flare-floss icon indicating copy to clipboard operation
flare-floss copied to clipboard

Published 20 hours ago verified publisher icon mandiant

Emulate more functions

Open mr-tz opened this issue 4 years ago • 1 comments

Currently FLOSS only emulates the top 10 or so decoding function candidates.

Improvement ideas on this:

  • increase function count
  • emulate all user functions (needs library ID, likely slow, so maybe need timeout)
  • adding other heuristics to e.g.
    • backtrace from relevant APIs, see #279
    • always emulate the first N functions (sorted by FVA)

mr-tz avatar Jul 21 '21 14:07 mr-tz

might also try emulation a couple times for each candidate, and if they yield results, keep going, otherwise move along.

williballenthin avatar Jul 21 '21 14:07 williballenthin