flare-floss

flare-floss copied to clipboard

use the recognized function/bb boundaries as a filter for junk strings

williballenthin

Indicate .NET, packed or other binaries FLOSS doesn't handle well

1

Warn users similar to capa. Arose in issue #346

mr-tz

are "global stackstrings" seen in the wild?

3

malware that uses a stackstrings-like technique to initialize a global string will not be detected by the stackstrings extractor, since we currently inspect only the active stack frame. the decoding...

williballenthin

Heuristic to identify calls to LoadLibrary and GetProcAddress

1

Might be a good way to catch more (inlined) decoding routines. Sample: 02b2d905a72c4bb2abfc278b8ca7f722.

mr-tz

Failed decoding due to max. instruction limit being set too low

1

Related to #98. For example 4894...ad9a, VA 0x100114A1 decodes no strings with an instruction limit of 2000, but about 200 strings with a limit of 30000. This sample is decoding...

mr-tz

williballenthin

williballenthin

FLOSS API hooks

1

FLOSS hooks comparably few APIs. We should: * identify the most relevant APIs for our use case * come up with an easy way to implement / extend these Also...

mr-tz

Emulate more functions

1

Currently FLOSS only emulates the top 10 or so decoding function candidates. Improvement ideas on this: - increase function count - emulate all user functions (needs library ID, likely slow,...

mr-tz

https://github.com/fireeye/speakeasy/

williballenthin