
Import Detection Heuristics from `mrphrazer/obfuscation_detection` Repository

Open r0ny123 opened this issue 1 year ago • 7 comments

This issue note aims to suggest the integration of detection heuristics from the mrphrazer/obfuscation_detection by @mrphrazer into the FLOSS tool, to enhance its capabilities in detecting and decoding obfuscated strings in malware samples. The mrphrazer/obfuscation_detection repository contains a comprehensive set of detection heuristics for various obfuscation techniques mentioned here.

Integrating these heuristics into FLOSS would allow the tool to recognize a wide range of obfuscation methods and ultimately improve its decoding performance.

r0ny123, Apr 30 '23 08:04

Very cool! Thanks for sharing this here. Could be useful for FLOSS and capa.

mr-tz, May 02 '23 10:05

Hi @mr-tz , I was thinking of trying this out.

Do you have any heuristics that you want to implement from the repo, or do we need to put some scoping effort into this?

So if I take the XOR decryption loop heuristic as an example, we need to find the function with the XOR loops and print its offset, right? I am trying to figure out, once we get the heuristics, how we will print it out.

c-urly, Mar 13 '24 06:03

Hey, I don't have specific heuristics in mind so feel free to propose some here. XOR decryption loops sounds like a good start.

Once we have the heuristics, we'd want to plug them into the decoding function identification code (e.g. find_decoding_function_features). These functions are then emulated to obtain potential obfuscated strings.

mr-tz, Mar 13 '24 13:03

Hi @mr-tz, so I am thinking of using extract_function_loop to detect loops in a function. We need to add logic to get the start and end address for blocks with a loop and then apply the XOR detection logic to that. How does that sound?

c-urly, Mar 17 '24 23:03

I have made some changes; should I raise a PR on the master branch? What I did is extract instructions with an immediate value as an operand and intersect them with xor + loop. So the XOR decryption logic will be the xor + loop + imm heuristic.

c-urly, Mar 18 '24 08:03
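The xor + loop + imm heuristic sketched in the comment above, as an added example that is not FLOSS's code nor the mrphrazer repository's: natural loops are found from back edges in a control-flow graph, and only `xor` instructions with an immediate operand inside a loop body are reported, so the `xor reg, reg` zeroing idiom and a `cmp` with an immediate do not fire. The `Instruction`/`BasicBlock` classes and the sample CFG are constructed stand-ins for the vivisect objects FLOSS would actually walk.

```python
from dataclasses import dataclass


@dataclass
class Instruction:
    address: int
    mnemonic: str
    operands: tuple  # register/memory operands as str, immediates as int


@dataclass
class BasicBlock:
    start: int
    instructions: list
    successors: list  # start addresses of successor blocks


def find_loop_blocks(cfg, entry):
    """Addresses of every block that lies on a natural loop.
    A DFS edge to a block still on the DFS stack is a back edge (tail -> header);
    the loop body is the header plus everything that reaches the tail via
    predecessors without passing through the header."""
    preds = {a: [] for a in cfg}
    for a, blk in cfg.items():
        for s in blk.successors:
            preds[s].append(a)
    loop_blocks, visited, on_stack = set(), set(), set()

    def dfs(addr):
        visited.add(addr)
        on_stack.add(addr)
        for s in cfg[addr].successors:
            if s in on_stack:  # back edge addr -> s, so s is a loop header
                body, work = {s, addr}, [addr]
                while work:
                    for p in preds[work.pop()]:
                        if p not in body:
                            body.add(p)
                            work.append(p)
                loop_blocks.update(body)
            elif s not in visited:
                dfs(s)
        on_stack.discard(addr)

    dfs(entry)
    return loop_blocks


def is_xor_with_immediate(insn):
    # the immediate operand is what separates a decode key from `xor eax, eax`
    return insn.mnemonic == "xor" and any(isinstance(op, int) for op in insn.operands)


def find_xor_decryption_loops(cfg, entry):
    """Addresses of xor-with-immediate instructions inside a loop (heuristic hits)."""
    return [insn.address
            for addr in sorted(find_loop_blocks(cfg, entry))
            for insn in cfg[addr].instructions if is_xor_with_immediate(insn)]


# constructed sample: a byte-by-byte single-key decode loop over a 0x20-byte buffer
CFG = {
    0x1000: BasicBlock(0x1000, [Instruction(0x1000, "xor", ("ecx", "ecx"))], [0x1010]),
    0x1010: BasicBlock(0x1010, [Instruction(0x1010, "cmp", ("ecx", 0x20)),
                                Instruction(0x1013, "jge", (0x1030,))], [0x1020, 0x1030]),
    0x1020: BasicBlock(0x1020, [Instruction(0x1020, "mov", ("al", "[esi+ecx]")),
                                Instruction(0x1023, "xor", ("al", 0x5A)),
                                Instruction(0x1025, "mov", ("[esi+ecx]", "al")),
                                Instruction(0x1028, "inc", ("ecx",)),
                                Instruction(0x1029, "jmp", (0x1010,))], [0x1010]),
    0x1030: BasicBlock(0x1030, [Instruction(0x1030, "xor", ("eax", "eax")),
                                Instruction(0x1032, "ret", ())], []),
}
```

Running `find_xor_decryption_loops(CFG, 0x1000)` returns only the loop-body `xor al, 0x5A` at 0x1023; a plain `xor reg, imm` counter flip inside a loop would also match, which is why this stays a candidate filter feeding emulation rather than a verdict.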

Did you check https://github.com/mandiant/flare-floss/blob/master/floss/features/extract.py? We have loop and XOR detection, for example. If you have more heuristics, feel free to open a PR :)

mr-tz, Mar 19 '24 07:03

Task list for heuristics in mrphrazer repo. Will go through all the tasks and check if it is already present in floss, otherwise add them.

  • [ ] Large Basic Blocks
  • [ ] Complex Functions
  • [ ] Flattened Functions
  • [ ] Uncommon Instruction Sequences
  • [ ] Instruction Overlapping
  • [ ] Most Called Functions
  • [ ] Xor Decryption loops
  • [ ] Complex Arithmetic

Along with the heuristics that target a wider scope of code, there are helpers to identify functions with a narrower scope.

  • [ ] Entry Functions
  • [ ] Leaf Functions
  • [ ] Section Entropy

c-urly, Mar 27 '24 02:03