
Show how many times a specific `decoding function` has been called

Open r0ny123 opened this issue 1 year ago • 21 comments

Currently, floss can identify the decoding functions in a binary and prints them with offset and score while running using the -v flag. Now, it may be useful to know how many times a function has been called, which may better indicate several decoding routines present in the binary under analysis.

r0ny123 avatar Apr 21 '23 13:04 r0ny123

Hello, could you assign this issue to me? I have kind of made some changes, could you check it?

RahulSankhla312 avatar Mar 05 '24 17:03 RahulSankhla312

You got it. Maybe @r0ny123 can specify a bit on what to display: number of xrefs to a function, number of emulated calls, etc. Curious to see what you display here.

mr-tz avatar Mar 05 '24 18:03 mr-tz

@r0ny123 could you please specify what I should do next?

RahulSankhla312 avatar Mar 05 '24 18:03 RahulSankhla312

@mr-tz @r0ny123 Could you please specify what I need to do next now?

RahulSankhla312 avatar Mar 06 '24 06:03 RahulSankhla312

Let's start on what you've done above. What were your thoughts and how did you go about them?

mr-tz avatar Mar 06 '24 08:03 mr-tz

When I thought about adding a feature to FLOSS to track how often each decoding function is called, I had a few key ideas in mind:

  1. I wanted to give people using FLOSS more insight into which decoding functions the binary file uses the most. This information could help someone figure out which functions play a big role in hiding or changing data, making their analysis more focused and efficient.

  2. Since FLOSS already finds and runs these decoding functions by simulating (or "emulating") the program, I thought about keeping track of each time a function is called. For this, I used a dictionary function which would do the job well.

  3. My goal was to add this new tracking feature without altering too much of FLOSS's existing code. This way, we can improve FLOSS without risking the stable parts of the program that already work well.

I see these ideas as just the beginning of making FLOSS even better. By introducing this feature thoughtfully, I aimed to make FLOSS not just more powerful for advanced users, but also more helpful and accessible for everyone, aligning with the tool's main goals and offering real benefits to its users.

@mr-tz Please correct me if I missed something.

RahulSankhla312 avatar Mar 06 '24 09:03 RahulSankhla312

If you already have some code feel free to open a PR, maybe it's easier to discuss in there concretely on the implementation. I'm curious to see how your count differs from the call counts displayed in the progress bar line.

mr-tz avatar Mar 06 '24 10:03 mr-tz

https://github.com/mandiant/flare-floss/pull/958 - Please check this PR @mr-tz

RahulSankhla312 avatar Mar 06 '24 13:03 RahulSankhla312

@mr-tz could you provide me with the changes required, or is it ok?

RahulSankhla312 avatar Mar 07 '24 07:03 RahulSankhla312

Hi @RahulSankhla312, thanks for working on this. I like printing the no. of times a function has been called when using verbose mode.

FLARE FLOSS RESULTS (version 3.0.1)

+---------------------------------+------------------------------------------------------------------------------------+
| file path                       | 49ac6a6c5449396b98a89709b0ad21d078af783ec8f1cd32c1c8b5ae71bec129_unpacked          |
| start date                      | 2024-03-07 21:01:17                                                                |
| runtime                         | 00:43                                                                              |
| version                         | 3.0.1                                                                              |
| identified language             | unknown                                                                            |
| imagebase                       | 0x10000000                                                                         |
| min string length               | 4                                                                                  |
| extracted strings               |                                                                                    |
|  static strings                 | Disabled                                                                           |
|   language strings              | 0 (0 characters)                                                                   |
|  stack strings                  | 0                                                                                  |
|  tight strings                  | 0                                                                                  |
|  decoded strings                | 1                                                                                  |
| analyzed functions              |                                                                                    |
|  discovered                     | 168                                                                                |
|  library                        | 4                                                                                  |
|  stack strings                  | 125                                                                                |
|  tight strings                  | 8                                                                                  |
|  decoded strings                | 22                                                                                 |
|   identified decoding functions | 0x10003328 (0.972), 0x10003048 (0.964), 0x10001000 (0.962), 0x10001af6 (0.894),    |
|   (offset and score)            | 0x1000285c (0.857), 0x10002ca7 (0.838), 0x10003852 (0.833), 0x10003be9 (0.825),    |
|                                 | 0x100011d1 (0.820), 0x10002f6f (0.820), 0x10003a1f (0.818), 0x1000405f (0.818),    |
|                                 | 0x10002d64 (0.800), 0x1000574f (0.800), 0x100022ad (0.778), 0x10004740 (0.773),    |
|                                 | 0x10003606 (0.764), 0x10001151 (0.760), 0x100054c3 (0.752), 0x10001bdd (0.743),    |
|                                 | 0x1000293c (0.647), 0x10004df9 (0.684)                                             |
+---------------------------------+------------------------------------------------------------------------------------+

But I think we should display the no. of calls in identified decoding functions along with offset and score in the above output. Something like '0x10003328 (0.972) (3)', where 3 is the number of times the function has been called. I am considering including the length of the instructions to aid in more accurate detection of decoding functions. @williballenthin @mr-tz Thoughts?

r0ny123 avatar Mar 07 '24 15:03 r0ny123

@r0ny123 Ok, I'll work upon it.

RahulSankhla312 avatar Mar 07 '24 16:03 RahulSankhla312

@r0ny123, to clarify: do you mean how often a function is called as analyzed via static analysis (i.e. all the code cross-references to a function)?

mr-tz avatar Mar 08 '24 08:03 mr-tz

Yes, cross-references (I should have mentioned it).

r0ny123 avatar Mar 08 '24 10:03 r0ny123
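As an added example (not the PR's code, nor FLOSS's own implementation), this is the xref-counting and "offset (score) (xrefs)" rendering discussed above, run over a constructed set of code cross-references; the vivisect adapter assumes `vw.getXrefsTo(va)` returning `(from_va, to_va, ref_type, flags)` tuples, which is the vivisect API FLOSS builds on.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample data (not taken from the binary shown in the thread):
# code cross-references as (from_va, to_va) pairs, as a disassembler reports them.
SAMPLE_XREFS: List[Tuple[int, int]] = [
    (0x10001010, 0x10003328),
    (0x10001200, 0x10003328),
    (0x10002000, 0x10003328),
    (0x10002100, 0x10003048),
    (0x10001af6, 0x10001000),  # one candidate calling another candidate
    (0x10001af6, 0x10001af6),  # recursion: a self-reference still counts as one xref
]

# Constructed sample: candidate decoding functions mapped to a FLOSS-style score.
SAMPLE_CANDIDATES: Dict[int, float] = {
    0x10003328: 0.972,
    0x10003048: 0.964,
    0x10001000: 0.962,
    0x10001af6: 0.894,
    0x1000285c: 0.857,  # no code xrefs: reached only via a pointer, or an entry point
}


def count_xrefs_to(xrefs: Iterable[Tuple[int, int]], candidates: Iterable[int]) -> Dict[int, int]:
    """Number of code cross-references *to* each candidate function.

    A count of 0 does not mean the function is unused: calls through function
    pointers, or reached only during emulation, are not code xrefs. Treat 0 as
    "unknown", not "dead", when prioritising candidates.
    """
    wanted = set(candidates)
    counts = Counter(to_va for _, to_va in xrefs if to_va in wanted)
    return {fva: counts.get(fva, 0) for fva in wanted}


def xrefs_from_workspace(vw, candidates: Iterable[int]) -> List[Tuple[int, int]]:
    """Adapter for a vivisect workspace (assumption: vw.getXrefsTo(va) yields
    (from_va, to_va, ref_type, flags) tuples)."""
    return [(x[0], x[1]) for fva in candidates for x in vw.getXrefsTo(fva)]


def format_decoding_functions(candidates: Dict[int, float], xref_counts: Dict[int, int],
                              per_line: int = 4) -> List[str]:
    """Render 'offset (score) (xrefs)' entries, highest score first, wrapped per_line
    at a time like the 'identified decoding functions' rows of the verbose table."""
    ordered = sorted(candidates.items(), key=lambda kv: kv[1], reverse=True)
    entries = [f"0x{fva:08x} ({score:.3f}) ({xref_counts.get(fva, 0)})" for fva, score in ordered]
    return [", ".join(entries[i:i + per_line]) for i in range(0, len(entries), per_line)]
```

Calling `format_decoding_functions(SAMPLE_CANDIDATES, count_xrefs_to(SAMPLE_XREFS, SAMPLE_CANDIDATES))` yields the rows in the proposed format, with the pointer-only candidate shown as `(0)`.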

@r0ny123 could you please provide me with the command to get this type of flare floss results?

RahulSankhla312 avatar Mar 11 '24 10:03 RahulSankhla312

Run floss with -v flag.

r0ny123 avatar Mar 11 '24 10:03 r0ny123

Sorry for the wait. @r0ny123 @mr-tz I have implemented the logic of total count of cross-references (xrefs). I just need to add it in the output now. Tell me if any other change is needed. Thank you.

RahulSankhla312 avatar Mar 11 '24 16:03 RahulSankhla312

@mr-tz @r0ny123 could you tell me if the count values like this are correct?

RahulSankhla312 avatar Mar 12 '24 12:03 RahulSankhla312

https://github.com/mandiant/flare-floss/pull/968 please check this PR @mr-tz @r0ny123. This is the new output as you suggested.

RahulSankhla312 avatar Mar 12 '24 18:03 RahulSankhla312

That looks great. @r0ny123, does that meet your expectations? Maybe instead of calls we use xrefs to (depending on the implementation)?

mr-tz avatar Mar 13 '24 13:03 mr-tz

Yes, I'm ok with xrefs. Also, the implementation looks good to me. Thanks @RahulSankhla312. Good work!

r0ny123 avatar Mar 14 '24 08:03 r0ny123

@r0ny123 Thank you!!

RahulSankhla312 avatar Mar 16 '24 06:03 RahulSankhla312

Closing as already fixed with https://github.com/mandiant/flare-floss/pull/978.

r0ny123 avatar May 29 '24 07:05 r0ny123