Open appsworld opened 1 year ago
The analysis is slow and may be similar to #743 (sample is also packed).
If you disable all modes that require vivisect (--no decoded stack tight), no code analysis is performed and only static strings are extracted, which is fast. Can you please confirm the options, or are you really seeing this with your above provided arguments?
Yes, it runs relatively fast (< 3 seconds), and yes, these are Themida-packed binaries.
Looking at https://github.com/mandiant/flare-floss/issues/743: Yes, these are definitely vivisect problems. I'll investigate another approach for the stack strings in this scenario. Thank you @mr-tz.
Floss Version Tried: 2.2.0 and 2.0.0
Platform: Ubuntu 21.04, Windows 10 and Windows 11
Example reference file: https://www.virustotal.com/gui/file/9cc387fd485e91fc58a626d2c64b85e0502ba60f3718afd7b5fd6e5b46721bb9
On the above file, floss runs for hours when you run `floss.exe -n 7 file_path --no-decoded-strings`. However, it finishes within seconds when run with `--no-stack-strings --no-decoded-strings`. It appears this is likely a bug within vivisect or how floss interacts with vivisect.
Output when it is stuck:
Basic File Meta: