
Feature: Analyze multiple files at once

Open capnspacehook opened this issue 5 years ago • 2 comments

The ability to analyze multiple files could really benefit Fnord. Some obfuscated samples' only common strings are randomized upon payload generation, meaning Fnord produces Yara rules and displays common strings that are only useful when dealing with a specific payload, not the obfuscation technique in general.

Analyzing multiple files at once could reveal what patterns are common among different samples using the same obfuscation technique. This would allow the user to more easily build robust detections for an obfuscation technique in general, rather than a specific obfuscated sample.

capnspacehook · Nov 19 '18 01:11

Good point. Right now you could append each of the files to a single big one and use Fnord to analyse this big composed file.

Neo23x0 · Nov 19 '18 09:11

Ok, that's a good temporary solution.

I think for the future though, the scoring algorithm should be modified to take multiple files into account. For instance, instead of it being (length * occurrences) + (keywords * 70), it could be changed to be something like (length * (average occurrences in files * number of files it occurs in)) + (keywords * 70). That would allow patterns that are present in a large percentage of the obfuscated samples to be captured and used, instead of Fnord using sequences that vary between every obfuscated sample.

capnspacehook · Nov 19 '18 17:11
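The two scoring formulas quoted in the thread, run side by side over a constructed set of samples, as an added example that is not Fnord's own code. It assumes fixed-length byte n-grams found by a sliding window, a two-entry keyword list, and reads "average occurrences in files" as the mean over all analysed files (averaging only over the files that contain the sequence would collapse the term to the plain total and lose the reward for spread). The three sample "scripts" share a decoder stub and each carry a different repeated payload string, which is the situation the issue describes.

```python
"""Single-file vs. proposed multi-file scoring of byte sequences.

Added example, not Fnord's code. Sequences, keyword list and samples are
assumptions made for illustration.
"""
from collections import Counter
from typing import Dict, List, Tuple

KEYWORD_BONUS = 70
# Assumed keyword list for the example; Fnord's real list is not reproduced here.
KEYWORDS = [b"eval", b"exec"]

# Constructed samples: a shared decoder stub plus a per-payload random-looking
# string that is repeated inside each file but never shared across files.
STUB = b'<?php eval(base64_decode("'
TAIL = b'")); ?>'
SAMPLES = [
    STUB + b"QWERTY" * 6 + TAIL,
    STUB + b"ZXCVBN" * 6 + TAIL,
    STUB + b"POIUYT" * 6 + TAIL,
]


def ngram_counts(data: bytes, length: int) -> Counter:
    """Count every byte sequence of exactly `length` bytes (sliding window)."""
    return Counter(data[i:i + length] for i in range(len(data) - length + 1))


def keyword_hits(seq: bytes) -> int:
    """Number of keywords contained in the sequence."""
    return sum(1 for kw in KEYWORDS if kw in seq)


def single_file_score(seq: bytes, occurrences: int) -> float:
    """Score as quoted in the thread: (length * occurrences) + (keywords * 70)."""
    return len(seq) * occurrences + keyword_hits(seq) * KEYWORD_BONUS


def multi_file_score(seq: bytes, per_file: List[int]) -> float:
    """Proposed score:
    (length * (average occurrences in files * number of files it occurs in))
      + (keywords * 70)
    'average occurrences' is taken as the mean over all analysed files
    (assumption), so a sequence found once in every file outranks one found
    several times in a single file.
    """
    n_files = len(per_file)
    files_present = sum(1 for c in per_file if c > 0)
    average = sum(per_file) / n_files
    return len(seq) * (average * files_present) + keyword_hits(seq) * KEYWORD_BONUS


def per_file_counts(samples: List[bytes], length: int) -> Dict[bytes, List[int]]:
    """Occurrence count of every sequence in every sample (0 where absent)."""
    counters = [ngram_counts(s, length) for s in samples]
    seqs = set().union(*counters)
    return {seq: [c[seq] for c in counters] for seq in seqs}


def rank(samples: List[bytes], length: int, multi: bool) -> List[Tuple[bytes, float]]:
    """Rank sequences by either formula, highest score first.

    multi=False reproduces the 'append everything into one big file'
    workaround by summing per-file counts (minus n-grams that would straddle
    file boundaries in a real concatenation).
    """
    counts = per_file_counts(samples, length)
    if multi:
        scored = {seq: multi_file_score(seq, pf) for seq, pf in counts.items()}
    else:
        scored = {seq: single_file_score(seq, sum(pf)) for seq, pf in counts.items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for multi in (False, True):
        print("multi-file" if multi else "single-file (concatenated)")
        for seq, score in rank(SAMPLES, 8, multi)[:6]:
            print(f"  {score:7.2f}  {seq!r}")
```

With the concatenation workaround, the per-payload repeat `QWERTYQW` (5 hits in one file) scores 40 and outranks the shared stub fragment `_decode(` (1 hit in each of 3 files) at 24; under the proposed formula the same two sequences score 13.3 and 24, so the fragment common to every sample wins. Keyword-bearing fragments such as `eval(bas` still sit on top in both rankings because of the 70-point bonus.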