Fnord is a pattern extractor for obfuscated code
Fnord has two main functions:
- Extract byte sequences and create some statistics
- Use these statistics, combining length, number of occurrences, similarity and keywords, to create a YARA rule
1. Statistics
Fnord processes the file with a sliding window of varying size to extract all sequences with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table.
Each line in the table contains:
- Number of occurrences
- Sequence (string)
- Formatted (ascii/wide/hex)
- Hex encoded form
2. YARA Rule Creation
Fnord also generates an experimental YARA rule. During YARA rule creation it calculates a score based on the length of the sequence and the number of occurrences (length * occurrences). It then processes each sequence by removing all non-letter characters and comparing the result with a list of keywords (case-insensitive) to detect sequences that are more interesting than others. Before writing each string to the rule, Fnord calculates a Levenshtein distance and skips sequences that are too similar to sequences that have already been integrated into the rule.
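The two stages described above, the sliding-window statistics with a top-N table and the scored, de-duplicated YARA rule, as an added worked example. This is illustrative code written for this page, not Fnord's own source: the keyword list, the 0..1 similarity threshold (which does not correspond to Fnord's -s scale), the hex-only string form, the "all of them" condition and the VBScript-style input are all assumptions made here.

```python
import re
from collections import Counter

# Keyword list is an assumption for this example; Fnord ships its own list.
KEYWORDS = ("eval", "exec", "chr", "shell", "wscript", "powershell", "unescape", "frombase64string")

# Constructed VBScript-style obfuscation, not a real sample.
SAMPLE = (
    b'x=Chr(101)&Chr(118)&Chr(97)&Chr(108)\n'
    b'y=Chr(119)&Chr(115)&Chr(104)\n'
    b'Execute(x&"(""hi"")")\n'
    b'Execute(y)\n'
)


def extract_sequences(data: bytes, min_len: int = 4, max_len: int = 40) -> dict:
    """Slide a window of every length in [min_len, max_len] over the data and
    count each distinct byte sequence (the -m / -x stage)."""
    return {n: Counter(data[i:i + n] for i in range(len(data) - n + 1))
            for n in range(min_len, max_len + 1)}


def classify(seq: bytes) -> str:
    """'Formatted' column: ascii, wide (UTF-16LE-looking) or hex."""
    def printable(bs):
        return all(0x20 <= b < 0x7F for b in bs)
    if printable(seq):
        return "ascii"
    if len(seq) % 2 == 0 and all(b == 0 for b in seq[1::2]) and printable(seq[0::2]):
        return "wide"
    return "hex"


def top_sequences(stats: dict, top: int = 3, min_occ: int = 2) -> list:
    """Table rows (length, occurrences, sequence, formatted, hex) holding the
    most frequent sequences of each length (the -t / -n stage)."""
    rows = []
    for n in sorted(stats):
        for rank, (seq, count) in enumerate(stats[n].most_common()):
            if rank >= top or count < min_occ:
                break
            rows.append((n, count, seq, classify(seq), " ".join(f"{b:02x}" for b in seq)))
    return rows


def score(seq: bytes, count: int, count_limiter: int = 20, keyword_multiplier: float = 2.0) -> float:
    """length * occurrences, with the count capped (-c) and multiplied (-k)
    when the letters-only, lower-cased form contains a keyword."""
    base = len(seq) * min(count, count_limiter)
    letters = re.sub(rb"[^A-Za-z]", b"", seq).lower()
    if any(k.encode() in letters for k in KEYWORDS):
        return base * keyword_multiplier
    return float(base)


def levenshtein(a, b) -> int:
    """Classic dynamic-programming edit distance; works on str or bytes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def build_yara_rule(rows: list, name: str = "fnord_example", max_strings: int = 10,
                    max_similarity: float = 0.7) -> str:
    """Rank rows by score, skip candidates whose normalised edit similarity to an
    already chosen string exceeds max_similarity (a 0..1 scale assumed here, not
    Fnord's -s scale) and emit a rule with hex strings and an assumed condition."""
    ranked = sorted(rows, key=lambda r: score(r[2], r[1]), reverse=True)
    chosen = []
    for row in ranked:
        if len(chosen) >= max_strings:
            break
        seq = row[2]
        if any(1 - levenshtein(seq, c[2]) / max(len(seq), len(c[2])) > max_similarity
               for c in chosen):
            continue
        chosen.append(row)
    lines = [f"rule {name} {{", "    strings:"]
    for i, (n, count, seq, fmt, hexed) in enumerate(chosen, 1):
        lines.append(f"        $s{i} = {{ {hexed} }}  "
                     f"// {fmt} len={n} count={count} score={score(seq, count):.1f}")
    lines += ["    condition:", "        all of them", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    table = top_sequences(extract_sequences(SAMPLE))
    for n, count, seq, fmt, hexed in table:
        print(f"{n:>3} {count:>4} {seq!r:<28} {fmt:<5} {hexed}")
    print(build_yara_rule(table, name="obfuscated_vbs_chr", max_strings=5))
```

Hex strings are used for every entry so that the raw bytes of a "wide" sequence (including the interleaved nulls) are matched exactly; the score and count in the trailing comment mirror what --show-score and --show-count add to a real Fnord rule.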
[Experimental] Fnord was created a few days ago and I have tested it with a handful of samples. My guess is that I'll adjust the defaults in the coming weeks and add some more keywords, filters and scoring options.
Improve the Results
If you have found obfuscated code in a sample, use a hex editor to extract the obfuscated section of the sample and save it to a new file. Use that new file for the analysis.
Play with the flags of the YARA Rule Creation group (-s, -k, -r, -c, --yara-exact).
Please send me samples that produce weak YARA rules that could be better.
Pattern Extractor for Obfuscated Code v0.6, Florian Roth

usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
                [-e min-entropy] [--strings] [--include-padding] [--debug]
                [--noyara] [-s similarity] [-k keywords-multiplier]
                [-r structure-multiplier] [-c count-limiter] [--yara-exact]
                [--yara-strings max] [--show-score] [--show-count]
                [--author author]

Fnord - Pattern Extractor for Obfuscated Code

optional arguments:
  -h, --help            show this help message and exit
  -f file               File to process
  -m min                Minimum sequence length
  -x max                Maximum sequence length
  -t top                Number of items in the Top x list
  -n min-occ            Minimum number of occurrences to show
  -e min-entropy        Minimum entropy
  --strings             Show strings only
  --include-padding     Include 0x00 and 0x20 in the extracted strings
  --debug               Debug output

YARA Rule Creation:
  --noyara              Do not generate an experimental YARA rule
  -s similarity         Allowed similarity (use values between 0.1=low and
                        10=high, default=1.5)
  -k keywords-multiplier
                        Keywords multiplier (multiplies score of sequences if
                        keyword is found) (best use values between 1 and 5,
                        default=2.0)
  -r structure-multiplier
                        Structure multiplier (multiplies score of sequences if
                        it's identified as code structure and not payload)
                        (best use values between 1 and 5, default=2.0)
  -c count-limiter      Count limiter (limts the impact of the count by
                        capping it at a certain amount) (best use values
                        between 5 and 100, default=20)
  --yara-exact          Add magic header and magic footer limitations to the
                        rule
  --yara-strings max    Maximum sequence length
  --show-score          Show score in comments of YARA rules
  --show-count          Show count in sample in comments of YARA rules
  --author author       YARA rule author
git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
pip3 install -r ./requirements.txt
python3 ./fnord.py --help
python3 fnord.py -f ./test/wraeop.sct --yara-strings 10
python3 fnord.py -f ./test/vbs.txt --show-score --show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt --show-score --show-count -t 1 --yara-strings 4 --yara-exact
Why didn't you integrate Fnord in yarGen?
yarGen uses a white-listing approach to filter the strings that are best for the creation of a YARA rule. yarGen applies some regular expressions to adjust scores of strings before creating the YARA rules. But its approach is very different from the method used by Fnord, which calculates the score of the byte sequences based on statistics.
While yarGen is best used for un-obfuscated code, Fnord is for obfuscated code only and should produce much better results than yarGen there.
Follow on Twitter for updates @cyb3rops