mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

couldn't floss detect split push strings? #317

Closed Ana06 closed 2 years ago

Ana06 commented 4 years ago

Consider the following code

push 3233h
push 5F327377h
call function_with_1_param

equivalently:

push '23'
push '_2sw'
call function_with_1_param

This gives the function function_with_1_param the parameter ws2_32, but FLOSS doesn't detect this string. Could FLOSS detect this and other similar cases?
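For readers who want to see exactly how the two pushes above become one string, the following is an added reference decoder; it is not FLOSS code and not part of the issue. It assumes 32-bit `push imm32` instructions listed in the `NNNNh` hex style used in the comment, and that the callee receives a pointer to ESP and reads a NUL-terminated C string from there. The listing it parses is constructed to mirror the snippet in the issue.

```python
import re
import struct

# Constructed sample listing (not the issue's binary): the two-push
# sequence from the comment, whose immediates spell "ws2_32".
SAMPLE_LISTING = """
push 3233h
push 5F327377h
call function_with_1_param
"""

# Matches `push <hex immediate>` in either `5F327377h` or `0x5F327377` form.
# Assumption: immediates are written in hex, as in the issue's listing.
PUSH_IMM_RE = re.compile(r"^\s*push\s+(?:0x)?([0-9A-Fa-f]+)h?\s*$", re.IGNORECASE)


def parse_push_immediates(listing: str) -> list[int]:
    """Collect the immediates of one run of consecutive push-imm lines,
    in program order. The run ends at the first other instruction."""
    values: list[int] = []
    for line in listing.splitlines():
        m = PUSH_IMM_RE.match(line)
        if m:
            values.append(int(m.group(1), 16))
        elif values and line.strip():
            break
    return values


def stack_bytes(values: list[int]) -> bytes:
    """Lay the pushed dwords out as they sit in memory after the pushes.

    The x86 stack grows toward lower addresses, so the LAST push ends up
    at the lowest address (ESP) and the string starts there. Each dword is
    stored little-endian, which is why 0x5F327377 reads as "ws2_".
    (On x64, push imm32 is sign-extended to 8 bytes; not handled here.)
    """
    return b"".join(struct.pack("<I", v) for v in reversed(values))


def recover_stack_string(listing: str) -> str:
    """Return the printable C string a callee would read from ESP, or ""
    when the pushes do not form one (no pushes, or non-printable bytes)."""
    raw = stack_bytes(parse_push_immediates(listing))
    # The callee treats ESP as a char*: stop at the first NUL byte.
    s = raw.split(b"\x00", 1)[0]
    if not s or not all(0x20 <= b < 0x7F for b in s):
        return ""
    return s.decode("ascii")


if __name__ == "__main__":
    print(recover_stack_string(SAMPLE_LISTING))  # ws2_32
```

Note that `push 3233h` is still a 4-byte push: the two zero high bytes of 0x00003233 are what terminate the string, so a decoder that only looks at the width of the written immediate, rather than the width of the push, would miss the terminator and run into whatever sits above it on the stack.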

williballenthin commented 4 years ago

FLOSS should be able to detect this, so if it doesn't, then I'd call this a bug. Do you have a test case or an example binary that shows this?

Ana06 commented 4 years ago

Let me check if I can send you the binary (I guess I am not allowed to upload it here). Btw, I am running FLOSS with the -s option (not sure if that helps).

Ana06 commented 4 years ago

@williballenthin I have emailed you the binary :wink:

williballenthin commented 4 years ago

fyi: binary received.

williballenthin commented 4 years ago

i think the problem here is likely that the payload is shellcode, and the analysis engine doesn't do a good job of detecting the functions

williballenthin commented 4 years ago

also, i think the shellcode is broken, possibly due to the way it was dumped from memory. here's what i see:

image

williballenthin commented 4 years ago

yeah, vivisect isn't finding any functions:

image

williballenthin commented 4 years ago

so, i think that FLOSS would handle this case if the program analysis step worked better (and found the functions in this shellcode, which is also broken). we could construct in C and add it to our test suite here:

https://github.com/fireeye/flare-floss/tree/master/tests/src

mr-tz commented 2 years ago

out of scope issue at the analysis level, please re-open if this comes up again