mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0
3.19k stars 446 forks

Import Detection Heuristics from `mrphrazer/obfuscation_detection` Repository #696

Open r0ny123 opened 1 year ago

r0ny123 commented 1 year ago

This issue note aims to suggest the integration of detection heuristics from the mrphrazer/obfuscation_detection by @mrphrazer into the FLOSS tool, to enhance its capabilities in detecting and decoding obfuscated strings in malware samples. The mrphrazer/obfuscation_detection repository contains a comprehensive set of detection heuristics for various obfuscation techniques mentioned here.

Integrating these heuristics into FLOSS would allow the tool to recognize a wide range of obfuscation methods and ultimately improve its decoding performance.

mr-tz commented 1 year ago

Very cool! Thanks for sharing this here. Could be useful for FLOSS and capa.

c-urly commented 6 months ago

Hi @mr-tz, I was thinking of trying this out.

Do you have any heuristics that you want to implement from the repo, or do we need to put some scoping effort into this?

So if I take the XOR decryption loop heuristic as an example, we need to find the function with the XOR loops and print its offset, right? I am trying to figure out how we will print it out once we get the heuristics.

mr-tz commented 6 months ago

Hey, I don't have specific heuristics in mind so feel free to propose some here. XOR decryption loops sounds like a good start.

Once we have the heuristics, we'd want to plug them into the decoding function identification code (e.g. find_decoding_function_features). These functions are then emulated to obtain potential obfuscated strings.

c-urly commented 6 months ago

Hi @mr-tz, so I am thinking of using extract_function_loop to detect loops in a function. We need to add logic to get the start and end address of the blocks with a loop and then apply the XOR detection logic to them. How does that sound?

c-urly commented 6 months ago

I have made some changes; should I raise a PR on the master branch? What I did is extract instructions with an immediate value as an operand and intersect them with xor + loop. So the XOR decryption logic will be the xor + loop + imm heuristic.
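
The "xor + loop + imm" heuristic discussed above, and the earlier question of what such a heuristic should report, as an added example that is not part of this thread and not FLOSS's own code (FLOSS's loop and XOR features live in floss/features/extract.py on top of vivisect). The `Instruction`/`BasicBlock` model, the back-edge loop detection, and the sample decode function are all constructed here for illustration; a real integration would read these from the analysis framework instead.

```python
"""Toy "xor + loop + immediate" decoding-loop heuristic over a small CFG.

Added example for this thread, not FLOSS's own code. The Instruction/BasicBlock
model and the sample function below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Instruction:
    addr: int
    mnemonic: str
    operands: Tuple[str, ...]  # registers, "[mem]" strings or "0x.." immediates


@dataclass
class BasicBlock:
    start: int
    instructions: List[Instruction]
    successors: List[int] = field(default_factory=list)  # successor start addresses


def is_immediate(operand: str) -> bool:
    return operand.startswith("0x") or operand.lstrip("-").isdigit()


def find_back_edges(blocks: Dict[int, BasicBlock], entry: int) -> Set[Tuple[int, int]]:
    """DFS over the CFG: an edge to a block still on the DFS stack is a back edge,
    i.e. a loop. Returns (tail, header) pairs."""
    back_edges: Set[Tuple[int, int]] = set()
    visited: Set[int] = set()
    on_stack: Set[int] = set()

    def dfs(bb: int) -> None:
        visited.add(bb)
        on_stack.add(bb)
        for succ in blocks[bb].successors:
            if succ in on_stack:
                back_edges.add((bb, succ))
            elif succ not in visited:
                dfs(succ)
        on_stack.remove(bb)

    dfs(entry)
    return back_edges


def natural_loop(blocks: Dict[int, BasicBlock], header: int, tail: int) -> Set[int]:
    """Blocks of the natural loop for back edge tail->header: the header plus every
    block that can reach tail without passing through the header."""
    preds: Dict[int, List[int]] = {bb: [] for bb in blocks}
    for bb, block in blocks.items():
        for succ in block.successors:
            preds[succ].append(bb)
    body = {header}
    work = [tail]
    while work:
        n = work.pop()
        if n not in body:
            body.add(n)
            work.extend(preds[n])
    return body


def find_xor_imm_loops(blocks: Dict[int, BasicBlock], entry: int) -> List[Tuple[int, int]]:
    """Report (xor address, loop header) for every 'xor <dst>, <imm>' inside a loop.
    'xor reg, reg' (register zeroing) and xor outside loops are ignored."""
    hits: Set[Tuple[int, int]] = set()
    for tail, header in find_back_edges(blocks, entry):
        for bb in natural_loop(blocks, header, tail):
            for ins in blocks[bb].instructions:
                if ins.mnemonic == "xor" and len(ins.operands) == 2 and is_immediate(ins.operands[1]):
                    hits.add((ins.addr, header))
    return sorted(hits)


def build_sample_function() -> Tuple[Dict[int, BasicBlock], int]:
    """Constructed sample: a single-byte XOR decode loop over 0x20 bytes at 0x403000.
    Addresses and the key byte are made up; they do not come from any real sample."""
    prologue = BasicBlock(0x401000, [
        Instruction(0x401000, "xor", ("ecx", "ecx")),       # zeroing idiom, outside the loop
        Instruction(0x401002, "mov", ("esi", "0x403000")),
    ], successors=[0x401010])
    loop = BasicBlock(0x401010, [
        Instruction(0x401010, "mov", ("al", "[esi+ecx]")),
        Instruction(0x401013, "xor", ("al", "0x5a")),        # the decode key: flagged
        Instruction(0x401015, "mov", ("[esi+ecx]", "al")),
        Instruction(0x401018, "xor", ("edx", "edx")),       # zeroing inside the loop: not flagged
        Instruction(0x40101a, "inc", ("ecx",)),
        Instruction(0x40101b, "cmp", ("ecx", "0x20")),
        Instruction(0x40101e, "jb", ("0x401010",)),
    ], successors=[0x401010, 0x401020])
    epilogue = BasicBlock(0x401020, [
        Instruction(0x401020, "xor", ("eax", "0x1")),        # xor imm outside any loop: not flagged
        Instruction(0x401023, "ret", ()),
    ])
    return {b.start: b for b in (prologue, loop, epilogue)}, 0x401000


if __name__ == "__main__":
    blocks, entry = build_sample_function()
    for xor_addr, header in find_xor_imm_loops(blocks, entry):
        print(f"xor-with-immediate at {xor_addr:#x} inside loop headed at {header:#x}")
```

Returning the address of the XOR instruction together with its loop header gives both things the thread asks for: an offset to print for the analyst, and a per-function feature (present/absent, or a count) that a decoding-function scorer can consume before the function is emulated. Skipping `xor reg, reg` matters in practice, since that zeroing idiom appears in nearly every function and would otherwise drown the signal.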

mr-tz commented 6 months ago

Did you check https://github.com/mandiant/flare-floss/blob/master/floss/features/extract.py? We have loop and XOR detection, for example. If you have more heuristics, feel free to open a PR :)

c-urly commented 6 months ago

Task list for heuristics in the mrphrazer repo. Will go through all the tasks and check whether each is already present in FLOSS, otherwise add it.

Along with the heuristics that target a wider scope of code, there are helpers to identify functions with a narrower scope.