def extract_stackstrings(vw, selected_functions, min_length, no_filter=False):
    '''
    Yield the stackstrings recovered from the selected functions of a workspace.

    Every call context returned by `extract_call_contexts` has its stack
    memory scanned twice: first with `strings.extract_ascii_strings`, then
    with `strings.extract_unicode_strings`. A given string is reported at
    most once per function (the `seen` set is reset for each function).

    NOTE(review): the yielded text is copied out of `ctx.stack_memory`,
     presumably memory of the program under analysis. Consumers should
     treat it as untrusted data when printing or storing it.

    :param vw: The vivisect workspace from which to extract stackstrings.
    :param selected_functions: list of selected functions
    :param min_length: minimum string length
    :param no_filter: do not filter deobfuscated stackstrings
    :rtype: Generator[StackString]
    '''
    logger.debug('extracting stackstrings from %d functions', len(selected_functions))
    bb_ends = get_basic_block_ends(vw)

    for fva in selected_functions:
        logger.debug('extracting stackstrings from function: 0x%x', fva)
        # De-duplication is per function, not per call context.
        seen = set()

        for ctx in extract_call_contexts(vw, fva, bb_ends):
            logger.debug(
                'extracting stackstrings at checkpoint: 0x%x stacksize: 0x%x',
                ctx.pc, ctx.init_sp - ctx.sp)

            # ASCII candidates are processed before the unicode ones.
            for extractor in (strings.extract_ascii_strings,
                              strings.extract_unicode_strings):
                for candidate in extractor(ctx.stack_memory):
                    raw = candidate.s
                    # Overlong candidates are dropped before any filtering.
                    if len(raw) > MAX_STRING_LENGTH:
                        continue

                    if no_filter:
                        text = raw
                    elif is_fp_string(raw):
                        # Recognised false positive: skip it.
                        continue
                    else:
                        text = strip_string(raw)

                    if text in seen or len(text) < min_length:
                        continue

                    frame_offset = ((ctx.init_sp - ctx.sp)
                                    - candidate.offset - getPointerSize(vw))
                    yield StackString(fva, text, ctx.pc, ctx.sp, ctx.init_sp,
                                      candidate.offset, frame_offset)
                    seen.add(text)
def extract_stackstrings(vw, selected_functions, min_length, no_filter=False):
    '''
    Yield the stackstrings recovered from the selected functions of a workspace.

    Every call context returned by `extract_call_contexts` has its stack
    memory scanned twice: first with `strings.extract_ascii_strings`, then
    with `strings.extract_unicode_strings`. A given string is reported at
    most once per function (the `seen` set is reset for each function).

    NOTE(review): the yielded text is copied out of `ctx.stack_memory`,
     presumably memory of the program under analysis. Consumers should
     treat it as untrusted data when printing or storing it.

    :param vw: The vivisect workspace from which to extract stackstrings.
    :param selected_functions: list of selected functions
    :param min_length: minimum string length
    :param no_filter: do not filter deobfuscated stackstrings
    :rtype: Generator[StackString]
    '''
    logger.debug('extracting stackstrings from %d functions', len(selected_functions))
    bb_ends = get_basic_block_ends(vw)

    for fva in selected_functions:
        logger.debug('extracting stackstrings from function: 0x%x', fva)
        # De-duplication is per function, not per call context.
        seen = set()

        for ctx in extract_call_contexts(vw, fva, bb_ends):
            logger.debug(
                'extracting stackstrings at checkpoint: 0x%x stacksize: 0x%x',
                ctx.pc, ctx.init_sp - ctx.sp)

            # ASCII candidates are processed before the unicode ones.
            for extractor in (strings.extract_ascii_strings,
                              strings.extract_unicode_strings):
                for candidate in extractor(ctx.stack_memory):
                    raw = candidate.s
                    # Overlong candidates are dropped before any filtering.
                    if len(raw) > MAX_STRING_LENGTH:
                        continue

                    if no_filter:
                        text = raw
                    elif is_fp_string(raw):
                        # Recognised false positive: skip it.
                        continue
                    else:
                        text = strip_string(raw)

                    if text in seen or len(text) < min_length:
                        continue

                    frame_offset = ((ctx.init_sp - ctx.sp)
                                    - candidate.offset - getPointerSize(vw))
                    yield StackString(fva, text, ctx.pc, ctx.sp, ctx.init_sp,
                                      candidate.offset, frame_offset)
                    seen.add(text)
def extract_strings(b, min_length, no_filter):
    '''
    Collect the ASCII and UTF-16 strings contained in a decoded buffer.

    ASCII strings are gathered first, UTF-16 strings second. Unlike a
    de-duplicating extractor, this function keeps repeated strings: every
    candidate that passes the length and false-positive checks is returned.

    NOTE(review): the returned text is carved from `b.s`, i.e. data produced
     by decoding -- treat it as untrusted when printing or storing it.

