mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

qs: show interesting strings first within each section #797

Open williballenthin opened 1 year ago

williballenthin commented 1 year ago

via #761 and @r0ny123

Currently, QS ranks strings based on offsets within sections. Can we use stringsifter or something like that to show the most relevant strings first within the sections?

williballenthin commented 1 year ago

this is a neat idea! keeping all the important data together should make it easier for humans to review.

i wonder if we can duplicate the important strings: show the group of important strings up top, and then continue to show all strings in linear order later on. for example:

32.exe                                                                                  #important         00028f5c              ┃┃┃┃┃┃┃┃┃┃┃┃
file size = %d bytes                                                                    #important         00029084              ┃┃┃┃┃┃
fseek(SEEK_SET) failed                                                                  #important         0002909c              ┃┃┃┃┃┃
---------------------------------------------------------------------------------------------------------------------------------┃┃┃┃┃┃
\\\\.\\a:                                                                                                  00028ec0              ┃┃┃┃┃┃
FILENAME                                                                                        #common    00028ec8              ┃┃┃┃┃┃
\\restore\\                                                                                                00028edc              ┃┃┃┃┃┃
Software\\Microsoft\\MSNetMng                                                                              00028ee8              ┃┃┃┃┃┃
Global\\DirectMarketing                                                                                    00028f08              ┃┃┃┃┃┃
Policy                                                                                          #common    00028f20              ┃┃┃┃┃┃
Version                                                                                           #curl    00028f28              ┃┃┃┃┃┃
Status                                                                                          #common    00028f34              ┃┃┃┃┃┃
Explorer.exe                                                                                    #common    00028f3c              ┃┃┃┃┃┃
32.exe                                                                                                     00028f5c              ┃┃┃┃┃┃
\\System32                                                                                      #common    00028f70              ┃┃┃┃┃┃
SYSTEMROOT                                                                                      #common    00028f7c              ┃┃┃┃┃┃
Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon                                       #common    00028f90              ┃┃┃┃┃┃
System\\CurrentControlSet\\Services\\USBSTOR\\Enum                                                         00028fcc              ┃┃┃┃┃┃
ProductId                                                                                       #common    00029010              ┃┃┃┃┃┃
RegisteredOrganization                                                                          #common    0002901c              ┃┃┃┃┃┃
RegisteredOwner                                                                                 #common    00029034              ┃┃┃┃┃┃
Software\\Microsoft\\Windows NT\\CurrentVersion                                                 #common    00029044              ┃┃┃┃┃┃
file size = %d bytes                                                                                       00029084              ┃┃┃┃┃┃
fseek(SEEK_SET) failed                                                                                     0002909c              ┃┃┃┃┃┃
System\\CurrentControlSet\\Services\\PartMgr\\Enum                                                         000290b8              ┃┃┃┃┃┃
WS     TMP                                                                                                 000290e8              ┃┃┃┃┃┃
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛┃┃┃┃┃
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛┃┃┃┃
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛┃┃┃
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛┃┃
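The layout sketched in the comment above (a group of top-ranked strings per section, then every string of that section in offset order, with the promoted ones duplicated and tagged `#important`), as an added example that is not part of FLOSS or of the issue. The `StringHit` type, the section name `.rdata`, and the `SCORES` values are constructed for this example; in a real run the scores would come from a ranker such as stringsifter.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class StringHit:
    section: str                  # PE section the string lives in (constructed here)
    offset: int                   # file offset of the string
    value: str
    tags: Tuple[str, ...] = ()    # labels already assigned, e.g. ("#common",) or ("#curl",)

# Constructed sample echoing strings and offsets from the listing in the issue.
SAMPLE = [
    StringHit(".rdata", 0x28ec0, r"\\.\a:"),
    StringHit(".rdata", 0x28ec8, "FILENAME", ("#common",)),
    StringHit(".rdata", 0x28f28, "Version", ("#curl",)),
    StringHit(".rdata", 0x28f5c, "32.exe"),
    StringHit(".rdata", 0x29084, "file size = %d bytes"),
    StringHit(".rdata", 0x2909c, "fseek(SEEK_SET) failed"),
    StringHit(".rdata", 0x290e8, "WS     TMP"),
]

# Constructed relevance scores in [0, 1] standing in for a ranker's output.
# Strings missing from the map count as 0 (not interesting).
SCORES: Dict[str, float] = {"32.exe": 0.9, "file size = %d bytes": 0.8,
                            "fseek(SEEK_SET) failed": 0.7, "WS     TMP": 0.2}

def layout_section(hits: List[StringHit], scores: Dict[str, float],
                   top_n: int = 3, threshold: float = 0.5):
    """Per section: (promoted strings, best score first, at most top_n) and
    (all strings in offset order). Promoted strings stay in the linear list too.
    Assumption of this example: strings already explained by a library tag
    (#common, #curl, ...) are never promoted."""
    by_section: Dict[str, List[StringHit]] = {}
    for h in hits:
        by_section.setdefault(h.section, []).append(h)
    out = {}
    for sec, items in by_section.items():
        items.sort(key=lambda h: h.offset)
        cand = [h for h in items if not h.tags and scores.get(h.value, 0.0) >= threshold]
        cand.sort(key=lambda h: (-scores.get(h.value, 0.0), h.offset))
        out[sec] = (cand[:top_n], items)
    return out

def render(layout) -> List[str]:
    """Text rows in the shape of the listing: promoted block, separator, linear block."""
    lines = []
    for sec, (important, linear) in layout.items():
        lines.append(f"[{sec}]")
        lines += [f"{h.value:<40} #important {h.offset:08x}" for h in important]
        lines.append("-" * 60)
        lines += [f"{h.value:<40} {' '.join(h.tags):<10} {h.offset:08x}" for h in linear]
    return lines
```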