Fnord : Pattern Extractor for Obfuscated Code

Fnord is a pattern extractor for obfuscated code. It has two main functions:

  • Extract byte sequences and create some statistics
  • Use these statistics, combine length, number of occurrences, similarity and keywords to create a YARA rule.

Fnord processes the file with a sliding window of varying size to extract all sequences of with a minimum length -m X (default: 4) up to a maximum length -x X (default: 40).

For each length, Fnord will present the most frequently occurring sequences -t X (default: 3) in a table.

Each line in the table contains:

  • Length
  • Number of occurrences
  • Sequence (string)
  • Formatted (ascii/wide/hex)
  • Hex encoded form
  • Entropy

Also Read : ProcDump : A Linux Version of the ProcDump Sysinternals Tool

Usage

usage: fnord.py [-h] [-f file] [-m min] [-x max] [-t top] [-n min-occ]
[-e min-entropy] [–strings] [–include-padding] [–debug]
[–noyara] [-s similarity] [-k keywords-multiplier]
[-r structure-multiplier] [-c count-limiter] [–yara-exact]
[–yara-strings max] [–show-score] [–show-count]
[–author author]

Fnord – Pattern Extractor for Obfuscated Code
optional arguments:
-h, –help show this help message and exit
-f file File to process
-m min Minimum sequence length
-x max Maximum sequence length
-t top Number of items in the Top x list
-n min-occ Minimum number of occurrences to show
-e min-entropy Minimum entropy
–strings Show strings only
–include-padding Include 0x00 and 0x20 in the extracted strings
–debug Debug output

YARA Rule Creation:
–noyara Do not generate an experimental YARA rule
-s similarity Allowed similarity (use values between 0.1=low and
10=high, default=1.5)
-k keywords-multiplier
Keywords multiplier (multiplies score of sequences if
keyword is found) (best use values between 1 and 5,
default=2.0)
-r structure-multiplier
Structure multiplier (multiplies score of sequences if
it is identified as code structure and not payload)
(best use values between 1 and 5, default=2.0)
-c count-limiter Count limiter (limts the impact of the count by
capping it at a certain amount) (best use values
between 5 and 100, default=20)
–yara-exact Add magic header and magic footer limitations to the
rule
–yara-strings max Maximum sequence length
–show-score Show score in comments of YARA rules
–show-count Show count in sample in comments of YARA rules
–author author YARA rule author

Getting Started

git clone https://github.com/Neo23x0/Fnord.git and cd Fnord
pip3 install -r ./requirements.txt
python3 ./fnord.py –help

Examples

python3 fnord.py -f ./test/wraeop.sct –yara-strings 10
python3 fnord.py -f ./test/vbs.txt –show-score –show-count -t 1 -x 20
python3 fnord.py -f ./test/inv-obf.txt –show-score –show-count -t 1 –yara-strings 4 –yara-exact

Screenshots

R K

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

3 days ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

3 days ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

4 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

1 week ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago