FLASHMINGO - Automatic Analysis of SWF Files Based on Some Heuristics
Automatic analysis of SWF files based on some heuristics. Extensible via plugins.
Install
Install the Python (2.7) packages listed in requirements.txt. You can use the following command:
pip install -r requirements.txt
If you want to use the decompilation functionality you need to install Jython. Ubuntu/Debian users can issue:
apt install jython
Clone the project or download the zip file.
What
FLASHMINGO is an analysis framework for SWF files. The tool automatically triages suspicious Flash files and guides the further analysis process, freeing precious resources in your team. You can easily incorporate FLASHMINGO's analysis modules into your workflow.
Why
To this day forensic investigators and malware analysts must deal with suspicious SWF files. If history repeats itself the security threat may even get bigger beyond Flash's end of life in 2020. Systems will continue to support a legacy file format that is not going to be updated with security patches anymore. Automation is the best way to deal with this issue and this is where FLASHMINGO can help you. FLASHMINGO is an analysis framework to automatically process SWF files that enables you to flag suspicious Flash samples and analyze them with minimal effort. It integrates into various analysis workflows as a stand-alone application or a powerful library. Users can easily extend the tool's functionality via custom Python plugins.
How
Architecture
FLASHMINGO is designed with simplicity in mind. It reads a SWF file and creates an object (SWFObject) representing its contents and structure. Afterwards FLASHMINGO runs a series of plugins acting on this SWFObject and returning their values to the main program. Below a mandatory ASCII art flow diagram:

+----------+      +------------+   run / results    +----------+
| SWF FILE +----->+ FLASHMINGO +<------------------>+ PLUGIN 1 +---+
+----------+      +-----+------+<------------------>+ PLUGIN 2 +-+ |
                        |          run / results    +----------+ | |
                        | creates                                | |
                        v                                        | |
                  +-----------+                                  | |
                  | SWFOBJECT |<---------------------------------+-+
                  +-----------+   plugins act on the SWFObject
When using FLASHMINGO as a library in your own projects, you only need to take care of two kinds of objects:
- one or many SWFObject(s), representing the sample(s)
- a Flashmingo object. This acts essentially as a harness connecting plugins and SWFObject(s).
Plugins!
FLASHMINGO plugins are stored in their own directories under... you guessed it: plugins
When a Flashmingo object is instantiated, it goes through this directory and processes all plugins' manifests. Should a manifest indicate that the plugin is active, the plugin is registered for later use. At the code level, this means that a small plugin_info dictionary is added to the plugins list.
Plugins are invoked via the run_plugin API with two arguments:
- the plugin's name
- the SWFObject instance
Additional arguments can be passed as keyword arguments. For example, the SuspiciousNames plugin will search all constant pools for strings containing suspicious substrings (for example: 'overflow', 'spray', 'shell', etc.). There is a list of common substrings already hard-coded in the plugin so that it can be used as-is. However, you may pass a list of your own defined substrings, in this case via the names parameter.
Code example:
fm = Flashmingo()
# swf is the SWFObject built from the sample under analysis (see Architecture above)
print fm.run_plugin('DangerousAPIs', swf=swf)
print fm.run_plugin('SuspiciousNames', swf=swf, names=['spooky'])
Default plugins
FLASHMINGO ships with some useful plugins out of the box:
- binary_data
- dangerous_apis
- decompiler
- suspicious_constants
- suspicious_loops
- suspicious_names
- template :)
Extending FLASHMINGO
A template plugin is provided for easy development. Extending FLASHMINGO is rather straightforward. Follow these simple steps:
- Copy the template
- Edit the manifest
- Override the run method
- Add your custom code
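The plugin flow described in the "Plugins!" section and the four "Extending FLASHMINGO" steps above, as an added, self-contained example. This is not FLASHMINGO's own code: it is a miniature harness in the same shape (manifests are read, active plugins are registered as plugin_info dictionaries, run_plugin(name, swf, **kwargs) dispatches to a plugin's run method) so the mechanics can be run without the project installed. FakeSWFObject, TemplatePlugin, SuspiciousNames, LongStrings, MiniFlashmingo, triage, the manifest keys and the default substrings beyond 'overflow', 'spray' and 'shell' are all assumptions, and the constant pools are constructed, not parsed from a real SWF.

```python
# Added example (not FLASHMINGO's own code): a miniature plugin harness that
# mirrors the README's description. All class/function names are assumptions.

DEFAULT_SUSPICIOUS = ['overflow', 'spray', 'shell',   # substrings named in the README
                      'exploit', 'payload', 'heap']   # assumed additions


class FakeSWFObject(object):
    """Stand-in for SWFObject carrying only what these plugins need:
    a list of constant pools (lists of strings). Constructed, not parsed."""

    def __init__(self, constant_pools):
        self.constant_pools = constant_pools


class TemplatePlugin(object):
    """The 'template' plugin: copy it, edit the manifest, override run()."""
    manifest = {'name': 'Template', 'active': False}   # inactive: never registered

    def __init__(self, swf, **kwargs):
        self.swf = swf
        self.kwargs = kwargs          # extra run_plugin() keyword arguments

    def run(self):
        raise NotImplementedError('override run() in your plugin')


class SuspiciousNames(TemplatePlugin):
    """Flag constant-pool strings containing suspicious substrings.
    Uses DEFAULT_SUSPICIOUS unless a 'names' keyword argument is given."""
    manifest = {'name': 'SuspiciousNames', 'active': True}

    def run(self):
        names = [n.lower() for n in self.kwargs.get('names', DEFAULT_SUSPICIOUS)]
        hits = []
        for pool_idx, pool in enumerate(self.swf.constant_pools):
            for s in pool:
                matched = [n for n in names if n in s.lower()]
                if matched:
                    hits.append((pool_idx, s, matched))
        return hits


class LongStrings(TemplatePlugin):
    """A custom plugin written by following the 'Extending FLASHMINGO' steps:
    flag unusually long constant-pool strings (spray blobs are often stored
    this way). The 256-byte default is assumed; override it via 'min_len'."""
    manifest = {'name': 'LongStrings', 'active': True}

    def run(self):
        min_len = self.kwargs.get('min_len', 256)
        return [(i, len(s)) for i, pool in enumerate(self.swf.constant_pools)
                for s in pool if len(s) >= min_len]


class MiniFlashmingo(object):
    """Harness: reads each plugin's manifest and registers the active ones
    as small plugin_info dictionaries in the plugins list."""

    def __init__(self, plugin_classes):
        self.plugins = []
        for cls in plugin_classes:
            plugin_info = dict(cls.manifest)
            if not plugin_info.get('active', False):
                continue                       # manifest says inactive: skip
            plugin_info['cls'] = cls
            self.plugins.append(plugin_info)

    def plugin_names(self):
        return [p['name'] for p in self.plugins]

    def run_plugin(self, name, swf, **kwargs):
        for plugin_info in self.plugins:
            if plugin_info['name'] == name:
                return plugin_info['cls'](swf, **kwargs).run()
        raise KeyError('no active plugin named {!r}'.format(name))


# Constructed sample: two constant pools, the second looking like an exploit.
SAMPLE_POOLS = [
    ['flash.display.Sprite', 'addChild', 'onEnterFrame'],
    ['doSpray', 'ShellcodeLoader', 'overflowMe', '%u0c0c%u0c0c' * 40],
]


def triage(pools, extra_names=None):
    """Run every registered plugin over a sample; return {plugin: result}."""
    fm = MiniFlashmingo([TemplatePlugin, SuspiciousNames, LongStrings])
    swf = FakeSWFObject(pools)
    report = {}
    for name in fm.plugin_names():
        kwargs = {}
        if name == 'SuspiciousNames' and extra_names:
            kwargs['names'] = extra_names      # same idea as names=['spooky']
        report[name] = fm.run_plugin(name, swf, **kwargs)
    return report


if __name__ == '__main__':
    for plugin, result in sorted(triage(SAMPLE_POOLS).items()):
        print('{}: {}'.format(plugin, result))
```

Running the file reports three SuspiciousNames hits from the second pool (doSpray, ShellcodeLoader, overflowMe) and one LongStrings hit for the 480-character spray string; passing extra_names=['spooky'] replaces the default list and yields no name hits, just as the README's names=['spooky'] call would.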
FLASHMINGO equally a library
API
- See the docs directory for autogenerated documentation
- See FireEye's blog post for an example
Front-ends
- Console
Create Documentation
$ pip install sphinxcontrib-napoleon
After setting up Sphinx to build your docs, enable napoleon in the Sphinx conf.py file. In conf.py, add napoleon to the extensions list:
extensions = ['sphinxcontrib.napoleon']
Use sphinx-apidoc to build your API documentation:
$ sphinx-apidoc -f -o docs/source projectdir
This creates .rst files for Sphinx to process:
$ make html
That's it! :)