flare-floss
[Bug] Floss runs for hours on some binaries
Floss Version Tried: 2.2.0 and 2.0.0
Platform: Ubuntu 21.04, Windows 10 and Windows 11
Example reference file: https://www.virustotal.com/gui/file/9cc387fd485e91fc58a626d2c64b85e0502ba60f3718afd7b5fd6e5b46721bb9
On the above file, floss runs for hours when you run `floss.exe -n 7 file_path --no-decoded-strings`. However, it finishes within seconds when run with `--no-stack-strings --no-decoded-strings`. It appears this is likely a bug within vivisect or in how floss interacts with vivisect.
Output when it is stuck:

```
INFO:floss:Generating vivisect workspace...
WARNING:vtrace.platforms.win32:LoadLibrary PATH\vtrace\platforms\windll\amd64\symsrv.dll: Failed to load dynlib/dll 'PATH\\vtrace\\platforms\\windll\\amd64\\symsrv.dll'. Most probably this dynlib/dll was not found when the application was frozen.
WARNING:vtrace.platforms.win32:LoadLibrary PATH\vtrace\platforms\windll\amd64\dbghelp.dll: Failed to load dynlib/dll 'PATH\\vtrace\\platforms\\windll\\amd64\\dbghelp.dll'. Most probably this dynlib/dll was not found when the application was frozen.
```
Basic File Meta:

| Field | Value |
| --- | --- |
| MD5 | f7de7d878835793ae439c5e551597b1e |
| SHA-1 | f72c37925fe9022214395a90258449aec0a3c0ed |
| SHA-256 | 9cc387fd485e91fc58a626d2c64b85e0502ba60f3718afd7b5fd6e5b46721bb9 |
| Vhash | [01703e0f7d60101011z11z47z1015z13z1fz](https://www.virustotal.com/gui/search/vhash%253A01703e0f7d60101011z11z47z1015z13z1fz) |
| Authentihash | [d7a5d26ede1f10837aaff7925aafb4b73c272bd416da313d8a37536006cf7b75](https://www.virustotal.com/gui/search/authentihash%253Ad7a5d26ede1f10837aaff7925aafb4b73c272bd416da313d8a37536006cf7b75) |
| Imphash | [38c0cbb9bf97b36d1b93444db348f0cf](https://www.virustotal.com/gui/search/imphash%253A38c0cbb9bf97b36d1b93444db348f0cf) |
The analysis is slow and may be similar to #743 (sample is also packed).
If you disable all modes that require vivisect (`--no decoded stack tight`), no code analysis is performed and only static strings are extracted, which is fast. Can you please confirm the options, or are you really seeing this with the arguments you provided above?
Yes, it runs relatively fast (< 3 seconds), and yes, these are Themida-packed binaries.
Looking at https://github.com/mandiant/flare-floss/issues/743: yes, these are definitely vivisect problems. I'll investigate another approach for the stack strings in these scenarios. Thank you @mr-tz.
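As an added illustration of the workaround discussed in this thread (not code from the issue or from the FLOSS project): a Python wrapper that gives the full vivisect-backed run a time budget and, when it does not finish, reruns FLOSS with the maintainer's `--no decoded stack tight` form so at least the static strings come back. The `floss` binary name, the injectable `run` parameter and the 300-second default budget are assumptions made here.

```python
"""Run FLOSS with a time budget and fall back to static-only extraction.

Hypothetical wrapper for the failure mode in this issue: on some packed
samples the vivisect-backed modes (decoded, stack, tight strings) run for
hours, while static extraction alone finishes in seconds.
"""
import subprocess
from typing import Callable, Dict, List

MIN_LEN = ["-n", "7"]                              # minimum string length used in the report
STATIC_ONLY = ["--no", "decoded", "stack", "tight"]  # disable every mode that needs vivisect


def build_cmd(sample: str, static_only: bool, floss_bin: str = "floss") -> List[str]:
    """Return the argv for a full or a static-only FLOSS run (binary name assumed)."""
    cmd = [floss_bin, *MIN_LEN]
    if static_only:
        cmd += STATIC_ONLY
    return [*cmd, sample]


def extract_strings(sample: str, budget_s: float = 300,
                    run: Callable = subprocess.run) -> Dict[str, object]:
    """Try the full analysis within budget_s; on timeout rerun static-only.

    `run` is injectable so the fallback logic can be exercised without FLOSS
    installed. Returns the mode used, the argv, the exit code and stdout.
    """
    cmd = build_cmd(sample, static_only=False)
    try:
        proc = run(cmd, capture_output=True, text=True, timeout=budget_s, check=False)
        return {"mode": "full", "cmd": cmd, "rc": proc.returncode, "stdout": proc.stdout}
    except subprocess.TimeoutExpired:
        pass  # code analysis did not finish; a packed sample is the likely cause
    cmd = build_cmd(sample, static_only=True)
    proc = run(cmd, capture_output=True, text=True, timeout=budget_s, check=False)
    return {"mode": "static_only", "cmd": cmd, "rc": proc.returncode, "stdout": proc.stdout}


if __name__ == "__main__":
    import sys
    result = extract_strings(sys.argv[1])
    print(f"[{result['mode']}] {' '.join(result['cmd'])}")
    print(result["stdout"])
```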