Emulate more functions - Githubissues

mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Apache License 2.0

3.25k stars 452 forks source link

Open mr-tz opened 3 years ago

mr-tz commented 3 years ago

Currently FLOSS only emulates the top 10 or so decoding function candidates.

Improvement ideas on this:

increase function count
emulate all user functions (needs library ID, likely slow, so maybe need timeout)
adding other heuristics to e.g.
- backtrace from relevant APIs, see #279
- always emulate the first N functions (sorted by FVA)

williballenthin commented 3 years ago

might also try emulation a couple times for each candidate, and if they yield results, keep going, otherwise move along.