flare-floss
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
APACHE-2.0 License
Bot releases are hidden (Show)
New Features
- updated Rust Version Database and Scripts by @Arker123 in https://github.com/mandiant/flare-floss/pull/926
- fix: handle default prompt when stdout is redirected by @Arker123 in https://github.com/mandiant/flare-floss/pull/938
- provide an option to install right click menu option for Windows by @lyc8503 in https://github.com/mandiant/flare-floss/pull/970
- feat: added decoding functions calls by @RahulSankhla312 in https://github.com/mandiant/flare-floss/pull/978
Other Updates
- fix typo in README.md by @sleeyax in https://github.com/mandiant/flare-floss/pull/936
- updated various dependencies
- including bump-pydantic from 1.10.9 to 2.6.0 by @Aayush-Goel-04 in https://github.com/mandiant/flare-floss/pull/954
- changed deprecated pytest functionality by @Sylan-Padmakumar in https://github.com/mandiant/flare-floss/pull/959
- migrate to pyproject toml by @s-ff in https://github.com/mandiant/flare-floss/pull/967
- [CI] Update GitHub actions by @rimvydascivilis in https://github.com/mandiant/flare-floss/pull/982
New Contributors
- @sleeyax made their first contribution in https://github.com/mandiant/flare-floss/pull/936
- @Sylan-Padmakumar made their first contribution in https://github.com/mandiant/flare-floss/pull/959
- @s-ff made their first contribution in https://github.com/mandiant/flare-floss/pull/967
- @lyc8503 made their first contribution in https://github.com/mandiant/flare-floss/pull/970
- @rimvydascivilis made their first contribution in https://github.com/mandiant/flare-floss/pull/982
- @RahulSankhla312 made their first contribution in https://github.com/mandiant/flare-floss/pull/978
Full Changelog: https://github.com/mandiant/flare-floss/compare/v3.0.1...v3.1.0
Published by mr-tz 10 months ago
This release fixes the missing language module in the v3.0.0 PyPI build.
Published by mr-tz 10 months ago
New Features
- identification of programs written in Go, Rust, and .NET
- extraction of strings embedded in Go programs
- extraction of strings embedded in Rust programs
Other Updates
- updates to the IDA plugin
- upgraded minimum required Python version to 3.8
- various bug fixes
- various code quality improvements
Google Summer of Code 2023
@Arker123 contributed the majority of features and improvements during the Google Summer of Code working closely with the Mandiant FLARE team. We'd like to thank him for the great collaboration and discussions before, during, and after the twelve week program.
Contributors
Thanks to all our contributors, including @symbolicvoid, @DiegoRomeo, @sara-rn and especially @Arker123
Full Changelog: https://github.com/mandiant/flare-floss/compare/v2.3.0...v3.0.0
Published by williballenthin over 1 year ago
fixes:
- PyInstaller build
Published by williballenthin over 1 year ago
changes:
- add column to show
Uto indicated UTF-16LE string (versus ASCII default) - add database of common junk code strings
- add -n minimum string length CLI option
Published by williballenthin over 1 year ago
changes:
- parse and display PE Authenticode signature region
fixes:
- handling of non-PE files
- various PE and code parsing fixes in lancelot
Published by williballenthin over 1 year ago
changes:
- re-enable structure hints for strings found in known structures
- tweak color used to display string address
Published by mr-tz over 1 year ago
New Features
- added false positive string filters
- use rich library for rendering of output and traceback
- initial detection of binaries compiled using Go
- updated dependencies
Other Updates
- various bug fixes
Contributors
Thanks to all our contributors, including @d01a, @Arker123, @Dobatymo, @Aayush-Goel-04, @symbolicvoid, @EmperialX, @ggold7046, @ooprathamm, @deepaksirohiwal, and @DeeyaSingh!
Published by williballenthin over 1 year ago
changes:
- recursively parse PE files, such as those found with resources
- add additional global prevalence database derived from 7 days of VT downloads
- render regions with borders to better show groupings
- don't show library tags when there are less than five matches to avoid false positives
- hide strings that overlap with code
Published by williballenthin over 1 year ago
Published by mr-tz almost 2 years ago
New Features
- ignore stackstrings and decoded strings that functions reference before analysis/decoding
- updated dependencies, FLOSS now supports Python 3.11
Other Updates
- macOS builds and tests now use
macos-11
Published by mr-tz about 2 years ago
New Features
- add
--large-fileargument to process larger files - Python package now contains the signature files to identify library functions
Other Updates
- updated IDA Pro integration and annotation scripts
Published by mr-tz over 2 years ago
This major update brings many new features and improvements. FLOSS now handles an additional string obfuscation technique that we call "tight strings". For details on tight strings and the additional changes please see our FLOSS Version 2.0 release blog post.
New Features
- extract tight strings
- library function recognition via FLIRT signatures
- improved logging and results output
- enhanced decoding and extraction of stackstrings and encoded strings
- shortcut emulation if no results identified
- reduce false positive strings output
- load and render existing results document
Breaking Changes
- simplified usage via improved command-line arguments
- changed many internal functions and the FLOSS API
- FLOSS supports Python 3 only now
- all output is based on JSON results document now
- revamped function identification mechanism and removed old plugin system
- more and enhanced API emulation hooks
Other Updates
- new logo and icon
- updated CI to use GitHub Actions
Published by williballenthin over 3 years ago
adds:
- static string json output format @mr-tz
- test case invoking main @mr-tz
- tests via GH actions @mr-tz
- builds via GH actions, uploads to releases page @williballenthin
- pushed to pypi via GH actions @williballenthin
changes:
- package relative imports @b0urb0n
- register tests in setup.py @b0urb0n
- vivisect version @r0ny123
- code style via black, isort @mr-tz
- test files in sub repo @mr-tz
fixes:
- vivisect pyinstaller @williballenthin
- IDA 7.4+ support @Ana06
- strings algorithm via bytes @jedimasterbot
changes: v1.6.1...v1.7.0
Published by williballenthin over 3 years ago
preparing CI for release
Published by williballenthin over 3 years ago
preparing CI for release
Published by williballenthin over 3 years ago
preparing CI for release v1.7.0
Published by williballenthin over 4 years ago
fixes the version embedded within the binary
Published by williballenthin over 4 years ago
fixes:
- logging levels
- some api function hooks
- code style
adds:
- additional scripts for ida and binja
- cli option to configure max emulation instruction count
- option to emit json file with results
contributors:
- @capnspacehook
- @BenjaminSoelberg
- @fevral
- @Ana06
- @b0urb0n
Thanks, all!
Published by mr-tz over 7 years ago
Major changes:
- filtering of false positive deobfuscated strings
- new
--no-filteroption to disable filtering - improved heuristics to find stackstrings
- enhanced stackstrings extraction
- additional API hooks, improving emulation coverage
Please be aware that some of the APIs, e.g. decode_strings and extract_stackstrings, changed.
