mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

Decoded strings false positives #296

Closed capnspacehook closed 2 years ago

capnspacehook commented 6 years ago

Recently as I've been using Floss, I've noticed that the decoded strings that Floss returns are the exact same as the static strings it finds.

I was running Floss against the Practical Malware Analysis lab binaries at the time, so I looked in the book and confirmed that the binaries I was running Floss against don't have any encoded strings embedded in them.

I have been comparing the decoded strings against the static strings Floss finds, and not displaying the decoded strings that are also found as stack strings.

There could be strings that are both decoded and found statically, so to improve this detection heuristic I suggest that offsets be compared. That way a decoded/stack string would only be discarded if its offset matches an offset of a static string.

Does this sound like a good idea? I would be happy to write a pull request if you think so.

Binaries link: https://github.com/mikesiko/PracticalMalwareAnalysis-Labs

I've mostly been running Floss against lab binaries from Chapter 1, 11, and 13.

williballenthin commented 6 years ago

Hey @capnspacehook

Neat idea. I think we should explore seeing if this can work. Would you be up for the challenge?

To be honest, I'm a bit surprised about this. I believe we only extract strings from memory that has changed during emulation, so I wouldn't expect static strings to be emitted, unless they are copied somewhere else. However, it's also possible that we missed some edge cases.

Therefore, let's start by writing a unit test that demonstrates the issue. Then we can triage it and update the heuristics.

capnspacehook commented 6 years ago

I am up for the challenge :smiley: I'll make sure that the strings that are both found in the decoded strings and static strings have the same offsets; I haven't tested that yet.

This has been happening to almost every binary from the Practical Malware Analysis labs, so I should be able to find some cases of this.

capnspacehook commented 6 years ago

From the digging I did, I can't find any way to compare DecodedString's and String's offsets. The 'String' class Floss creates has an 'offset' member, but 'DecodedString' does not. Is there any way to get the offset of a DecodedString?

williballenthin commented 6 years ago

Yes, you can use the .va property of a DecodedString to fetch its location in memory.

The definition of a DecodedString is here: https://github.com/fireeye/flare-floss/blob/ae92b5e0cf27ab619a30e29bd8ed377efe504b45/floss/decoding_manager.py#L21

capnspacehook commented 6 years ago

Yeah I saw DecodedString's definition, and tried using the .va property to compare with the .offset property of String, but the results from both were wildly different. I'm guessing .va stands for 'Virtual Address'? If so, how can I convert a virtual address into something I can compare with the String.offset property?

williballenthin commented 6 years ago

It looks like static strings are extracted from the raw file that hasn't been loaded into memory. The decoded string offset refers to a virtual address of an executable file that has been loaded into memory.

We'll want to keep static string extraction working against the raw file, since this covers data that may be outside of executable sections. However, I think it's feasible to do a translation from the decoded string offset back to the file offset. This would involve enumerating the viv workspace memory map and figuring out where the sections are. How does that sound?


capnspacehook commented 6 years ago

That sounds good. So basically, I'll have to figure out from viv's memory map where the executable sections are, subtract the virtual address of the start of the section a decoded string is in from the string's virtual address, and add the offset of the section on disk to that to obtain the physical offset of the decoded string. Am I thinking this through correctly?

williballenthin commented 6 years ago

Yup, that sounds about right!


capnspacehook commented 6 years ago

I've been trying to calculate the decoded string's offsets on disk, with no results so far. Here's what I've been testing with:

from floss import identification_manager as id_man
from floss import main
from floss import strings as static
import vivisect
import pefile

MIN_STRINGLEN = 6
MAX_FILESIZE = 16*1024*1024

file = "/path/to/Practical_Malware_Anaysis_Labs/BinaryCollection/Chapter_13L/Lab13-01.exe"
# static strings are extracted from the raw on-disk bytes, so read the file in binary mode
data = open(file, "rb").read(MAX_FILESIZE)

static_strings = []
for static_str in static.extract_ascii_strings(data, MIN_STRINGLEN):
    static_strings.append(static_str)

for static_str in static.extract_unicode_strings(data, MIN_STRINGLEN):
    static_strings.append(static_str)

# load the same file into a vivisect workspace; decoded strings are reported by virtual address
vw = vivisect.VivWorkspace()
vw.loadFromFile(file)
vw.analyze()

selected_functions = main.select_functions(vw, None)
decoding_functions_candidates = id_man.identify_decoding_functions(
    vw, main.get_all_plugins(), selected_functions
)

decoded_strings = main.decode_strings(
    vw, decoding_functions_candidates, MIN_STRINGLEN
)
decoded_strs = main.filter_unique_decoded(decoded_strings)

# entry point RVA from the PE header on disk, and entry point VA from the workspace
pe = pefile.PE(file, fast_load=True)
eop = pe.OPTIONAL_HEADER.AddressOfEntryPoint
print("Entry point on disk: %d" % eop)

entryPoint = vw.getEntryPoints()
print("Entry point in memory: %d\n" % entryPoint[0])

# attempted translation of each decoded string's VA to a file offset (see the output below)
decoded_offsets = []
for dec_str in decoded_strings:
    offset = (dec_str.va - entryPoint[0]) - eop
    decoded_offsets.append(offset)
    print(""""%s":\t(%d - %d) - %d = %d""" % (dec_str.s, dec_str.va, entryPoint[0], eop, offset))

# look for a static string at the computed offset
for dec_offset in decoded_offsets:
    for string in static_strings:
        if dec_offset == string.offset:
            print("Found! - %d" % dec_offset)

And the output:

No handlers could be found for logger "floss.function_argument_getter.FunctionArgumentGetter"
Entry point on disk: 5761
Entry point in memory: 4200065

"Runtime Error!":       (3216244572 - 4200065) - 5761 = 3212038746
"Program: ":        (3216244588 - 4200065) - 5761 = 3212038762
"<program name unknown>":       (3216244312 - 4200065) - 5761 = 3212038486
"- floating point not loaded":      (3216244739 - 4200065) - 5761 = 3212038913

As you can see, the result I'm getting is nowhere near what an offset for a static string would be. Am I getting the virtual address of the section that contains the decoded strings wrong? Or something else?

williballenthin commented 6 years ago

Periodic comment to demonstrate I'm still paying attention. However, I'm travelling this week, so I haven't had a chance to reproduce and provide suggestions. Sorry for the delay!

capnspacehook commented 6 years ago

You're good, thanks for the heads up though!

williballenthin commented 6 years ago

To help me understand where the static string collisions were I used the following snippet:

# report each decoded string whose VA falls inside a segment mapped from the PE file
for dec_str in decoded_strings:
    for segstart, seglen, segname, fname in vw.getSegments():
        if segstart <= dec_str.va < segstart + seglen:
            print('string found in PE segment: 0x%x: %s' % (dec_str.va, dec_str.s))
            print('  in segment %s from 0x%x to 0x%x' % (segname, segstart, segstart + seglen))

This only outputs strings that are found within memory segments mapped from the PE file. By the way, here's what the output of vw.getSegments() looks like:

In [11]: vw.getSegments()
Out[11]:
[(400000, 1000, 'PE_Header', 'lab13_01'),
 (401000, 3FF6, '.text', 'lab13_01'),
 (405000, 9D0, '.rdata', 'lab13_01'),
 (406000, 1E68, '.data', 'lab13_01'),
 (408000, 80, '.rsrc', 'lab13_01')]

For chap 13, lab 1, there weren't any hits for decoded strings found in PE segments. Is this the same result you are getting? If so, would you point me towards a sample that has overlapping static and decoded strings?

capnspacehook commented 6 years ago

I knew there was something wrong with my code... I wasn't calculating the virtual addresses wrong. I modified the script I posted above with your code snippet, and ran it recursively on all the lab binaries from Practical Malware Analysis. I did get some results; here they are:

File: /home/capnspacehook/Downloads/MalwareLabs/BinaryCollection/Chapter_13L/Lab13-03.exe
string found in PE segment: 0x412f00: lkjiponmtsrqxwvu
  in segment .data from 0x412000 to 0x414d68
File: /home/capnspacehook/Downloads/MalwareLabs/BinaryCollection/Chapter_13L/Lab13-03.exe
string found in PE segment: 0x412fa8: 11nV_#<)
  in segment .data from 0x412000 to 0x414d68
File: /home/capnspacehook/Downloads/MalwareLabs/BinaryCollection/Chapter_13L/Lab13-03.exe
string found in PE segment: 0x413220: lkjiponmtsrqxwvu
  in segment .data from 0x412000 to 0x414d68
File: /home/capnspacehook/Downloads/MalwareLabs/BinaryCollection/Chapter_15L/Lab15-03.exe
string found in PE segment: 0x403010: http://www.practicalmalwareanalysis.com/tt.html
  in segment .data from 0x403000 to 0x40340c

So out of all the lab binaries, chapter 13 lab 3 has a few decoded strings found in PE segments, and chapter 15 lab 3 does as well. This got me thinking: maybe a good way to rule out decoded string false positives would be to check if the decoded strings found are in a PE segment.

The output of running the script I posted with your modification makes more sense if you realize that only chapter 13, lab 3 and chapter 15, lab 3 have decoded strings found in PE segments... the other decoded strings found in all other binaries were also found statically. So maybe discarding decoded strings that aren't found in PE sections would be a good way to cut back on false positives?

williballenthin commented 6 years ago

> maybe a good way to rule out decoded strings false positives would be to check if the decoded strings found are in a PE segment.

We're on the right track here, but this won't quite work. For example, the .data section often contains global variables that may be manipulated during runtime. Sometimes malware will decode data in global variables. If we blindly drop decoded strings that came from the .data section, we'd miss some strings.

I think we need to:

  1. check if the decoded string is found in a PE section,
  2. if so, check and see if the decoded string matches the data in the raw PE section (it's a static string),
  3. if so, then skip it. Otherwise, it's actually been decoded by the program, and should be kept.

Does that make sense?
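The VA-to-file-offset translation sketched earlier in the thread and the three-step rule in this comment, worked through as an added example (this is not code from the thread, from FLOSS or from vivisect). To stay self-contained it builds a tiny constructed PE32 image with Python's struct module instead of loading a lab binary, parses the section table itself rather than calling pefile or vw.getSegments(), maps each reported virtual address back to a file offset, and then classifies three constructed decoded-string hits. The image layout, the image base, the XOR key, the sample strings and the stack-like address are all assumptions made for the example; the last column reports the weaker "text occurs anywhere in the raw file" signal that flags stack copies of static strings.

```python
# Added example (not FLOSS or vivisect code): translate a decoded string's VA
# back to a file offset via the PE section table, then apply the rule
# "inside a PE section AND byte-identical on disk => static string, drop it".
import struct

IMAGE_BASE = 0x400000   # assumption: image base written into the constructed sample
XOR_KEY = 0x5A          # assumption: toy encoding used only to build the sample


def build_sample_pe():
    """Construct a minimal PE32 image (constructed test data, not a real binary).
    Headers in the first 0x400 bytes, .text at RVA 0x1000 (file 0x400),
    .data at RVA 0x2000 (file 0x600) holding one plain and one XOR-encoded string."""
    img = bytearray(0x800)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", img, pe + 4, 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", img, opt, 0x10B)                       # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)             # ImageBase
    sect = opt + 0xE0                                             # section table follows the optional header
    layout = [(b".text", 0x200, 0x1000, 0x200, 0x400),
              (b".data", 0x200, 0x2000, 0x200, 0x600)]
    for i, (name, vsize, rva, raw_size, raw_off) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", img, sect + 40 * i,
                         name, vsize, rva, raw_size, raw_off, 0, 0, 0, 0, 0)
    img[0x610:0x610 + 15] = b"Runtime Error!\0"                  # plain CRT-style message
    encoded = b"www.practicalmalwareanalysis.com\0"              # decoded in place at runtime
    img[0x640:0x640 + len(encoded)] = bytes(b ^ XOR_KEY for b in encoded)
    return bytes(img)


def parse_pe_sections(data):
    """Return (image_base, [(name, rva, virtual_size, raw_offset, raw_size), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at optional header offset 28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at offset 24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    for i in range(nsect):
        name, vsize, rva, raw_size, raw_off = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), rva, vsize, raw_off, raw_size))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """Map a VA in the loaded image to its byte offset in the file on disk.
    None means: outside the mapped image (stack, heap, emulator scratch memory)
    or in the zero-filled tail of a section that is larger in memory than on disk."""
    rva = va - image_base
    if rva < 0:
        return None
    if sections and rva < sections[0][1]:
        return rva                                    # headers are mapped 1:1
    for _name, sec_rva, vsize, raw_off, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            return raw_off + delta if delta < raw_size else None
    return None


def classify_decoded_string(data, image_base, sections, va, text):
    """Three-step rule: (1) VA inside the mapped PE image? (2) if so, are the bytes
    on disk at the translated offset identical? (3) both true => static string, skip;
    otherwise it was produced at runtime, keep. 'matches_static_string' is the
    weaker any-occurrence-in-the-raw-file signal."""
    raw = text.encode("ascii")
    off = va_to_file_offset(va, image_base, sections)
    in_image = off is not None
    same_on_disk = in_image and data[off:off + len(raw)] == raw
    return {"string": text,
            "in_pe_section": in_image,
            "same_bytes_on_disk": same_on_disk,
            "matches_static_string": raw in data,
            "verdict": "skip" if same_on_disk else "keep"}


# constructed decoded-string hits: (VA reported by the emulator, decoded text)
SAMPLE_HITS = [
    (IMAGE_BASE + 0x2010, "Runtime Error!"),                    # CRT message, read in place
    (IMAGE_BASE + 0x2040, "www.practicalmalwareanalysis.com"),  # decoded into a global
    (0xBFB0FF10, "Runtime Error!"),                              # copy on the emulated stack
]


def run_sample():
    data = build_sample_pe()
    image_base, sections = parse_pe_sections(data)
    return [classify_decoded_string(data, image_base, sections, va, s)
            for va, s in SAMPLE_HITS]
```

Against a real sample, `data` would be the bytes of the file on disk and each (va, text) pair would come from a FLOSS DecodedString's `.va` and `.s`; vivisect's `vw.getSegments()` gives the same in-memory extents that `parse_pe_sections` derives from the section table. The first hit is dropped (same bytes on disk), the second is kept even though it lives in .data (the bytes on disk are the encoded form), and the third is kept by the three-step rule while the last column shows it is a stack copy of a string already visible statically.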

capnspacehook commented 6 years ago

> Sometimes malware will decode data in global variables. If we blindly drop decoded strings that came from the .data section, we'd miss some strings.

That makes sense, but that wasn't what I meant. I actually meant the opposite. Sorry if I was a little unclear. So, the process I'm proposing would be:

  1. check if the decoded string is found in a PE section,
  2. if NOT, check and see if the decoded string matches the data in the raw PE section (it's a static string),
  3. if so, then skip it. otherwise, its actually been decoded by the program, and should be kept.

Running Floss against all the lab binaries from Practical Malware Analysis, I've found that only the decoded strings found in a PE section are legitimate. The other decoded strings not found in PE sections almost always match static strings.

Maybe we could test all decoded strings by comparing them against recovered static strings; I'm not sure. But I'm pretty sure discarding the decoded strings that match static strings and are NOT found in PE sections would be most beneficial.

capnspacehook commented 6 years ago

For example, here is the result of running my test snip with this modification, running against the lab 13 binaries:

decoded_str_data = []
for dec_str in decoded_strings:
    # is the decoded string's VA inside a segment mapped from the PE file?
    in_section = False
    for segstart, seglen, segname, fname in vw.getSegments():
        if segstart <= dec_str.va < segstart + seglen:
            in_section = True
            break

    # does its text match any string extracted statically from the raw file?
    match_static_str = False
    for string in static_strings:
        if string.s == dec_str.s:
            match_static_str = True
            break

    decoded_str_data.append([file.rsplit("/", 1)[1], dec_str.s, in_section, match_static_str])

Output:

+--------------+-----------------------------+-----------------+-------------------------+
| File         | Decoded String              | In PE section   | Matches static string   |
+==============+=============================+=================+=========================+
| Lab13-01.exe | Runtime Error!              | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-01.exe | Program:                    | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-01.exe | <program name unknown>      | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-01.exe | - floating point not loaded | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | Runtime Error!              | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | Program:                    | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | <program name unknown>      | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | - floating point not loaded | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | lkjiponmtsrqxwvu            | True            | False                   |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | 11nV_#<)                    | True            | False                   |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-03.exe | lkjiponmtsrqxwvu            | True            | False                   |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-02.exe | Runtime Error!              | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-02.exe | Program:                    | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-02.exe | <program name unknown>      | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+
| Lab13-02.exe | - floating point not loaded | False           | True                    |
+--------------+-----------------------------+-----------------+-------------------------+

As you can see, in these binaries, the decoded strings found in PE sections never matched static strings. And vice versa, the decoded strings not found in PE sections always matched static strings, and to boot don't look like strings a malware author would try and hide. This isn't always the case, but is a good method of detecting false positives I think.

capnspacehook commented 6 years ago

If it helps, here is the output of running floss against all the lab binaries, while checking if the decoded strings matched static strings and if they were found in a PE section:

+------------------------+-------------------------------------------------+-----------------+-------------------------+
| File                   | Decoded String                                  | In PE section   | Matches static string   |
+========================+=================================================+=================+=========================+
| Lab09-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-02.exe           | www.practicalmalwareanalysis.com                | False           | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-04.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-04.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-04.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-04.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab03-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-04.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-04.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-04.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-04.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | <not real>                                      | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab01-04.exe           | winlogon.exe                                    | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab19-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab19-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab19-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab19-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab09-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab12-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab16-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab21-01.exe           | ocl.exe                                         | False           | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab21-01.exe           | 1qaz2wsx3edc                                    | False           | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab21-01.exe           | 1qaz2wsx3edc                                    | False           | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab17-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab17-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab17-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab17-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | lkjiponmtsrqxwvu                                | True            | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | 11nV_#<)                                        | True            | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab13-03.exe           | lkjiponmtsrqxwvu                                | True            | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab14-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-03.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-03.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-03.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab11-03.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab07_01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab07_01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab07_01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab07_01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab20-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-02.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-02.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-02.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab10-02.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab15-03.exe           | http://www.practicalmalwareanalysis.com/tt.html | True            | False                   |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-01.exe           | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-01.exe           | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-01.exe           | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| Lab06-01.exe           | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| shellcode_launcher.exe | Runtime Error!                                  | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| shellcode_launcher.exe | Program:                                        | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| shellcode_launcher.exe | <program name unknown>                          | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
| shellcode_launcher.exe | - floating point not loaded                     | False           | True                    |
+------------------------+-------------------------------------------------+-----------------+-------------------------+
williballenthin commented 6 years ago

This is helpful. I'll triage a handful and see what's going on.

Any chance you'll be out around Vegas this coming weekend? I'll be around through Tuesday for some training, but unfortunately not around for DC. Would be cool to meet up sometime.

capnspacehook commented 6 years ago

No problem! What I've gathered from running that script is that any decoded string that matches a static string, whether found in a PE section or not, is not a real decoded string, at least with the lab binaries. We'd have to do more extensive testing to say that conclusively; I doubt that always holds true.

I won't be in Vegas this weekend... I'm actually a broke college student right now, but hopefully will be able to attend hacker summer camp in the near future! I agree, would definitely be cool to meet up sometime!
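The value-only heuristic described in the comment above, side by side with the offset-aware variant proposed at the top of this issue, as an added example that is not FLOSS code and not code from either participant. The class and function names, the sample image bytes and every offset are constructed for illustration; the example assumes decoded and static offsets are already in the same coordinate space, which a real implementation would have to arrange by mapping the emulator's virtual addresses back to file offsets (or the reverse) before comparing.

```python
# Added example (not FLOSS code): the two de-duplication heuristics discussed
# in this thread, run over a constructed sample. Names and offsets are assumptions.
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FoundString:
    value: str
    offset: int  # where the string was seen; assumed comparable across both sources


def extract_static_strings(data: bytes, min_len: int = 4) -> List[FoundString]:
    """Minimal `strings`-style scan: runs of printable ASCII of at least min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [FoundString(m.group().decode("ascii"), m.start())
            for m in pattern.finditer(data)]


def filter_by_value(decoded, static):
    """Heuristic 1: drop any decoded string whose text also appears statically.
    Simple, but it also discards a genuinely decoded string that happens to
    equal a static one (or a static string the sample copied somewhere else)."""
    static_values = {s.value for s in static}
    return [d for d in decoded if d.value not in static_values]


def filter_by_value_and_offset(decoded, static):
    """Heuristic 2 (the proposal in this issue): drop a decoded string only when
    text *and* offset match a static string, so a copy written elsewhere survives."""
    static_keys = {(s.value, s.offset) for s in static}
    return [d for d in decoded if (d.value, d.offset) not in static_keys]


# Constructed stand-in for a binary image: two plain-text strings at known offsets.
SAMPLE_IMAGE = (
    b"\x00" * 0x10
    + b"Runtime Error!\x00"   # static string at offset 0x10
    + b"\x00" * 0x10
    + b"winlogon.exe\x00"     # static string at offset 0x2f
    + b"\x00" * 0x10
)
STATIC = extract_static_strings(SAMPLE_IMAGE)

# Constructed "decoded" results, as an emulator might report them:
#  - "Runtime Error!" observed at its own static offset (memory touched, not decoded)
#  - "winlogon.exe" observed at 0x1000, i.e. copied into a buffer elsewhere
#  - "1qaz2wsx3edc" at 0x1100, present nowhere in the static scan (a real decode)
DECODED = [
    FoundString("Runtime Error!", 0x10),
    FoundString("winlogon.exe", 0x1000),
    FoundString("1qaz2wsx3edc", 0x1100),
]


def compare_heuristics(decoded=DECODED, static=STATIC):
    """Return the string values that survive under each heuristic."""
    return {
        "by_value": [d.value for d in filter_by_value(decoded, static)],
        "by_value_and_offset": [d.value for d in filter_by_value_and_offset(decoded, static)],
    }


if __name__ == "__main__":
    for name, survivors in compare_heuristics().items():
        print(f"{name}: {survivors}")
```

Run stand-alone, the value-only filter keeps just `1qaz2wsx3edc`, while the offset-aware filter also keeps the `winlogon.exe` copy at `0x1000`, which is exactly the case the offset proposal is meant to rescue: a static string the sample moved into a buffer is still interesting, whereas the same bytes sitting untouched in their original location are not.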