def main():
# default to INFO, unless otherwise changed
logging.basicConfig(level=logging.WARNING)
parser = make_parser()
options, args = parser.parse_args()
set_logging_level(options.debug, options.verbose)
if options.list_plugins:
print_plugin_list()
sys.exit(0)
sample_file_path = parse_sample_file_path(parser, args)
min_length = parse_min_length_option(options.min_length)
if options.all_strings:
floss_logger.info("Extracting static strings...")
print_all_strings(sample_file_path, min_length=min_length, quiet=options.quiet)
with open(sample_file_path, "rb") as f:
magic = f.read(2)
if magic != "MZ":
floss_logger.error("FLOSS currently supports the following formats: PE")
return
floss_logger.info("Generating vivisect workspace")
vw = viv_utils.getWorkspace(sample_file_path)
selected_functions = select_functions(vw, options.functions)
floss_logger.debug("Selected the following functions: %s", ", ".join(map(hex, selected_functions)))
selected_plugin_names = select_plugins(options.plugins)
floss_logger.debug("Selected the following plugins: %s", ", ".join(map(str, selected_plugin_names)))
selected_plugins = filter(lambda p: str(p) in selected_plugin_names, get_all_plugins())
time0 = time()
floss_logger.info("Identifying decoding functions...")
decoding_functions_candidates = im.identify_decoding_functions(vw, selected_plugins, selected_functions)
if not options.quiet:
print_identification_results(sample_file_path, decoding_functions_candidates)
floss_logger.info("Decoding strings...")
function_index = viv_utils.InstructionFunctionIndex(vw)
decoded_strings = decode_strings(vw, function_index, decoding_functions_candidates)
print_decoding_results(decoded_strings, min_length, options.group_functions, quiet=options.quiet)
floss_logger.info("Extracting stackstrings...")
print_stack_strings(stackstrings.extract_stackstrings(vw, selected_functions), min_length, quiet=options.quiet)
if options.ida_python_file:
floss_logger.info("Creating IDA script...")
create_script(sample_file_path, options.ida_python_file, decoded_strings)
time1 = time()
if not options.quiet:
print("Finished execution after %f seconds" % (time1 - time0))
def main(argv=None):
"""
:param argv: optional command line arguments, like sys.argv[1:]
:return: 0 on success, non-zero on failure
"""
logging.basicConfig(level=logging.WARNING)
parser = make_parser()
if argv is not None:
options, args = parser.parse_args(argv[1:])
else:
options, args = parser.parse_args()
set_logging_level(options.debug, options.verbose)
if options.list_plugins:
print_plugin_list()
return 0
sample_file_path = parse_sample_file_path(parser, args)
min_length = parse_min_length_option(options.min_length)
# expert profile settings
if options.expert:
options.save_workspace = True
options.group_functions = True
options.quiet = False
if not is_workspace_file(sample_file_path):
if not options.no_static_strings and not options.functions:
floss_logger.info("Extracting static strings...")
print_static_strings(sample_file_path,
min_length=min_length,
quiet=options.quiet)
if options.no_decoded_strings and options.no_stack_strings and not options.should_show_metainfo:
# we are done
return 0
if os.path.getsize(sample_file_path) > MAX_FILE_SIZE:
floss_logger.error(
"FLOSS cannot extract obfuscated strings or stackstrings from files larger than"
" %d bytes" % MAX_FILE_SIZE)
return 1
try:
vw = load_vw(sample_file_path, options.save_workspace, options.verbose,
options.is_shellcode, options.shellcode_entry_point,
options.shellcode_base)
except WorkspaceLoadError:
return 1
try:
selected_functions = select_functions(vw, options.functions)
except Exception as e:
floss_logger.error(str(e))
return 1
floss_logger.debug("Selected the following functions: %s",
get_str_from_func_list(selected_functions))
selected_plugin_names = select_plugins(options.plugins)
floss_logger.debug("Selected the following plugins: %s",
", ".join(map(str, selected_plugin_names)))
selected_plugins = filter(lambda p: str(p) in selected_plugin_names,
get_all_plugins())
if options.should_show_metainfo:
meta_functions = None
if options.functions:
meta_functions = selected_functions
print_file_meta_info(vw, meta_functions)
time0 = time()
if not options.no_decoded_strings:
floss_logger.info("Identifying decoding functions...")
decoding_functions_candidates = im.identify_decoding_functions(
vw, selected_plugins, selected_functions)
if options.expert:
print_identification_results(sample_file_path,
decoding_functions_candidates)
floss_logger.info("Decoding strings...")
decoded_strings = decode_strings(vw, decoding_functions_candidates,
min_length, options.no_filter)
if not options.expert:
decoded_strings = filter_unique_decoded(decoded_strings)
print_decoding_results(decoded_strings,
options.group_functions,
quiet=options.quiet,
expert=options.expert)
else:
decoded_strings = []
if not options.no_stack_strings:
floss_logger.info("Extracting stackstrings...")
stack_strings = stackstrings.extract_stackstrings(
vw, selected_functions, min_length, options.no_filter)
if not options.expert:
stack_strings = set(stack_strings)
print_stack_strings(stack_strings,
quiet=options.quiet,
expert=options.expert)
else:
stack_strings = []
if options.x64dbg_database_file:
imagebase = vw.filemeta.values()[0]['imagebase']
floss_logger.info("Creating x64dbg database...")
create_x64dbg_database(sample_file_path, options.x64dbg_database_file,
imagebase, decoded_strings)
if options.ida_python_file:
floss_logger.info("Creating IDA script...")
create_ida_script(sample_file_path, options.ida_python_file,
decoded_strings, stack_strings)
if options.radare2_script_file:
floss_logger.info("Creating r2script...")
create_r2_script(sample_file_path, options.radare2_script_file,
decoded_strings, stack_strings)
time1 = time()
if not options.quiet:
print("\nFinished execution after %f seconds" % (time1 - time0))
return 0
selected_functions = select_functions(vw, options.functions)
floss_logger.debug("Selected the following functions: %s",
", ".join(map(hex, selected_functions)))
selected_plugin_names = select_plugins(options.plugins)
floss_logger.debug("Selected the following plugins: %s",
", ".join(map(str, selected_plugin_names)))
selected_plugins = filter(lambda p: str(p) in selected_plugin_names,
get_all_plugins())
time0 = time()
if not options.no_decoded_strings:
floss_logger.info("Identifying decoding functions...")
decoding_functions_candidates = im.identify_decoding_functions(
vw, selected_plugins, selected_functions)
if options.expert:
print_identification_results(sample_file_path,
decoding_functions_candidates)
floss_logger.info("Decoding strings...")
function_index = viv_utils.InstructionFunctionIndex(vw)
decoded_strings = decode_strings(vw, function_index,
decoding_functions_candidates)
if not options.expert:
decoded_strings = filter_unique_decoded(decoded_strings)
print_decoding_results(decoded_strings,
min_length,
options.group_functions,
quiet=options.quiet,
expert=options.expert)
except Exception, e:
floss_logger.error("Vivisect failed to load the input file: {0}".format(e.message), exc_info=options.verbose)
return 1
selected_functions = select_functions(vw, options.functions)
floss_logger.debug("Selected the following functions: %s", ", ".join(map(hex, selected_functions)))
selected_plugin_names = select_plugins(options.plugins)
floss_logger.debug("Selected the following plugins: %s", ", ".join(map(str, selected_plugin_names)))
selected_plugins = filter(lambda p: str(p) in selected_plugin_names, get_all_plugins())
time0 = time()
if not options.no_decoded_strings:
floss_logger.info("Identifying decoding functions...")
decoding_functions_candidates = im.identify_decoding_functions(vw, selected_plugins, selected_functions)
if options.expert:
print_identification_results(sample_file_path, decoding_functions_candidates)
floss_logger.info("Decoding strings...")
function_index = viv_utils.InstructionFunctionIndex(vw)
decoded_strings = decode_strings(vw, function_index, decoding_functions_candidates)
if not options.expert:
decoded_strings = filter_unique_decoded(decoded_strings)
print_decoding_results(decoded_strings, min_length, options.group_functions, quiet=options.quiet, expert=options.expert)
else:
decoded_strings = []
if not options.no_stack_strings:
floss_logger.info("Extracting stackstrings...")
stack_strings = stackstrings.extract_stackstrings(vw, selected_functions)
def main(argv=None):
"""
:param argv: optional command line arguments, like sys.argv[1:]
:return: 0 on success, non-zero on failure
"""
logging.basicConfig(level=logging.WARNING)
parser = make_parser()
if argv is not None:
options, args = parser.parse_args(argv[1:])
else:
options, args = parser.parse_args()
set_logging_level(options.debug, options.verbose)
if options.list_plugins:
print_plugin_list()
return 0
sample_file_path = parse_sample_file_path(parser, args)
min_length = parse_min_length_option(options.min_length)
# expert profile settings
if options.expert:
options.save_workspace = True
options.group_functions = True
options.quiet = False
if not is_workspace_file(sample_file_path):
if not options.no_static_strings and not options.functions:
floss_logger.info("Extracting static strings...")
print_static_strings(sample_file_path, min_length=min_length, quiet=options.quiet)
if options.no_decoded_strings and options.no_stack_strings and not options.should_show_metainfo:
# we are done
return 0
if os.path.getsize(sample_file_path) > MAX_FILE_SIZE:
floss_logger.error("FLOSS cannot extract obfuscated strings or stackstrings from files larger than"
" %d bytes" % MAX_FILE_SIZE)
return 1
try:
vw = load_vw(sample_file_path, options.save_workspace, options.verbose, options.is_shellcode,
options.shellcode_entry_point, options.shellcode_base)
except WorkspaceLoadError:
return 1
try:
selected_functions = select_functions(vw, options.functions)
except Exception as e:
floss_logger.error(str(e))
return 1
floss_logger.debug("Selected the following functions: %s", get_str_from_func_list(selected_functions))
selected_plugin_names = select_plugins(options.plugins)
floss_logger.debug("Selected the following plugins: %s", ", ".join(map(str, selected_plugin_names)))
selected_plugins = filter(lambda p: str(p) in selected_plugin_names, get_all_plugins())
if options.should_show_metainfo:
meta_functions = None
if options.functions:
meta_functions = selected_functions
print_file_meta_info(vw, meta_functions)
time0 = time()
if not options.no_decoded_strings:
floss_logger.info("Identifying decoding functions...")
