Fnord is a pattern extractor for obfuscated code. It has two main functions:
Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40).
For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table.
Each line in the table contains:
Also Read : ProcDump : A Linux Version of the ProcDump Sysinternals Tool
Usage
usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
[-e min-entropy] [–strings] [–include-padding] [–debug]
[–noyara] [-s similarity] [-k keywords-multiplier]
[-r structure-multiplier] [-c count-limiter] [–yara-exact]
[–yara-strings max] [–show-score] [–show-count]
[–author author]
Fnord – Pattern Extractor for Obfuscated Code
optional arguments:
-h, –help show this help message and exit
-f file File to process
-m min Minimum sequence length
-x max Maximum sequence length
-t top Number of items in the Top x list
-n min-occ Minimum number of occurrences to show
-e min-entropy Minimum entropy
–strings Show strings only
–include-padding Include 0x00 and 0x20 in the extracted strings
–debug Debug output
YARA Rule Creation:
–noyara Do not generate an experimental YARA rule
-s similarity Allowed similarity (use values between 0.1=low and
10=high, default=1.5)
-k keywords-multiplier
Keywords multiplier (multiplies score of sequences if
keyword is found) (best use values between 1 and 5,
default=2.0)
-r structure-multiplier
Structure multiplier (multiplies score of sequences if
it is identified as code structure and not payload)
(best use values between 1 and 5, default=2.0)
-c count-limiter Count limiter (limts the impact of the count by
capping it at a certain amount) (best use values
between 5 and 100, default=20)
–yara-exact Add magic header and magic footer limitations to the
rule
–yara-strings max Maximum sequence length
–show-score Show score in comments of YARA rules
–show-count Show count in sample in comments of YARA rules
–author author YARA rule author
Getting Started
git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
pip3 install -r ./requirements.txt
python3 ./fnord.py –help
Examples
python3 fnord.py -f ./test/wraeop.sct –yara-strings 10
python3 fnord.py -f ./test/vbs.txt –show-score –show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt –show-score –show-count -t 1 –yara-strings 4 –yara-exact
Screenshots
Python 3.7 was a significant release for the language. It introduced data classes, a decorator that automatically…
Odoo is a popular open-source suite of business applications. A single platform covers CRM, e-commerce, accounting,…
Let's Encrypt is a free, automated certificate authority run by the Internet Security Research Group…
GCC (GNU Compiler Collection) is a set of compilers and development libraries for C, C++, Fortran,…
Python is one of the most widely used programming languages in the world. Its clean, readable…
Apache Tomcat is an open-source Java application server that implements the Java Servlet, JavaServer Pages, and…