mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0
3.22k stars 447 forks

exclude/tag strings that match expert patterns #700

Open williballenthin opened 1 year ago

mr-tz commented 1 year ago

For collecting community knowledge, it should be easy to add raw entries by just adding to a file, for example:

```text
string; explanation; tags
...
too many length or distance symbols; GZIP text exception; gzip
.?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@; mangled name; cpp
```

Maybe use tab `\t` as the separator so the text can contain all symbols.

mr-tz commented 1 year ago

Would also be cool to capture and explain multi-line strings, like:

```xml
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level='asInvoker' uiAccess='false' />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

williballenthin commented 1 year ago

Should enumerate all the Windows API functions (and DLLs) so that they can be reasoned about (e.g., an API not part of the import table).
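A sketch of how the expert-strings file proposed above could be loaded and applied, written here as an added example rather than code from the flare-floss project. It assumes the tab-separated string/explanation/tags layout from the earlier comment, that multi-line entries are kept on one line with `\n` escapes and are matched as runs of consecutive extracted strings (since a string extractor splits text at line breaks), and that API entries carry an `api` tag so they can be compared with a PE's import table. The database rows, the extracted strings and the import table in the block are all constructed for the example.

```python
"""Tag extracted strings against a tab-separated "expert strings" database.

Added example, not flare-floss project code. Assumptions (mine, not the
thread's): one entry per line, fields string / explanation / tags separated
by a tab, tags comma-separated, optional header row; multi-line strings are
stored with "\\n" escapes and matched as consecutive extracted strings;
API entries carry the "api" tag.
"""
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    string: str        # literal text with newlines restored
    explanation: str
    tags: frozenset

    @property
    def lines(self):
        return tuple(self.string.split("\n"))


def unescape(s):
    """Restore the \\n, \\t and \\\\ escapes that keep an entry on one line."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in "nt\\":
            out.append({"n": "\n", "t": "\t", "\\": "\\"}[s[i + 1]])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def load_expert_db(text):
    """Parse the database. QUOTE_NONE keeps quotes literal so XML attributes
    and C++ mangled names survive untouched; a tab inside a field must be
    written as \\t, which is why exactly three fields are required."""
    entries = []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for lineno, row in enumerate(reader, 1):
        if not row or row[0].startswith("#") or row == ["string", "explanation", "tags"]:
            continue
        if len(row) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields, got {len(row)}")
        string, explanation, tags = row
        entries.append(Entry(unescape(string), explanation,
                             frozenset(t.strip() for t in tags.split(",") if t.strip())))
    return entries


def tag_strings(extracted, db):
    """Return (matches, unexplained): matches are (start_index, Entry) pairs in
    order of appearance, a multi-line entry matching a run of consecutive
    extracted strings; unexplained are the strings no entry covers."""
    matches, covered = [], set()
    for i in range(len(extracted)):
        for entry in db:
            n = len(entry.lines)
            if tuple(extracted[i:i + n]) == entry.lines:
                matches.append((i, entry))
                covered.update(range(i, i + n))
    unexplained = [s for j, s in enumerate(extracted) if j not in covered]
    return matches, unexplained


def apis_not_imported(matches, imported_names):
    """API names present as strings but absent from the import table: a hint
    that the sample resolves them at runtime (e.g. via GetProcAddress)."""
    names = {e.string for _, e in matches if "api" in e.tags}
    return sorted(names - set(imported_names))


# Constructed data for the example: a manifest as an extractor would emit it
# line by line, a small database, sample strings and a sample import table.
MANIFEST_LINES = [
    "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>",
    "<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>",
    "  <trustInfo xmlns=\"urn:schemas-microsoft-com:asm.v3\">",
    "    <security>",
    "      <requestedPrivileges>",
    "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />",
    "      </requestedPrivileges>",
    "    </security>",
    "  </trustInfo>",
    "</assembly>",
]
EXPERT_DB_TEXT = "\n".join([
    "string\texplanation\ttags",
    "too many length or distance symbols\tGZIP text exception\tgzip",
    ".?AV?$basic_ostream@DU?$char_traits@D@std@@@std@@\tmangled name\tcpp",
    "\\n".join(MANIFEST_LINES) + "\tdefault UAC manifest (asInvoker)\tmanifest,xml",
    "VirtualAlloc\tWindows API, kernel32.dll\tapi,kernel32",
    "CreateFileA\tWindows API, kernel32.dll\tapi,kernel32",
    "GetProcAddress\tWindows API, kernel32.dll\tapi,kernel32",
    "LoadLibraryA\tWindows API, kernel32.dll\tapi,kernel32",
])
SAMPLE_STRINGS = ["!This program cannot be run in DOS mode.", "LoadLibraryA",
                  "GetProcAddress", "VirtualAlloc", "too many length or distance symbols",
                  *MANIFEST_LINES, "%TEMP%\\update.dll"]
SAMPLE_IMPORTS = {"LoadLibraryA", "GetProcAddress", "CreateFileA"}

if __name__ == "__main__":
    db = load_expert_db(EXPERT_DB_TEXT)
    matches, unexplained = tag_strings(SAMPLE_STRINGS, db)
    for i, e in matches:
        print(f"[{i}] {e.lines[0][:50]!r:55} {e.explanation} ({','.join(sorted(e.tags))})")
    print("unexplained:", unexplained)
    print("api strings not in import table:", apis_not_imported(matches, SAMPLE_IMPORTS))
```

Run as a script it lists the tagged entries, leaves the DOS stub and the DLL path as unexplained, and flags `VirtualAlloc` as an API name that appears as a string but is missing from the constructed import table.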

williballenthin commented 1 year ago

I blindly pull all strings referenced by capa rules into an "expert" database, which results in this output:

[image: screenshot of the output]

seems like a pretty good starting point!
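One way to generate such expert rows from capa rules, as an added example that is neither flare-floss nor capa code. It relies on a line-based scan of capa's `- string:` / `- substring:` / `- api:` feature syntax (with an optional `= description` suffix), skips regex features because they are patterns rather than literals, strips the module prefix from API names since an extractor sees `GetProcAddress` rather than `kernel32.GetProcAddress`, and emits rows in the tab-separated layout discussed earlier in the thread. The rule text is constructed for the example; real rule files should be read with a YAML parser.

```python
"""Pull literal strings and API names out of capa rule text into rows for an
"expert strings" database (string, explanation, tags; tab-separated).

Added example, not flare-floss or capa code. Assumes capa's rule syntax for
`name:` under `meta:` and feature lines `- string: "..."`, `- string: /re/`,
`- substring: "..."`, `- api: module.Function`, each optionally followed by
` = description`. A line-based scan suffices for the constructed rules here.
"""
import re

NAME_RE = re.compile(r"^\s*name:\s*(.+?)\s*$")
FEATURE_RE = re.compile(r"^\s*-\s*(string|substring|api):\s*(.+?)\s*$")

# constructed rule text in capa syntax; not rules from the capa-rules repository
SAMPLE_RULE_FILES = {
    "decompress-gzip.yml": """rule:
  meta:
    name: decompress data using gzip
    namespace: data-manipulation/compression
  features:
    - or:
      - string: "too many length or distance symbols"
      - string: "invalid distance too far back"
      - api: zlib.inflate
""",
    "resolve-api.yml": """rule:
  meta:
    name: resolve function by name at runtime
  features:
    - and:
      - api: kernel32.LoadLibraryA
      - api: kernel32.GetProcAddress = classic dynamic import
      - string: /Virtual(Alloc|Protect)/ = API names as strings
""",
}


def parse_value(raw):
    """Strip an optional ' = description' suffix; return (value, is_regex)."""
    if raw.startswith('"'):
        end = raw.find('"', 1)            # escaped quotes inside are not handled
        return (raw[1:end] if end > 0 else raw[1:]), False
    value = raw.split(" = ", 1)[0].strip()
    return value, value.startswith("/")


def _add(rows, string, explanation, tags):
    """Merge tags when the same literal shows up in several rules."""
    if string in rows:
        rows[string][1] |= tags
    else:
        rows[string] = [explanation, set(tags)]


def rules_to_expert_rows(rule_files):
    """Return (rows, skipped_regexes); rows are (string, explanation, tags)."""
    rows, skipped = {}, []
    for filename, text in rule_files.items():
        name = filename                   # fallback until meta.name is seen
        for line in text.splitlines():
            m = NAME_RE.match(line)
            if m:
                name = m.group(1)
                continue
            m = FEATURE_RE.match(line)
            if not m:
                continue
            kind, raw = m.groups()
            value, is_regex = parse_value(raw)
            if is_regex:
                skipped.append(value)     # a pattern, not a literal to look up
                continue
            if kind == "api":
                module, _, func = value.rpartition(".")
                tags = {"api", "capa"} | ({module} if module else set())
                _add(rows, func, f"API {value} referenced by capa rule: {name}", tags)
            else:
                _add(rows, value, f"capa rule: {name}", {"capa"})
    return [(s, expl, ",".join(sorted(t))) for s, (expl, t) in rows.items()], skipped


def to_tsv(rows):
    """Serialise rows one per line, escaping backslashes, newlines and tabs."""
    def esc(s):
        return s.replace("\\", "\\\\").replace("\n", "\\n").replace("\t", "\\t")
    lines = ["string\texplanation\ttags"]
    lines += ["\t".join(esc(field) for field in row) for row in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    rows, skipped = rules_to_expert_rows(SAMPLE_RULE_FILES)
    print(to_tsv(rows))
    print("# skipped regex features:", skipped)
```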