FLASHMINGO - Automatic Analysis Of SWF Files Based On Some Heuristics


Automatic Analysis Of SWF Files Based On Some Heuristics. Extensible Via Plugins.

Install
Install the Python (2.7) packages listed in requirements.txt.
You can use the following command: pip install -r requirements.txt
If you want to use the decompilation functionality you need to install Jython. Ubuntu/Debian users can issue apt install jython
Clone the project or download the zip file.

What
FLASHMINGO is an analysis framework for SWF files. The tool automatically triages suspicious Flash files and guides the further analysis process, freeing precious resources in your team. You can easily incorporate FLASHMINGO's analysis modules into your workflow.

Why
To this day forensic investigators and malware analysts must deal with suspicious SWF files. If history repeats itself the security threat may even get bigger beyond Flash's end of life in 2020. Systems will continue to support a legacy file format that is not going to be updated with security patches anymore. Automation is the best way to deal with this issue and this is where FLASHMINGO can help you. FLASHMINGO is an analysis framework to automatically process SWF files that enables you to flag suspicious Flash samples and analyze them with minimal effort. It integrates into various analysis workflows as a stand-alone application or a powerful library. Users can easily extend the tool's functionality via custom Python plugins.

How

Architecture
FLASHMINGO is designed with simplicity in mind. It reads a SWF file and creates an object (SWFObject) representing its contents and structure. Afterwards FLASHMINGO runs a series of plugins acting on this SWFObject and returning their values to the main program.
Below, the mandatory ASCII art flow diagram:

                                                 +----------+
                                                 |          |
                       +------------+----------->+ PLUGIN 1 +------------+
                       |            |            |          |            |
                       |            |            +----------+            |
                       |            |                                    |
                       |            |            +----------+            |
                       |            |            |          |            |
+---------+            |            +----------->+ PLUGIN 2 +--------+   |
|SWF FILE +----------->+ FLASHMINGO |            |          |        |   |
+---------+            |            |            +----------+        |   |
                       |            |                                |   |
                       |            |                                |   |
                       |            |                                |   |
                       |            |                          +-----v---v-+
                       |            |                          |           |
                       |            |                          |           |
                       +-----+------+------------------------->+ SWFOBJECT |
                             ^                                 |           |
                             |                                 |           |
                             |                                 +-----+-----+
                             |                                       |
                             |                                       |
                             |                                       |
                             +---------------------------------------+
When using FLASHMINGO as a library in your own projects, you just need to take care of two kinds of objects:
  • one or many SWFObject(s), representing the sample(s)
  • a Flashmingo object. This acts essentially as a harness connecting plugins and SWFObject(s).

Plugins!
FLASHMINGO plugins are stored in their own directories under... you guessed it: plugins. When a Flashmingo object is instantiated, it goes through this directory and processes all plugins' manifests. Should a manifest indicate that the plugin is active, the plugin is registered for later use. At the code level, this means that a small plugin_info dictionary is added to the plugins list.
Plugins are invoked via the run_plugin API with two arguments:
  • the plugin's name
  • the SWFObject instance
Optionally, most of the plugins allow you to pass your own user data. This is plugin dependent (read the documentation) and it is more easily explained with an example. The default plugin SuspiciousNames will search all constant pools for strings containing suspicious substrings (for example: 'overflow', 'spray', 'shell', etc.). There is a list of common substrings already hard-coded in the plugin so that it can be used as-is. However, you may pass a list of your own substrings, in this case via the names parameter.
Code example:
# swf: a SWFObject built from the sample under analysis
fm = Flashmingo()
print(fm.run_plugin('DangerousAPIs', swf=swf))
print(fm.run_plugin('SuspiciousNames', swf=swf, names=['spooky']))

Default plugins
FLASHMINGO ships with some useful plugins out of the box:
  • binary_data
  • dangerous_apis
  • decompiler
  • suspicious_constants
  • suspicious_loops
  • suspicious_names
  • template :)

Extending FLASHMINGO
A template plugin is provided for easy development. Extending FLASHMINGO is rather straightforward. Follow these simple steps:
  • Copy the template
  • Edit the manifest
  • Override the run method
  • Add your custom code
You are ready to go :)
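To show how the plugin mechanism described above fits together (manifest-driven registration, run_plugin dispatch, a run method that accepts user data such as the names parameter), here is an added, self-contained Python mock-up. It is not FLASHMINGO's own code: FakeSWFObject, the manifest dictionary shape, DEFAULT_NAMES and the sample strings are all constructed assumptions.

```python
# Constructed stand-in for FLASHMINGO's SWFObject: a list of constant pools,
# one per DoABC tag, each holding the strings found in the sample.
class FakeSWFObject(object):
    def __init__(self, constant_pools):
        self.constant_pools = constant_pools

# Assumed default substring list; the real plugin ships its own hard-coded list.
DEFAULT_NAMES = ['overflow', 'spray', 'shell', 'payload', 'heap']

class SuspiciousNames(object):
    """Plugin body: the 'run' method the template asks you to override."""
    def run(self, swf, names=None):
        # Caller-supplied 'names' replaces the built-in list, as in the README.
        needles = [n.lower() for n in (names or DEFAULT_NAMES)]
        hits = []
        for pool_idx, pool in enumerate(swf.constant_pools):
            for s in pool:
                matched = [n for n in needles if n in s.lower()]
                if matched:
                    hits.append({'pool': pool_idx, 'string': s, 'matched': matched})
        return hits

class Flashmingo(object):
    """Harness: keeps one plugin_info dict per active manifest, dispatches run_plugin."""
    def __init__(self, manifests):
        self.plugins = []
        for m in manifests:
            if m.get('active', False):
                self.plugins.append({'name': m['name'], 'cls': m['cls']})

    def run_plugin(self, name, swf, **user_data):
        for plugin_info in self.plugins:
            if plugin_info['name'] == name:
                return plugin_info['cls']().run(swf, **user_data)
        raise KeyError('plugin not registered or inactive: %s' % name)

# Constructed manifests (assumed shape) and a constructed sample.
MANIFESTS = [
    {'name': 'SuspiciousNames', 'active': True, 'cls': SuspiciousNames},
    {'name': 'Template', 'active': False, 'cls': SuspiciousNames},
]
SAMPLE = FakeSWFObject([
    ['flash.display.Sprite', 'addChild', 'heapSpray', 'makeShellcode'],
    ['getTimer', 'Spooky_loader', 'ByteArray'],
])

def demo(names=None):
    # Run SuspiciousNames over SAMPLE with the default or a user-supplied list.
    fm = Flashmingo(MANIFESTS)
    return fm.run_plugin('SuspiciousNames', swf=SAMPLE, names=names)
```

Calling demo() flags 'heapSpray' and 'makeShellcode' from the built-in list, while demo(names=['spooky']) flags only 'Spooky_loader'; the inactive Template plugin is never registered, so run_plugin raises KeyError for it.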

FLASHMINGO as a library

API
  • See the docs directory for autogenerated documentation
  • See FireEye's blog post for an example

Front-ends
  • Console

Create Documentation
$ pip install sphinxcontrib-napoleon
After setting up Sphinx to build your docs, enable napoleon in the Sphinx conf.py file:
In conf.py, add napoleon to the extensions list
extensions = ['sphinxcontrib.napoleon']
Use sphinx-apidoc to build your API documentation:
$ sphinx-apidoc -f -o docs/source projectdir
This creates .rst files for Sphinx to process
$ make html
That's it! :)