Willi Ballenthin

Results 328 comments of Willi Ballenthin

It looks like static strings are extracted from the raw file that hasn't been loaded into memory. The decoded string offset refers to a virtual address of an executable file...

Yup, that sounds about right!

On Tue, Jul 10, 2018, 4:15 AM capnspacehook wrote:
> That sounds good. So basically, I'll have to figure out from viv's memory map...

Periodic comment to demonstrate I'm still paying attention. However, I'm travelling this week, so I haven't had a chance to reproduce and provide suggestions. Sorry for the delay!

To help me understand where the static string collisions were I used the following snippet:

```
decoded_offsets = []
for dec_str in decoded_strings:
    for segstart, seglen, segname, fname in vw.getSegments():
        ...
```

> maybe a good way to rule out decoded strings false positives would to check if the decoded strings found are in a PE segment. We're on the right track...

This is helpful. I'll triage a handful and see what's going on. Any chance you'll be out around Vegas this coming weekend? I'll be around through Tuesday for some training,...

Hey @pmondon, happy to triage this. Would you be willing to share the .exe? We can also incorporate this scenario as a test case for the project, if you're ok...

With #301 merged, I think this issue is resolved. See the below terminal session building keystone on linux/python3:

before patch:

```
localhost:python (master*) $ git checkout d19579217c0ac71e2d63deb389f29fb23e5a9118
Note: checking out...
```

the union seems intuitive and is my intuitive preference, but needs further thought and/or discussion

We could add regex/substring matching to API features, though I'd prefer to try to find another solution first, so that we don't get tempted to be lazy in the future...