mandiant/flare-floss

Floss not throwing error on ELF go binaries.

c-urly opened this issue · 3 comments

c-urly commented

I don't know if this is an issue, but floss is trying to analyze a Go ELF binary using vivisect.
Is this expected? If yes, I am not able to understand the output.

$ floss --debug go_elf_files/string1
DEBUG: floss: --------------------------------------------------------------------------------
DEBUG: floss: Using default embedded signatures.
DEBUG: floss: To provide your own signatures, use the form floss.exe --signature ./path/to/signatures/ /path/to/mal.exe.
DEBUG: floss: --------------------------------------------------------------------------------
DEBUG: floss.language.identify: FLOSS currently only detects if Windows PE files were written in Go or .NET. This is not a valid PE file: 'DOS Header magic not found.'
INFO: floss: extracting static strings
RISHI:True
DEBUG: floss: reading signatures from directory /mnt/e/Github/flare-floss/floss/sigs
DEBUG: floss: found signature file: /mnt/e/Github/flare-floss/floss/sigs/1_flare_msvc_rtf_32_64.sig
DEBUG: floss: found signature file: /mnt/e/Github/flare-floss/floss/sigs/2_flare_msvc_atlmfc_32_64.sig
DEBUG: floss: found signature file: /mnt/e/Github/flare-floss/floss/sigs/3_flare_common_libs.sig
DEBUG: viv_utils.flirt: perf: flirt: parsing .sig: /mnt/e/Github/flare-floss/floss/sigs/1_flare_msvc_rtf_32_64.sig: 0.55s
DEBUG: viv_utils.flirt: flirt: sig count: 210632
analyzing programDEBUG: viv_utils.flirt: perf: flirt: compiling sigs: 0.99s
DEBUG: viv_utils.flirt: registering viv function analyzer: FlirtFunctionAnalyzer (/mnt/e/Github/flare-floss/floss/sigs/1_flare_msvc_rtf_32_64.sig)
DEBUG: viv_utils.flirt: perf: flirt: parsing .sig: /mnt/e/Github/flare-floss/floss/sigs/2_flare_msvc_atlmfc_32_64.sig: 1.02s
. analyzing programDEBUG: viv_utils.flirt: flirt: sig count: 381783
DEBUG: viv_utils.flirt: perf: flirt: compiling sigs: 2.22s
DEBUG: viv_utils.flirt: registering viv function analyzer: FlirtFunctionAnalyzer (/mnt/e/Github/flare-floss/floss/sigs/2_flare_msvc_atlmfc_32_64.sig)
.. analyzing programDEBUG: viv_utils.flirt: perf: flirt: parsing .sig: /mnt/e/Github/flare-floss/floss/sigs/3_flare_common_libs.sig: 0.36s
DEBUG: viv_utils.flirt: flirt: sig count: 119337
DEBUG: viv_utils.flirt: perf: flirt: compiling sigs: 0.51s
... analyzing programDEBUG: viv_utils.flirt: registering viv function analyzer: FlirtFunctionAnalyzer (/mnt/e/Github/flare-floss/floss/sigs/3_flare_common_libs.sig)
.. analyzing programDEBUG: viv_utils.flirt: found library function: 0x402b00: ?
... analyzing programDEBUG: viv_utils.flirt: found library function: 0x4038e0: ?
. analyzing programDEBUG: viv_utils.flirt: found library function: 0x45f280: ?
.. analyzing programDEBUG: viv_utils.flirt: found library function: 0x45f6c0: ?
.. analyzing programDEBUG: floss: not saving workspace
DEBUG: floss: selected ALL functions
DEBUG: floss.identify: analyzed function 0x401000 - total score: 0.662
DEBUG: floss.identify: analyzed function 0x401060 - total score: 0.220
DEBUG: floss.identify: analyzed function 0x401080 - total score: 0.341
DEBUG: floss.identify: analyzed function 0x4010b0 - total score: 0.460
DEBUG: floss.identify: analyzed function 0x4010b6 - total score: 0.460
DEBUG: floss.identify: analyzed function 0x4010bc - total score: 0.460
DEBUG: floss.identify: analyzed function 0x4010c2 - total score: 0.460
DEBUG: floss.identify: analyzed function 0x4010c8 - total score: 0.460
DEBUG: floss.identify: analyzed function 0x4010ce - total score: 0.460
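
The debug line about language identification above describes a header-magic gate: FLOSS only attempts Go/.NET detection on a valid PE file, and an ELF input fails that check before any language logic runs. The following is an added example, not FLOSS's own code, that reproduces such a gate in Python: it classifies a buffer as PE, ELF or unknown from its magic bytes, only runs language identification on PE, and separately applies a hypothetical Go-marker heuristic for ELF inputs (looking for the `.go.buildinfo` section name and the `Go build ID:` note string that Go-built ELFs carry). The sample headers are constructed inline for illustration; the heuristic and the `classify` function are assumptions for this example and do not reflect how FLOSS itself identifies languages.

```python
import struct

# Header magics used to decide which analysis path a file takes.
ELF_MAGIC = b"\x7fELF"
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"

# Constructed marker strings that Go-built ELF binaries contain
# (section name and build-ID note); a heuristic, not FLOSS's own check.
GO_ELF_MARKERS = (b".go.buildinfo", b"Go build ID:")


def identify_format(data: bytes) -> str:
    """Return 'elf', 'pe' or 'unknown' from the file header.

    A PE file must start with the DOS stub magic 'MZ' and carry a valid
    e_lfanew (offset 0x3C) pointing at the 'PE\\0\\0' signature.
    """
    if data[:4] == ELF_MAGIC:
        return "elf"
    if data[:2] == DOS_MAGIC and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "pe"
    return "unknown"


def looks_like_go_elf(data: bytes) -> bool:
    """Hypothetical heuristic: any Go build marker present in an ELF image."""
    return identify_format(data) == "elf" and any(m in data for m in GO_ELF_MARKERS)


def classify(data: bytes) -> dict:
    """Apply the PE-only language gate and report what would be analyzed.

    Mirrors the behaviour visible in the debug log: language identification
    is only attempted for PE, so an ELF input is passed straight through to
    the generic (vivisect-style) analysis path without an error.
    """
    fmt = identify_format(data)
    return {
        "format": fmt,
        "language_checked": fmt == "pe",
        "go_markers_present": looks_like_go_elf(data),
        "reason": None if fmt == "pe" else "not a valid PE file: DOS header magic not found",
    }


# Constructed sample inputs (not real binaries): minimal headers plus markers.
SAMPLE_ELF = (
    ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9          # ELF64, little-endian ident
    + b"\x00" * 32                                      # padding standing in for the rest of the header
    + b"Go build ID: \"constructed\"\x00.go.buildinfo\x00"
)
SAMPLE_PE = (
    DOS_MAGIC + b"\x00" * (0x3C - 2)                    # DOS stub up to e_lfanew
    + struct.pack("<I", 0x40)                           # e_lfanew -> 0x40
    + PE_SIGNATURE + b"\x00" * 32                       # PE signature and padding
)
SAMPLE_UNKNOWN = b"\x00" * 64


if __name__ == "__main__":
    for name, sample in (("elf", SAMPLE_ELF), ("pe", SAMPLE_PE), ("unknown", SAMPLE_UNKNOWN)):
        print(name, classify(sample))
```

Run as a script it prints one classification per sample; the ELF sample shows `language_checked` false with Go markers present, which is exactly the situation in the report: the file is handed to generic analysis rather than rejected.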

mr-tz commented

Is that with your modifications to handle ELF or using a release/master code?

c-urly commented

Oh yes, this is after my ELF changes. My bad, I should've mentioned that.

mr-tz commented

When FLOSS supports ELFs, we would like vivisect analysis to decode obfuscated strings.