- Joined
- May 15, 2017
- Messages
- 981
- Likes
- 760
- Points
- 1,045
Fnord is a pattern extractor for obfuscated code
Description
Fnord has two main functions:
Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord will present the most frequently occurring sequences -t X(default: 3) in a table.
Each line in the table contains:
2. YARA Rule Creation
Fnord also generates an experimental YARA rule. During YARA rule creation it will calculate a score based in the length of the sequence and the number of occurrences (length * occurrences). It will then process each sequences by removing all non-letter characters and comparing them with a list of keywords (case-insensitive) to detect sequences that are more interesting than others. Before writing each string to the rule Fnord calculates a Levenshtein distance and skips sequences that are too similar to sequences that have already been integrated in the rule.
Status
[Experimental] Fnord was created a few days ago and I have tested it with a handful of samples. My guess is that I'll adjust the defaults in the coming weeks and add some more keywords, filters, scoring options.
Improve the Results
If you've found obfuscated code in a sample, use a hex editor to extract the obfuscated section of the sample and save to a new file. Use that new file for the analysis.
Play with the flags -s, -k, -r, --yara-strings, -mand-e`.
Please send me samples that produce weak YARA rules that could be better.
Getting Started
Description
Fnord has two main functions:
- Extract byte sequences and create some statistics
- Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule
Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40). For each length, Fnord will present the most frequently occurring sequences -t X(default: 3) in a table.
Each line in the table contains:
- Length
- Number of occurrences
- Sequence (string)
- Formatted (ascii/wide/hex)
- Hex encoded form
- Entropy
2. YARA Rule Creation
Fnord also generates an experimental YARA rule. During YARA rule creation it will calculate a score based in the length of the sequence and the number of occurrences (length * occurrences). It will then process each sequences by removing all non-letter characters and comparing them with a list of keywords (case-insensitive) to detect sequences that are more interesting than others. Before writing each string to the rule Fnord calculates a Levenshtein distance and skips sequences that are too similar to sequences that have already been integrated in the rule.
Status
[Experimental] Fnord was created a few days ago and I have tested it with a handful of samples. My guess is that I'll adjust the defaults in the coming weeks and add some more keywords, filters, scoring options.
Improve the Results
If you've found obfuscated code in a sample, use a hex editor to extract the obfuscated section of the sample and save to a new file. Use that new file for the analysis.
Play with the flags -s, -k, -r, --yara-strings, -mand-e`.
Please send me samples that produce weak YARA rules that could be better.
Getting Started
Download Fnord