initial import

README.md

@@ -0,0 +1,128 @@
+<img src="resources/logo.png?raw=true " width="350"/>
+# FireEye Labs Obfuscated String Solver
+
+Malware authors encode data in binary files to hide malicious activity and
+impede reverse engineering.
+
+The goal of this project is to develop a tool that can automatically detect,
+extract, and decode obfuscated strings in PE executable files.
+
+
+# Quick Installation
+- Install vivisect:
+
+    `$ pip install https://github.com/williballenthin/vivisect/zipball/master`
+
+- Install FLOSS:
+
+    `$ pip install https://github.com/fireeye/flare-floss/zipball/master`
+
+
+# Usage
+Extract obfuscated strings from a malware binary:
+
+    $ floss /path/to/malware/binary
+
+Invoke the string decoder on a file.
+
+    $ floss /path/to/malware/binary
+
+Test individual functions (or a list of functions) using the `-f` switch.
+
+    $ floss /path/to/malware/binary -f 0x40166C,0x402647
+
+Display the help/usage screen to see all available switches.
+
+    $ ./floss -h
+
+
+
+# Setup
+## Requirements
+- `vivisect` - https://github.com/vivisect/vivisect, installable module from https://github.com/williballenthin/vivisect.git
+
+    $ pip install https://github.com/williballenthin/vivisect/zipball/master
+
+- `viv-utils` - https://www.github.com/williballenthin/viv-utils
+
+    $ pip install viv-utils
+
+- `pytest` - http://pytest.org
+
+    $ pip install pytest
+
+
+## Installation from Github
+This technique installs FLOSS to your local Python environment,
+but does not keep editable source files around for you to hack on.
+
+
+- Install vivisect:
+
+    `$ pip install https://github.com/williballenthin/vivisect/zipball/master`
+
+- Install FLOSS:
+
+    `$ pip install https://github.com/fireeye/flare-floss/zipball/master`
+
+
+## Installation from source
+Use this technique to install FLOSS, yet also keep source files in
+the `flare-floss` directory for you to hack on.
+
+- Install vivisect:
+
+    `$ pip install https://github.com/williballenthin/vivisect/zipball/master`
+
+- Clone this git repository:
+
+    `$ git clone https://github.com/fireeye/flare-floss`
+
+- Install FLOSS:
+
+    `$ pip install -e flare-floss`
+
+- (optional) Install pytest:
+
+    `$ pip install pytest`
+
+## Building standalone executables
+
+- Install pyinstaller:
+
+    `$ pip install pyinstaller`
+
+- Build standalone executable:
+
+    `$ pyinstaller floss.spec`
+
+- Distribute standalone executable:
+
+    `$ cp ./dist/floss.exe /the/internet`
+
+
+## Test
+Individual plugins and the whole program can be tested using `py.test` (http://pytest.org/latest/usage.html).
+The `--sp` option is required to configure the filesystem path of the directory containing sample files.
+
+## Examples
+Run all tests:
+
+    py.test --sp samples/malicious/ tests/
+
+Run all tests from file:
+
+    py.test --sp samples/malicious/ tests/test_floss.py
+
+Run test from file
+
+    py.test --sp samples/malicious/ tests/test_floss.py::test_plugins
+
+# Known Decoding Functions
+| Sample Hash | Function Offset |
+| --- | --- |
+|6ee35da59f92f71e757d4d5b964ecf00|0x40166C|
+|6ee35da59f92f71e757d4d5b964ecf00|0x402647|
+|8c713117af4ca6bbd69292a78069e75b|0x40104F|
+|8c713117af4ca6bbd69292a78069e75b|0x401718|
+|bf8616bbed6d804a3dea09b230c2ab0c|0x4010BB|

