Willi Ballenthin
It looks like static strings are extracted from the raw file that hasn't been loaded into memory. The decoded string offset refers to a virtual address of an executable file...
Yup, that sounds about right!

On Tue, Jul 10, 2018, 4:15 AM capnspacehook wrote:
> That sounds good. So basically, I'll have to figure out from viv's memory
> map...
Periodic comment to demonstrate I'm still paying attention. However, I'm travelling this week, so I haven't had a chance to reproduce and provide suggestions. Sorry for the delay!
To help me understand where the static string collisions were I used the following snippet:

```
decoded_offsets = []
for dec_str in decoded_strings:
    for segstart, seglen, segname, fname in vw.getSegments():
        ...
```
> maybe a good way to rule out decoded strings false positives would be to check if the decoded strings found are in a PE segment.

We're on the right track...
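An added worked example of the check discussed in the snippet above and in the reply that follows; it is not code from this thread, from FLOSS or from vivisect. It shows the translation the earlier comment calls out (static strings are found at raw file offsets, decoded strings at virtual addresses, so the two cannot be compared until the file offset is mapped through the PE section table), then tests whether each decoded string sits in a mapped segment and whether it merely re-reads bytes a static string already covers. The section table, the vivisect-style `(va, size, name, filename)` segment tuples, the string lists and every function name are assumptions and constructed sample data, not taken from a real binary.

```python
# Added example for this thread; it is not FLOSS or vivisect code.
# Assumptions: static strings are reported as raw file offsets (they are read
# from the file on disk), decoded strings as virtual addresses (they are read
# from emulated memory), and segments look like vivisect's vw.getSegments()
# tuples (va, size, name, filename). All sample data below is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

Segment = Tuple[int, int, str, str]   # (va, size, name, filename), vivisect style


@dataclass(frozen=True)
class Section:
    """The PE section header fields needed to translate file offsets to VAs."""
    name: str
    virtual_address: int   # RVA where the loader maps the section
    virtual_size: int
    raw_pointer: int       # PointerToRawData: file offset of the section bytes
    raw_size: int          # SizeOfRawData


def file_offset_to_va(offset: int, sections: List[Section],
                      image_base: int, size_of_headers: int) -> Optional[int]:
    """Map a raw file offset to the VA it occupies once the image is loaded.

    Headers are mapped 1:1 at the image base; section bytes are shifted by
    (VirtualAddress - PointerToRawData); bytes outside every section (overlay,
    slack) are never mapped and yield None.
    """
    if offset < size_of_headers:
        return image_base + offset
    for sec in sections:
        if sec.raw_pointer <= offset < sec.raw_pointer + sec.raw_size:
            return image_base + sec.virtual_address + (offset - sec.raw_pointer)
    return None


def segment_for_va(va: int, segments: List[Segment]) -> Optional[str]:
    """Name of the segment containing va, or None if va is in no PE segment."""
    for segstart, seglen, segname, _fname in segments:
        if segstart <= va < segstart + seglen:
            return segname
    return None


def is_static_collision(va: int, text: str,
                        static_mapped: List[Tuple[int, str]]) -> bool:
    """True if `text` at `va` is a (sub)string of a static string already mapped
    there, i.e. the decoder routine read existing bytes instead of producing new ones."""
    for sva, stext in static_mapped:
        start = va - sva
        if 0 <= start and start + len(text) <= len(stext) \
                and stext[start:start + len(text)] == text:
            return True
    return False


def classify_decoded(decoded: List[Tuple[int, str]], static: List[Tuple[int, str]],
                     sections: List[Section], image_base: int, size_of_headers: int,
                     segments: List[Segment]) -> List[Tuple[int, str, str]]:
    """Label each decoded (va, text) as one of:
      'static-collision': same bytes as a static string mapped at that VA (false positive)
      'in-segment':       inside a PE segment but not matching any static string
      'unmapped':         outside every PE segment, e.g. a stack/heap buffer the decoder filled
    """
    static_mapped = []
    for off, text in static:
        sva = file_offset_to_va(off, sections, image_base, size_of_headers)
        if sva is not None:
            static_mapped.append((sva, text))
    labels = []
    for va, text in decoded:
        if segment_for_va(va, segments) is None:
            labels.append((va, text, "unmapped"))
        elif is_static_collision(va, text, static_mapped):
            labels.append((va, text, "static-collision"))
        else:
            labels.append((va, text, "in-segment"))
    return labels


# Constructed sample image with two sections; nothing here comes from a real binary.
IMAGE_BASE = 0x400000
SIZE_OF_HEADERS = 0x400
SECTIONS = [
    Section(".text", 0x1000, 0x1000, 0x400, 0x1000),
    Section(".data", 0x2000, 0x1000, 0x1400, 0x400),
]
SEGMENTS: List[Segment] = [
    (IMAGE_BASE + s.virtual_address, s.virtual_size, s.name, "sample.exe")
    for s in SECTIONS
]
# Static strings carry file offsets; decoded strings carry VAs.
STATIC = [(0x1410, "kernel32.dll"), (0x1450, "LoadLibraryA")]
DECODED = [
    (0x402010, "kernel32.dll"),       # exactly the static string at file offset 0x1410
    (0x402012, "rnel32.dll"),         # a suffix of it: still not a newly decoded string
    (0x402200, "http://127.0.0.1/"),  # in .data but never present as a static string
    (0x19FF00, "GetProcAddress"),     # on the emulated stack: not in any PE segment
]

if __name__ == "__main__":
    for va, text, label in classify_decoded(DECODED, STATIC, SECTIONS,
                                            IMAGE_BASE, SIZE_OF_HEADERS, SEGMENTS):
        print(f"0x{va:08x} {label:17s} {text!r}")
```

The collision test is range-based on purpose: a decoding routine that starts a few bytes into an existing string (here `rnel32.dll` at 0x402012) would slip past an exact `(va, text)` comparison but is still just a re-read of static data. Strings labelled `unmapped` are the ones that can only have come from the decoder, since no PE segment backs that address.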
This is helpful. I'll triage a handful and see what's going on. Any chance you'll be out around Vegas this coming weekend? I'll be around through Tuesday for some training,...
Hey @pmondon, happy to triage this. Would you be willing to share the .exe? We can also incorporate this scenario as a test case for the project, if you're ok...
With #301 merged, I think this issue is resolved. See the below terminal session building keystone on linux/python3:

before patch:

```
localhost:python (master*) $ git checkout d19579217c0ac71e2d63deb389f29fb23e5a9118
Note: checking out...
```
The union seems intuitive and is my intuitive preference, but needs further thought and/or discussion.
We could add regex/substring matching to API features, though I'd prefer to try to find another solution first, so that we don't get tempted to be lazy in the future...