Fnord – Pattern Extractor For Obfuscated Code


Fnord is a pattern extractor for obfuscated code

Description
Fnord has two main functions:

  1. Extract byte sequences and create some statistics
  2. Use these statistics, combining length, number of occurrences, similarity and keywords, to create a YARA rule


1. Statistics
Fnord processes the file with a sliding window of varying size to extract all sequences from a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord presents the most frequently occurring sequences -t X (default: 3) in a table.
Each line in the table contains:

  • Length
  • Number of occurrences
  • Sequence (string)
  • Formatted (ascii/wide/hex)
  • Hex encoded form
  • Entropy

2. YARA Rule Creation
Fnord also generates an experimental YARA rule. During YARA rule creation it calculates a score based on the length of the sequence and the number of occurrences (length * occurrences). It then processes each sequence by removing all non-letter characters and comparing the result with a list of keywords (case-insensitive) to detect sequences that are more interesting than others. Before writing each string to the rule, Fnord calculates a Levenshtein distance and skips sequences that are too similar to sequences that have already been integrated into the rule.
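The following is an added example, not Fnord's own code: a small Python re-implementation of the two steps described above, so the mechanics of the statistics table and of the scoring, keyword boost, Levenshtein de-duplication and rule emission can be read in one place. The keyword list, the count cap, the way the similarity setting is turned into an edit-distance threshold and the sample input are all assumptions made here for illustration; Fnord's real defaults and keyword list differ.

```python
# Added example, not Fnord's own code: a minimal re-implementation of the two
# steps described in the README (sliding-window statistics, then scored and
# de-duplicated YARA strings). Keyword list, count cap, similarity threshold
# and sample input are assumptions made for illustration.
import math
import re
from collections import Counter

# Assumed keyword list, compared case-insensitively against the letters-only
# form of each sequence. Fnord ships its own, longer list.
KEYWORDS = ("eval", "exec", "chr", "replace", "fromcharcode",
            "wscript", "shell", "powershell", "createobject")

# Constructed sample input: a few lines of Chr()-obfuscated VBScript.
SAMPLE = (
    b'Set o = CreateObject("WScript.Shell")\r\n'
    b'x = Chr(112) & Chr(111) & Chr(119) & Chr(101) & Chr(114) & Chr(115)\r\n'
    b'y = Chr(104) & Chr(101) & Chr(108) & Chr(108)\r\n'
    b'Execute(x & y)\r\n'
)


def entropy(data: bytes) -> float:
    """Shannon entropy of the sequence in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_sequences(data, min_len=4, max_len=40, top=3, min_occ=2):
    """Step 1: slide a window of every length over the data, count each
    sequence and keep the `top` most frequent ones per length.
    Returns (length, occurrences, sequence, entropy) rows."""
    rows = []
    for length in range(min_len, min(max_len, len(data)) + 1):
        counts = Counter(data[i:i + length] for i in range(len(data) - length + 1))
        for seq, cnt in counts.most_common(top):
            if cnt < min_occ:
                break
            rows.append((length, cnt, seq, round(entropy(seq), 2)))
    return rows


def levenshtein(a: bytes, b: bytes) -> int:
    """Edit distance between two byte strings, used to drop near-duplicates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score(length, count, seq, keyword_mult=2.0, count_limit=20):
    """Step 2 scoring: length * occurrences, with the count capped (the -c
    idea) and the score multiplied if a keyword is found (the -k idea)."""
    s = length * min(count, count_limit)
    letters = re.sub(rb"[^A-Za-z]", b"", seq).lower()
    if any(k.encode() in letters for k in KEYWORDS):
        s *= keyword_mult
    return s


def build_rule(data, name="fnord_like", max_strings=5, similarity=1.5, **kw):
    """Rank sequences by score, skip ones too close to already chosen strings
    and emit a YARA rule. Returns (rule_text, chosen_sequences)."""
    ranked = sorted(extract_sequences(data, **kw),
                    key=lambda r: score(r[0], r[1], r[2]), reverse=True)
    chosen = []
    for length, cnt, seq, ent in ranked:
        # Assumed mapping of the similarity setting: a candidate is skipped if
        # its edit distance to any chosen string is below length / similarity,
        # so a larger value lets more similar strings through.
        if any(levenshtein(seq, c) < length / similarity for c in chosen):
            continue
        chosen.append(seq)
        if len(chosen) >= max_strings:
            break
    if not chosen:
        return "", chosen
    lines = [f"rule {name} {{", "    strings:"]
    for i, seq in enumerate(chosen, 1):
        # Printable sequences without quote or backslash become text strings,
        # everything else is written as a YARA hex string.
        if all(0x20 <= b < 0x7F for b in seq) and b'"' not in seq and b"\\" not in seq:
            lines.append(f'        $s{i} = "{seq.decode()}" ascii')
        else:
            lines.append(f"        $s{i} = {{ {seq.hex(' ')} }}")
    lines += ["    condition:", f"        {max(1, len(chosen) // 2)} of them", "}"]
    return "\n".join(lines), chosen


if __name__ == "__main__":
    for row in extract_sequences(SAMPLE, max_len=12, top=1):
        print(row)
    print(build_rule(SAMPLE)[0])
```

On the constructed sample the top-scoring string is `) & Chr(1` (length 9, 8 occurrences, keyword `chr` matched), and the shorter overlapping windows such as ` & Chr(1` are dropped by the distance check rather than padding the rule with near-copies of the same pattern.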

Status
[Experimental] Fnord was created a few days ago and I have tested it with a handful of samples. My guess is that I'll adjust the defaults in the coming weeks and add some more keywords, filters and scoring options.

Improve the Results
If you have found obfuscated code in a sample, use a hex editor to extract the obfuscated section of the sample and save it to a new file. Use that new file for the analysis.
Play with the flags -s, -k, -r, --yara-strings, -m and -e.
Please send me samples that produce weak YARA rules that could be better.

Usage

        ____                 __
       / __/__  ___  _______/ /
      / _// _ \/ _ \/ __/ _  /
     /_/ /_//_/\___/_/  \_,_/ Pattern Extractor for Obfuscated Code
     v0.6, Florian Roth

    usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
                    [-e min-entropy] [--strings] [--include-padding] [--debug]
                    [--noyara] [-s similarity] [-k keywords-multiplier]
                    [-r structure-multiplier] [-c count-limiter] [--yara-exact]
                    [--yara-strings max] [--show-score] [--show-count]
                    [--author author]

    Fnord - Pattern Extractor for Obfuscated Code

    optional arguments:
      -h, --help            show this help message and exit
      -f file               File to process
      -m min                Minimum sequence length
      -x max                Maximum sequence length
      -t top                Number of items in the Top x list
      -n min-occ            Minimum number of occurrences to show
      -e min-entropy        Minimum entropy
      --strings             Show strings only
      --include-padding     Include 0x00 and 0x20 in the extracted strings
      --debug               Debug output

    YARA Rule Creation:
      --noyara              Do not generate an experimental YARA rule
      -s similarity         Allowed similarity (use values between 0.1=low and
                            10=high, default=1.5)
      -k keywords-multiplier
                            Keywords multiplier (multiplies score of sequences if
                            keyword is found) (best use values between 1 and 5,
                            default=2.0)
      -r structure-multiplier
                            Structure multiplier (multiplies score of sequences if
                            it is identified as code structure and not payload)
                            (best use values between 1 and 5, default=2.0)
      -c count-limiter      Count limiter (limits the impact of the count by
                            capping it at a certain amount) (best use values
                            between 5 and 100, default=20)
      --yara-exact          Add magic header and magic footer limitations to the
                            rule
      --yara-strings max    Maximum sequence length
      --show-score          Show score in comments of YARA rules
      --show-count          Show count in sample in comments of YARA rules
      --author author       YARA rule author

Getting Started

  1. git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
  2. pip3 install -r ./requirements.txt
  3. python3 ./fnord.py --help

Examples

python3 fnord.py -f ./test/wraeop.sct --yara-strings 10
python3 fnord.py -f ./test/vbs.txt --show-score --show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt --show-score --show-count -t 1 --yara-strings 4 --yara-exact

Screenshots

FAQs

Why did not you combine Fnord in yarGen?
yarGen uses a whitelisting approach to filter the strings that are best for the creation of a YARA rule. yarGen applies some regular expressions to adjust the scores of strings before creating the YARA rules. Its approach is very different from the method used by Fnord, which calculates the score of the byte sequences based on statistics.
While yarGen is best used for un-obfuscated code, Fnord is for obfuscated code only and should produce much better results than yarGen there.

Contact
Follow on Twitter for updates @cyb3rops
