mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

[Bug] Floss runs for hours on some binaries #778

Open appsworld opened 1 year ago

appsworld commented 1 year ago

Floss Version Tried: 2.2.0 and 2.0.0
Platform: Ubuntu 21.04, Windows 10 and Windows 11
Example reference file: https://www.virustotal.com/gui/file/9cc387fd485e91fc58a626d2c64b85e0502ba60f3718afd7b5fd6e5b46721bb9

On the above file, floss runs for hours when you run `floss.exe -n 7 file_path --no-decoded-strings`. However, it finishes within seconds when run with `--no-stack-strings --no-decoded-strings`. It appears this is likely a bug within vivisect or in how floss interacts with vivisect.

Output when it is stuck:

```
INFO:floss:Generating vivisect workspace...
WARNING:vtrace.platforms.win32:LoadLibrary PATH\vtrace\platforms\windll\amd64\symsrv.dll: Failed to load dynlib/dll 'PATH\\vtrace\\platforms\\windll\\amd64\\symsrv.dll'. Most probably this dynlib/dll was not found when the application was frozen.
WARNING:vtrace.platforms.win32:LoadLibrary PATH\vtrace\platforms\windll\amd64\dbghelp.dll: Failed to load dynlib/dll 'PATH\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll'. Most probably this dynlib/dll was not found when the application was frozen.
```

Basic File Meta:

MD5 f7de7d878835793ae439c5e551597b1e
SHA-1   f72c37925fe9022214395a90258449aec0a3c0ed
SHA-256 9cc387fd485e91fc58a626d2c64b85e0502ba60f3718afd7b5fd6e5b46721bb9
Vhash   [01703e0f7d60101011z11z47z1015z13z1fz](https://www.virustotal.com/gui/search/vhash%253A01703e0f7d60101011z11z47z1015z13z1fz)
Authentihash    [d7a5d26ede1f10837aaff7925aafb4b73c272bd416da313d8a37536006cf7b75](https://www.virustotal.com/gui/search/authentihash%253Ad7a5d26ede1f10837aaff7925aafb4b73c272bd416da313d8a37536006cf7b75)
Imphash [38c0cbb9bf97b36d1b93444db348f0cf](https://www.virustotal.com/gui/search/imphash%253A38c0cbb9bf97b36d1b93444db348f0cf)

mr-tz commented 1 year ago

The analysis is slow and may be similar to #743 (sample is also packed).

If you disable all modes that require vivisect (`--no decoded stack tight`), no code analysis is performed and only static strings are extracted, which is fast. Can you please confirm the options, or are you really seeing this with the arguments you provided above?

appsworld commented 1 year ago

> If you disable all modes that require vivisect (`--no decoded stack tight`), no code analysis is performed and only static strings are extracted, which is fast. Can you please confirm the options, or are you really seeing this with the arguments you provided above?

Yes, it runs relatively fast (< 3 seconds), and yes, these are Themida-packed binaries.

Looking at https://github.com/mandiant/flare-floss/issues/743: yes, these are definitely vivisect problems. I'll investigate another approach for the stack strings in these scenarios. Thank you @mr-tz.
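A triage wrapper that applies the workaround discussed in this thread: run the cheap static pass unconditionally, and only start the vivisect-backed modes (stack, tight, decoded) when the sample does not look packed, under a hard timeout so a stuck workspace generation cannot block a pipeline. This is an added example, not code from FLOSS or from anyone in this issue; the `--no decoded stack tight` syntax is taken from mr-tz's comment above, while the whole-file entropy threshold, the timeout and the `-n 7` minimum length are assumptions.

```python
"""Gate FLOSS's vivisect-backed modes on a packing heuristic plus a timeout (added example)."""
import math
import subprocess
from collections import Counter

# Modes that need a vivisect workspace, as named by the maintainer's `--no decoded stack tight`.
VIVISECT_MODES = ("decoded", "stack", "tight")
# Assumed threshold (bits per byte): compressed/encrypted sections typically sit well above 7.
PACKED_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data: bytes, threshold: float = PACKED_ENTROPY) -> bool:
    """Coarse whole-file heuristic; a section-level check would be more precise."""
    return shannon_entropy(data) >= threshold


def floss_argv(path: str, static_only: bool, min_len: int = 7) -> list[str]:
    """Build the FLOSS command line; static_only drops every code-analysis mode."""
    argv = ["floss", "-n", str(min_len), path]
    if static_only:
        argv += ["--no", *VIVISECT_MODES]  # path precedes --no because --no takes a list
    return argv


def run_floss(path: str, timeout_s: int = 600) -> tuple[str, bool]:
    """Static pass first; then the full pass only if unpacked-looking and within timeout_s.
    Returns (output, full_pass_completed); on timeout the static result is kept."""
    with open(path, "rb") as fh:
        packed = looks_packed(fh.read())
    static = subprocess.run(floss_argv(path, True), capture_output=True, text=True, check=False)
    if packed:
        return static.stdout, False
    try:
        full = subprocess.run(floss_argv(path, False), capture_output=True, text=True,
                              timeout=timeout_s, check=False)
    except subprocess.TimeoutExpired:
        return static.stdout, False
    return full.stdout, True
```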