Fnord : Pattern Extractor for Obfuscated Code

Fnord is a pattern extractor for obfuscated code. It has two main functions:

  • Extract byte sequences and create some statistics
  • Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule.

Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40).

For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table.

Each line in the table contains:

  • Length
  • Number of occurrences
  • Sequence (string)
  • Formatted (ascii/wide/hex)
  • Hex encoded form
  • Entropy

Also Read : ProcDump : A Linux Version of the ProcDump Sysinternals Tool

Usage

usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
[-e min-entropy] [–strings] [–include-padding] [–debug]
[–noyara] [-s similarity] [-k keywords-multiplier]
[-r structure-multiplier] [-c count-limiter] [–yara-exact]
[–yara-strings max] [–show-score] [–show-count]
[–author author]

Fnord – Pattern Extractor for Obfuscated Code
optional arguments:
-h, –help show this help message and exit
-f file File to process
-m min Minimum sequence length
-x max Maximum sequence length
-t top Number of items in the Top x list
-n min-occ Minimum number of occurrences to show
-e min-entropy Minimum entropy
–strings Show strings only
–include-padding Include 0x00 and 0x20 in the extracted strings
–debug Debug output

YARA Rule Creation:
–noyara Do not generate an experimental YARA rule
-s similarity Allowed similarity (use values between 0.1=low and
10=high, default=1.5)
-k keywords-multiplier
Keywords multiplier (multiplies score of sequences if
keyword is found) (best use values between 1 and 5,
default=2.0)
-r structure-multiplier
Structure multiplier (multiplies score of sequences if
it is identified as code structure and not payload)
(best use values between 1 and 5, default=2.0)
-c count-limiter Count limiter (limts the impact of the count by
capping it at a certain amount) (best use values
between 5 and 100, default=20)
–yara-exact Add magic header and magic footer limitations to the
rule
–yara-strings max Maximum sequence length
–show-score Show score in comments of YARA rules
–show-count Show count in sample in comments of YARA rules
–author author YARA rule author

Getting Started

git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
pip3 install -r ./requirements.txt
python3 ./fnord.py –help

Examples

python3 fnord.py -f ./test/wraeop.sct –yara-strings 10
python3 fnord.py -f ./test/vbs.txt –show-score –show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt –show-score –show-count -t 1 –yara-strings 4 –yara-exact

Screenshots

R K

Recent Posts

Install Python 3.7 on Ubuntu 18.04: apt and Source Build Methods

Python 3.7 was a significant release for the language. It introduced data classes, a decorator that automatically…

5 hours ago

Install Odoo 13 on Ubuntu 18.04: Python Venv and Nginx Guide

Odoo is a popular open-source suite of business applications. A single platform covers CRM, e-commerce, accounting,…

5 hours ago

Secure Apache with Let’s Encrypt on Ubuntu 18.04: Free SSL Guide

Let's Encrypt is a free, automated certificate authority run by the Internet Security Research Group…

5 hours ago

Install GCC on Ubuntu 18.04: C and C++ Compiler Setup Guide

GCC (GNU Compiler Collection) is a set of compilers and development libraries for C, C++, Fortran,…

6 hours ago

Install Python 3.8 on Ubuntu 18.04: apt and Source Build Methods

Python is one of the most widely used programming languages in the world. Its clean, readable…

6 hours ago

Install Tomcat 9 on Ubuntu 18.04: Systemd Service Setup Guide

Apache Tomcat is an open-source Java application server that implements the Java Servlet, JavaServer Pages, and…

1 day ago