floss.spec

@@ -0,0 +1,152 @@
+# -*- mode: python -*-
+
+block_cipher = None
+
+a = Analysis(
+    ['floss/main.py'],
+             pathex=['floss'],
+             binaries=None,
+             datas=None,
+             hiddenimports=[
+              "plugnplay",
+              "viv_utils",
+
+              # vivisect stuff
+              "pycparser",
+              "vivisect.analysis",
+              "vivisect.analysis.amd64",
+              "vivisect.analysis.amd64.emulation",
+              "vivisect.analysis.crypto",
+              "vivisect.analysis.crypto.constants",
+              "vivisect.analysis.elf",
+              "vivisect.analysis.elf.elfplt",
+              "vivisect.analysis.generic",
+              "vivisect.analysis.generic.codeblocks",
+              "vivisect.analysis.generic.emucode",
+              "vivisect.analysis.generic.funcentries",
+              "vivisect.analysis.generic.impapi",
+              "vivisect.analysis.generic.mkpointers",
+              "vivisect.analysis.generic.pointers",
+              "vivisect.analysis.generic.pointertables",
+              "vivisect.analysis.generic.relocations",
+              "vivisect.analysis.generic.strconst",
+              "vivisect.analysis.generic.switchcase",
+              "vivisect.analysis.generic.thunks",
+              "vivisect.analysis.i386",
+              "vivisect.analysis.i386.calling",
+              "vivisect.analysis.i386.importcalls",
+              "vivisect.analysis.i386.thunk_bx",
+              "vivisect.analysis.ms",
+              "vivisect.analysis.ms.hotpatch",
+              "vivisect.analysis.ms.localhints",
+              "vivisect.analysis.ms.msvc",
+              "vivisect.analysis.ms.msvcfunc",
+              "vivisect.analysis.ms.vftables",
+              "vivisect.analysis.pe",
+              "vivisect.storage",
+              "vivisect.storage.basicfile",
+              "vivisect.parsers.blob",
+              "vivisect.parsers.elf",
+              "vivisect.parsers.ihex",
+              "vivisect.parsers.macho",
+              "vivisect.parsers.pe",
+              "vivisect.parsers.utils",
+              "vivisect.analysis.amd64",
+              "vivisect.analysis.crypto",
+              "vivisect.analysis.elf",
+              "vivisect.analysis.generic",
+              "vivisect.analysis.i386",
+              "vivisect.analysis.ms",
+              "vivisect.impapi.windows",
+              "vivisect.impapi.windows.amd64",
+              "vivisect.impapi.windows.i386",
+              "vstruct.constants",
+              "vstruct.constants.ntstatus",
+              "vstruct.defs",
+              "vstruct.defs.arm7",
+              "vstruct.defs.bmp",
+              "vstruct.defs.dns",
+              "vstruct.defs.elf",
+              "vstruct.defs.gif",
+              "vstruct.defs.ihex",
+              "vstruct.defs.inet",
+              "vstruct.defs.java",
+              "vstruct.defs.kdcom",
+              "vstruct.defs.macho",
+              "vstruct.defs.macho.const",
+              "vstruct.defs.macho.fat",
+              "vstruct.defs.macho.loader",
+              "vstruct.defs.macho.stabs",
+              "vstruct.defs.minidump",
+              "vstruct.defs.pcap",
+              "vstruct.defs.pe",
+              "vstruct.defs.pptp",
+              "vstruct.defs.rar",
+              "vstruct.defs.swf",
+              "vstruct.defs.win32",
+              "vstruct.defs.windows",
+              "vstruct.defs.windows.win_5_1_i386",
+              "vstruct.defs.windows.win_5_1_i386.ntdll",
+              "vstruct.defs.windows.win_5_1_i386.ntoskrnl",
+              "vstruct.defs.windows.win_5_1_i386.win32k",
+              "vstruct.defs.windows.win_5_2_i386",
+              "vstruct.defs.windows.win_5_2_i386.ntdll",
+              "vstruct.defs.windows.win_5_2_i386.ntoskrnl",
+              "vstruct.defs.windows.win_5_2_i386.win32k",
+              "vstruct.defs.windows.win_6_1_amd64",
+              "vstruct.defs.windows.win_6_1_amd64.ntdll",
+              "vstruct.defs.windows.win_6_1_amd64.ntoskrnl",
+              "vstruct.defs.windows.win_6_1_amd64.win32k",
+              "vstruct.defs.windows.win_6_1_i386",
+              "vstruct.defs.windows.win_6_1_i386.ntdll",
+              "vstruct.defs.windows.win_6_1_i386.ntoskrnl",
+              "vstruct.defs.windows.win_6_1_i386.win32k",
+              "vstruct.defs.windows.win_6_1_wow64",
+              "vstruct.defs.windows.win_6_1_wow64.ntdll",
+              "vstruct.defs.windows.win_6_2_amd64",
+              "vstruct.defs.windows.win_6_2_amd64.ntdll",
+              "vstruct.defs.windows.win_6_2_amd64.ntoskrnl",
+              "vstruct.defs.windows.win_6_2_amd64.win32k",
+              "vstruct.defs.windows.win_6_2_i386",
+              "vstruct.defs.windows.win_6_2_i386.ntdll",
+              "vstruct.defs.windows.win_6_2_i386.ntoskrnl",
+              "vstruct.defs.windows.win_6_2_i386.win32k",
+              "vstruct.defs.windows.win_6_2_wow64",
+              "vstruct.defs.windows.win_6_2_wow64.ntdll",
+              "vstruct.defs.windows.win_6_3_amd64",
+              "vstruct.defs.windows.win_6_3_amd64.ntdll",
+              "vstruct.defs.windows.win_6_3_amd64.ntoskrnl",
+              "vstruct.defs.windows.win_6_3_i386",
+              "vstruct.defs.windows.win_6_3_i386.ntdll",
+              "vstruct.defs.windows.win_6_3_i386.ntoskrnl",
+              "vstruct.defs.windows.win_6_3_wow64",
+              "vstruct.defs.windows.win_6_3_wow64.ntdll",
+             ],
+             hookspath=None,
+             runtime_hooks=None,
+             excludes=None,
+             win_no_prefer_redirects=None,
+             win_private_assemblies=None,
+             cipher=block_cipher)
+
+pyz = PYZ(a.pure, a.zipped_data,
+             cipher=block_cipher)
+
+exe = EXE(pyz,
+          a.scripts,
+          a.binaries,
+          exclude_binaries=False,
+          name='floss',
+          icon='resources/icon.ico',
+          debug=False,
+          strip=None,
+          upx=True,
+          console=True )
+
+coll = COLLECT(exe,
+               a.binaries,
+               a.zipfiles,
+               a.datas,
+               strip=None,
+               upx=True,
+               name='floss-dat')

floss/ArgumentMonitor.py

@@ -0,0 +1,12 @@
+import viv_utils
+
+
+class ArgumentMonitor(viv_utils.emulator_drivers.Monitor):
+    def __init__(self, vw):
+        viv_utils.emulator_drivers.Monitor.__init__(self, vw)
+
+    def prehook(self, emu, op, starteip):
+        self._logger.debug("prehook: %s: %s", hex(starteip), op)
+
+    def apicall(self, emu, op, pc, api, argv):
+        self._logger.debug("apicall: %s %s %s %s", op, pc, api, argv)