs.windows.win_6_2_i386.win32k",
"vstruct.defs.windows.win_6_2_wow64",
"vstruct.defs.windows.win_6_2_wow64.ntdll",
"vstruct.defs.windows.win_6_3_amd64",
"vstruct.defs.windows.win_6_3_amd64.ntdll",
"vstruct.defs.windows.win_6_3_amd64.ntoskrnl",
"vstruct.defs.windows.win_6_3_i386",
"vstruct.defs.windows.win_6_3_i386.ntdll",
"vstruct.defs.windows.win_6_3_i386.ntoskrnl",
"vstruct.defs.windows.win_6_3_wow64",
"vstruct.defs.windows.win_6_3_wow64.ntdll",
],
hookspath=None,
runtime_hooks=None,
excludes=None,
win_no_prefer_redirects=None,
win_private_assemblies=None,
cipher=block_cipher)
pyz = PYZ(a.pure, a.zipped_data,
cipher=block_cipher)
exe = EXE(pyz,
a.scripts,
a.binaries,
exclude_binaries=False,
name='floss',
icon='resources/icon.ico',
debug=False,
strip=None,
upx=True,
console=True )
coll = COLLECT(exe,
a.binaries,
a.zipfiles,
a.datas,
strip=None,
upx=True,
name='floss-dat')
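Review bot: The `hiddenimports` list repeats six package entries — `vivisect.analysis.amd64`, `.crypto`, `.elf`, `.generic`, `.i386` and `.ms` are each listed once among their submodules and again as a trailing group just before `vivisect.impapi.windows` — so that second group can be dropped without changing what gets bundled. Separately, `upx=True` on both the `EXE` and `COLLECT` steps compresses the frozen binary with UPX; UPX-packed PE files are a common trigger for antivirus heuristics, which is awkward for a tool that will be copied onto analysis workstations, so consider `upx=False` or a comment recording why packing is wanted. A one-line header such as `# PyInstaller spec: builds the standalone floss executable from floss/main.py` would also help, since the file currently opens with only an editor mode line.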
@@ -0,0 +1,12 @@
import viv_utils
class ArgumentMonitor(viv_utils.emulator_drivers.Monitor):
def __init__(self, vw):
viv_utils.emulator_drivers.Monitor.__init__(self, vw)
def prehook(self, emu, op, starteip):
self._logger.debug("prehook: %s: %s", hex(starteip), op)
def apicall(self, emu, op, pc, api, argv):
self._logger.debug("apicall: %s %s %s %s", op, pc, api, argv)
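Review bot: `ArgumentMonitor` has no docstring and its `__init__` only forwards `vw` to the base class, so the hunk does not say what the monitor is for; a class docstring such as `"""Emulator monitor that logs each prehook and apicall callback at DEBUG level, as a tracing aid."""` would state it, and the forwarding `__init__` can be removed because the base initializer runs anyway when a subclass defines none. `self._logger` is not assigned here, so it presumably comes from `viv_utils.emulator_drivers.Monitor` — worth confirming before relying on it. Note also that `op` and `argv` in the `apicall` line come from the emulated sample, so the log record embeds content controlled by the binary under analysis; anything that renders these logs (a terminal, a viewer) should treat them as untrusted text.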
