Closed Ana06 closed 2 years ago
FLOSS should be able to detect this, so if it doesn't, then I'd call this a bug. Do you have a test case or an example binary that shows this?
Let me check if I can send you the binary (I guess I am not allowed to upload it here). Btw, I am running FLOSS with the -s option (not sure if that helps).
@williballenthin I have emailed you the binary :wink:
fyi: binary received.
i think the problem here is likely that the payload is shellcode, and the analysis engine doesn't do a good job of detecting the functions
also, i think the shellcode is broken, possibly due to the way it was dumped from memory. here's what i see:
yeah, vivisect isn't finding any functions:
so, i think that FLOSS would handle this case if the program analysis step worked better (and found the functions in this shellcode, which is also broken). we could construct in C and add it to our test suite here:
https://github.com/fireeye/flare-floss/tree/master/tests/src
out of scope issue at the analysis level, please re-open if this comes up again
Consider the following code
equivalently:
Gives the function function_with_1_param the parameter ws2_32, but FLOSS doesn't detect this string. Could FLOSS detect this and other similar cases?