    :type b: decoding_manager.DecodedString
    :param b: The data from which to extract the strings. Note it's a
     DecodedString instance that tracks extra metadata beyond the
     bytestring contents.
    :param min_length: minimum string length
    :param no_filter: do not filter decoded strings
    :rtype: Sequence[decoding_manager.DecodedString]
    '''
    found = []

    for extractor in (strings.extract_ascii_strings,
                      strings.extract_unicode_strings):
        for candidate in extractor(b.s):
            raw = candidate.s
            # Overlong candidates are dropped before any filtering.
            if len(raw) > MAX_STRING_LENGTH:
                continue

            if no_filter:
                text = raw
            elif is_fp_string(raw):
                # Recognised false positive: skip it.
                continue
            else:
                text = strip_string(raw)

            if len(text) < min_length:
                continue

            # The new address is the buffer's base plus the string's offset
            # inside it; the remaining metadata is inherited from `b`.
            found.append(DecodedString(b.va + candidate.offset, text,
                                       b.decoded_at_va, b.fva,
                                       b.characteristics))

    return found
def signature_key_for_post(cls, post):
    """Return the hex MD5 digest used as the signature key of a post.

    The digest covers the UTF-8 encoded title, source link and the value of
    the first content entry, concatenated without a separator and passed
    through `strip_string`. The digest is also written to the log at INFO
    level.

    NOTE(review): MD5 is not collision-resistant, and the three fields are
    joined without a delimiter, so different (title, link, content) triples
    can produce the same input. That is tolerable for a change-detection
    fingerprint, but the key should not be relied on where whoever supplies
    the post content would benefit from two posts sharing a key. Replacing
    the hash changes every previously computed key, so it would need a
    migration of stored values.
    """
    title = post["title"].encode("utf-8")
    link = post["source"]["link"].encode("utf-8")
    body = post["content"][0]["value"].encode("utf-8")

    digest = hashlib.md5(strip_string(title + link + body)).hexdigest()
    logging.info(digest)
    return digest
def signature_key_for_post(cls, post):
    """Return the hex MD5 digest used as the signature key of a post.

    The digest covers the UTF-8 encoded title, source link and the value of
    the first content entry, concatenated without a separator and passed
    through `strip_string`. The digest is also written to the log at INFO
    level.

    NOTE(review): MD5 is not collision-resistant, and the three fields are
    joined without a delimiter, so different (title, link, content) triples
    can produce the same input. That is tolerable for a change-detection
    fingerprint, but the key should not be relied on where whoever supplies
    the post content would benefit from two posts sharing a key. Replacing
    the hash changes every previously computed key, so it would need a
    migration of stored values.
    """
    title = post["title"].encode("utf-8")
    link = post["source"]["link"].encode("utf-8")
    body = post["content"][0]["value"].encode("utf-8")

    digest = hashlib.md5(strip_string(title + link + body)).hexdigest()
    logging.info(digest)
    return digest
def extract_strings(b, min_length, no_filter):
    '''
    Collect the ASCII and UTF-16 strings contained in a decoded buffer.

    ASCII strings are gathered first, UTF-16 strings second. Unlike a
    de-duplicating extractor, this function keeps repeated strings: every
    candidate that passes the length and false-positive checks is returned.

    NOTE(review): the returned text is carved from `b.s`, i.e. data produced
     by decoding -- treat it as untrusted when printing or storing it.

    :type b: decoding_manager.DecodedString
    :param b: The data from which to extract the strings. Note it's a
     DecodedString instance that tracks extra metadata beyond the
     bytestring contents.
    :param min_length: minimum string length
    :param no_filter: do not filter decoded strings
    :rtype: Sequence[decoding_manager.DecodedString]
    '''
    found = []

    for extractor in (strings.extract_ascii_strings,
                      strings.extract_unicode_strings):
        for candidate in extractor(b.s):
            raw = candidate.s
            # Overlong candidates are dropped before any filtering.
            if len(raw) > MAX_STRING_LENGTH:
                continue

            if no_filter:
                text = raw
            elif is_fp_string(raw):
                # Recognised false positive: skip it.
                continue
            else:
                text = strip_string(raw)

            if len(text) < min_length:
                continue

            # The new address is the buffer's base plus the string's offset
            # inside it; the remaining metadata is inherited from `b`.
            found.append(DecodedString(b.va + candidate.offset, text,
                                       b.decoded_at_va, b.fva,
                                       b.characteristics))

    return found
def set_fname(self, fname, sub):
    """Build the name ``fname(sub)`` and return it after `strip_string`.

    Despite the name, nothing is stored on ``self``; the value is only
    returned. The second argument handed to `strip_string` is the character
    set "{}' "; presumably those characters are trimmed from the result.
    TODO confirm against `strip_string`, which is defined elsewhere.
    """
    combined = "{}({})".format(fname, sub)
    return strip_string(combined, "{}' ")