decoding_functions_candidates = im.identify_decoding_functions(vw, selected_plugins, selected_functions)
if options.expert:
print_identification_results(sample_file_path, decoding_functions_candidates)
floss_logger.info("Decoding strings...")
decoded_strings = decode_strings(vw, decoding_functions_candidates, min_length, options.no_filter)
if not options.expert:
decoded_strings = filter_unique_decoded(decoded_strings)
print_decoding_results(decoded_strings, options.group_functions, quiet=options.quiet, expert=options.expert)
else:
decoded_strings = []
if not options.no_stack_strings:
floss_logger.info("Extracting stackstrings...")
stack_strings = stackstrings.extract_stackstrings(vw, selected_functions, min_length, options.no_filter)
stack_strings = list(stack_strings)
if not options.expert:
# remove duplicate entries
stack_strings = set(stack_strings)
print_stack_strings(stack_strings, quiet=options.quiet, expert=options.expert)
else:
stack_strings = []
if options.x64dbg_database_file:
imagebase = vw.filemeta.values()[0]['imagebase']
floss_logger.info("Creating x64dbg database...")
create_x64dbg_database(sample_file_path, options.x64dbg_database_file, imagebase, decoded_strings)
if options.ida_python_file:
floss_logger.info("Creating IDA script...")
create_ida_script(sample_file_path, options.ida_python_file, decoded_strings, stack_strings)
if options.radare2_script_file:
floss_logger.info("Creating r2script...")
create_r2_script(sample_file_path, options.radare2_script_file, decoded_strings, stack_strings)
time1 = time()
if not options.quiet:
print("\nFinished execution after %f seconds" % (time1 - time0))
return 0
def main(argv=None):
"""
:param argv: optional command line arguments, like sys.argv[1:]
"""
logging.basicConfig(level=logging.WARNING)
parser = make_parser()
if argv is not None:
options, args = parser.parse_args(argv)
else:
options, args = parser.parse_args()
set_logging_level(options.debug, options.verbose)
if options.list_plugins:
print_plugin_list()
sys.exit(0)
sample_file_path = parse_sample_file_path(parser, args)
min_length = parse_min_length_option(options.min_length)
with open(sample_file_path, "rb") as f:
magic = f.read(2)
if options.all_strings:
floss_logger.info("Extracting static strings...")
print_static_strings(sample_file_path, min_length=min_length, quiet=options.quiet)
if magic not in SUPPORTED_FILE_MAGIC:
floss_logger.error("FLOSS currently supports the following formats: PE")
if not options.all_strings:
floss_logger.error("Recommend passing flag `-a` to extract static strings from any file type.")
return
if os.path.getsize(sample_file_path) > MAX_FILE_SIZE:
floss_logger.error("FLOSS cannot emulate files larger than %d bytes" % (MAX_FILE_SIZE))
if not options.all_strings:
floss_logger.error("Recommend passing flag `-a` to extract static strings from any sized file.")
return
floss_logger.info("Generating vivisect workspace")
vw = viv_utils.getWorkspace(sample_file_path)
selected_functions = select_functions(vw, options.functions)
floss_logger.debug("Selected the following functions: %s", ", ".join(map(hex, selected_functions)))
selected_plugin_names = select_plugins(options.plugins)
floss_logger.debug("Selected the following plugins: %s", ", ".join(map(str, selected_plugin_names)))
selected_plugins = filter(lambda p: str(p) in selected_plugin_names, get_all_plugins())
time0 = time()
floss_logger.info("Identifying decoding functions...")
decoding_functions_candidates = im.identify_decoding_functions(vw, selected_plugins, selected_functions)
if not options.quiet:
print_identification_results(sample_file_path, decoding_functions_candidates)
floss_logger.info("Decoding strings...")
function_index = viv_utils.InstructionFunctionIndex(vw)
decoded_strings = decode_strings(vw, function_index, decoding_functions_candidates)
print_decoding_results(decoded_strings, min_length, options.group_functions, quiet=options.quiet)
floss_logger.info("Extracting stackstrings...")
print_stack_strings(stackstrings.extract_stackstrings(vw, selected_functions), min_length, quiet=options.quiet)
if options.ida_python_file:
floss_logger.info("Creating IDA script...")
create_script(sample_file_path, options.ida_python_file, decoded_strings)
time1 = time()
if not options.quiet:
print("Finished execution after %f seconds" % (time1 - time0))