Fnord : Pattern Extractor for Obfuscated Code

Fnord is a pattern extractor for obfuscated code. It has two main functions:

  • Extract byte sequences from a file and compute statistics on them
  • Use these statistics, combining length, number of occurrences, similarity and keywords, to create a YARA rule.

Fnord processes the file with a sliding window of varying size to extract all byte sequences with a minimum length of -m X (default: 4) up to a maximum length of -x X (default: 40).

For each length, Fnord presents the most frequently occurring sequences in a table; -t X (default: 3) sets how many entries per length are shown.

Each line in the table contains:

  • Length
  • Number of occurrences
  • Sequence (string)
  • Formatted (ascii/wide/hex)
  • Hex encoded form
  • Entropy
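The extraction step described above, as an added example that is not Fnord's own code: a minimal sliding-window extractor in Python that counts every byte sequence of each length between the minimum and maximum, keeps the ones occurring at least min_occ times, and fills the six table columns for the top entries per length. The function names, the padding rule (windows that begin or end with 0x00/0x20 are skipped unless include_padding is set) and the sample input are assumptions of this example, not Fnord's actual behaviour.

```python
import math
from collections import Counter

# Constructed sample input (not a real malware sample): an obfuscated-script-like
# byte string with repeated building blocks, which is exactly what the sliding
# window is meant to surface.
SAMPLE = b'var a="ZnVu";var b="ZnVu";eval(a+b);eval(a+b);'

PADDING = (b'\x00', b' ')


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a run of one value, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_sequences(data: bytes, min_len: int = 4, max_len: int = 40,
                      min_occ: int = 2, include_padding: bool = False) -> dict:
    """Slide a window of every length in [min_len, max_len] over data and count
    how often each byte sequence occurs. Returns {length: Counter} with only
    the sequences seen at least min_occ times (the -n option)."""
    stats = {}
    for length in range(min_len, min(max_len, len(data)) + 1):
        counter = Counter()
        for i in range(len(data) - length + 1):
            seq = data[i:i + length]
            # Assumption of this example: without include_padding, windows that
            # begin or end with 0x00/0x20 are skipped so that padding does not
            # produce thousands of near-duplicate sequences.
            if not include_padding and (seq.startswith(PADDING) or seq.endswith(PADDING)):
                continue
            counter[seq] += 1
        kept = Counter({s: c for s, c in counter.items() if c >= min_occ})
        if kept:
            stats[length] = kept
    return stats


def format_sequence(seq: bytes):
    """Classify the sequence the way the table does: ascii, wide (UTF-16LE) or hex."""
    if all(0x20 <= b < 0x7f for b in seq):
        return 'ascii', seq.decode('ascii')
    if len(seq) >= 2 and len(seq) % 2 == 0 and all(
            0x20 <= seq[i] < 0x7f and seq[i + 1] == 0 for i in range(0, len(seq), 2)):
        return 'wide', seq.decode('utf-16le')
    return 'hex', seq.hex()


def top_table(stats: dict, top: int = 3) -> list:
    """One row per (length, sequence) with the six columns listed above."""
    rows = []
    for length in sorted(stats):
        for seq, count in stats[length].most_common(top):
            kind, shown = format_sequence(seq)
            rows.append({'length': length, 'count': count, 'sequence': shown,
                         'formatted': kind, 'hex': seq.hex(),
                         'entropy': round(shannon_entropy(seq), 3)})
    return rows


if __name__ == '__main__':
    table = top_table(extract_sequences(SAMPLE, min_len=4, max_len=12), top=2)
    print(f"{'len':>3} {'occ':>3} {'fmt':<5} {'entropy':>7}  sequence")
    for r in table:
        print(f"{r['length']:>3} {r['count']:>3} {r['formatted']:<5} "
              f"{r['entropy']:>7}  {r['sequence']}")
```

Run it as a script to see the table for the constructed sample; note that the work is quadratic in the window range, which is why the real tool caps the maximum length and why the padding rule matters on files full of 0x00 or 0x20.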


Usage

usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
[-e min-entropy] [--strings] [--include-padding] [--debug]
[--noyara] [-s similarity] [-k keywords-multiplier]
[-r structure-multiplier] [-c count-limiter] [--yara-exact]
[--yara-strings max] [--show-score] [--show-count]
[--author author]

Fnord – Pattern Extractor for Obfuscated Code
optional arguments:
-h, --help show this help message and exit
-f file File to process
-m min Minimum sequence length
-x max Maximum sequence length
-t top Number of items in the Top x list
-n min-occ Minimum number of occurrences to show
-e min-entropy Minimum entropy
--strings Show strings only
--include-padding Include 0x00 and 0x20 in the extracted strings
--debug Debug output

YARA Rule Creation:
--noyara Do not generate an experimental YARA rule
-s similarity Allowed similarity (use values between 0.1=low and
10=high, default=1.5)
-k keywords-multiplier
Keywords multiplier (multiplies score of sequences if
keyword is found) (best use values between 1 and 5,
default=2.0)
-r structure-multiplier
Structure multiplier (multiplies score of sequences if
it is identified as code structure and not payload)
(best use values between 1 and 5, default=2.0)
-c count-limiter Count limiter (limits the impact of the count by
capping it at a certain amount) (best use values
between 5 and 100, default=20)
--yara-exact Add magic header and magic footer limitations to the
rule
--yara-strings max Maximum number of sequences included as strings in the rule
--show-score Show score in comments of YARA rules
--show-count Show count in sample in comments of YARA rules
--author author YARA rule author
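The rule-creation options above, as an added example (not Fnord's code) of how such a scorer and YARA generator fit together in Python: the score multiplies sequence length by the occurrence count capped at count_limiter (-c) and by keywords_multiplier (-k) when a keyword is present; a minimum entropy (-e) drops padding runs; a crude containment check stands in for the similarity filter (-s); and exact=True pins the first and last four bytes of the sample the way a magic header/footer limitation would. The scoring formula, keyword list, similarity test, the candidate list and the sample file are assumptions of this example, not Fnord's actual implementation; the structure multiplier (-r) is not modelled.

```python
import math
from collections import Counter

# Constructed input (not real Fnord output): (sequence, count) pairs such as a
# sliding-window extractor would produce for an obfuscated script.
CANDIDATES = [
    (b'String.fromCharCode(', 6),
    (b'fromCharCode(', 6),        # contained in the sequence above
    (b'eval(', 4),
    (b'ZnVuY3Rpb24', 2),
    (b'\x00\x00\x00\x00', 120),   # padding run: huge count, zero entropy
    (b'unescape("%', 3),
]

# Constructed sample file the rule is generated for (not a real sample).
SAMPLE_FILE = b'eval(String.fromCharCode(0x65));\n'

# Assumed keyword list for this example (Fnord ships its own), lower-cased.
KEYWORDS = (b'eval', b'fromcharcode', b'unescape', b'wscript', b'powershell')


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def score(seq: bytes, count: int, keywords_multiplier: float = 2.0,
          count_limiter: int = 20) -> float:
    """Assumed scoring: length times the capped count, boosted by a keyword hit.
    The cap is what -c is for: a 120x padding run must not dominate the rule."""
    s = len(seq) * min(count, count_limiter)
    if any(k in seq.lower() for k in KEYWORDS):
        s *= keywords_multiplier
    return float(s)


def similar(a: bytes, b: bytes) -> bool:
    """Crude stand-in for the similarity filter: one sequence contains the other."""
    return a in b or b in a


def select_strings(cands, max_strings=3, min_entropy=1.0, **score_kw):
    """Rank by score, drop low-entropy and near-duplicate sequences,
    keep at most max_strings (the --yara-strings limit)."""
    ranked = sorted(cands, key=lambda sc: score(sc[0], sc[1], **score_kw), reverse=True)
    chosen = []
    for seq, count in ranked:
        if shannon_entropy(seq) < min_entropy:
            continue
        if any(similar(seq, c) for c, _ in chosen):
            continue
        chosen.append((seq, count))
        if len(chosen) == max_strings:
            break
    return chosen


def yara_string(seq: bytes) -> str:
    """Text string with YARA escaping when printable, otherwise a hex string."""
    if all(0x20 <= b < 0x7f for b in seq):
        text = seq.decode('ascii').replace('\\', '\\\\').replace('"', '\\"')
        return f'"{text}" ascii'
    return '{ ' + ' '.join(f'{b:02X}' for b in seq) + ' }'


def build_rule(name, data, chosen, exact=False, author='unknown',
               show_score=True, min_strings=2, **score_kw):
    """Emit a YARA rule. exact=True pins the first and last four bytes of
    data (this example's reading of a magic header/footer limitation)."""
    lines = [f'rule {name} {{', '   meta:', f'      author = "{author}"', '   strings:']
    for i, (seq, count) in enumerate(chosen, 1):
        comment = (f'  // count: {count}, score: {score(seq, count, **score_kw):.1f}'
                   if show_score else '')
        lines.append(f'      $s{i} = {yara_string(seq)}{comment}')
    conds = []
    if exact and len(data) >= 8:
        conds.append(f'uint32be(0) == 0x{data[:4].hex().upper()}')
        conds.append(f'uint32be(filesize - 4) == 0x{data[-4:].hex().upper()}')
    conds.append(f'{min(min_strings, len(chosen))} of them')
    lines += ['   condition:', '      ' + ' and '.join(conds), '}']
    return '\n'.join(lines)


if __name__ == '__main__':
    print(build_rule('fnord_example', SAMPLE_FILE, select_strings(CANDIDATES),
                     exact=True, author='analyst'))
```

Running the script shows the effect of each knob: the null-byte run has the highest raw count but is filtered by entropy, fromCharCode( is absorbed by the longer String.fromCharCode(, and the exact header/footer conditions make the rule match only files that start and end like the sample, which is why that option is a trade-off between precision and coverage.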

Getting Started

git clone https://github.com/Neo23x0/Fnord.git
cd Fnord
pip3 install -r ./requirements.txt
python3 ./fnord.py --help

Examples

python3 fnord.py -f ./test/wraeop.sct --yara-strings 10
python3 fnord.py -f ./test/vbs.txt --show-score --show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt --show-score --show-count -t 1 --yara-strings 4 --yara-exact
