Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Adding ELF support for floss. #932

Closed
wants to merge 1 commit into from
Closed

Adding ELF support for floss. #932

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion floss/const.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
KILOBYTE = 1024
MEGABYTE = 1024 * KILOBYTE
MAX_FILE_SIZE = 16 * MEGABYTE
SUPPORTED_FILE_MAGIC = {b"MZ"}
SUPPORTED_FILE_MAGIC = {b"MZ",b"\x7fELF"}
MIN_STRING_LENGTH = 4
MAX_STRING_LENGTH = 2048

Expand Down
4 changes: 2 additions & 2 deletions floss/language/identify.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,11 +36,11 @@ def identify_language_and_version(sample: Path, static_strings: Iterable[StaticS
try:
pe = pefile.PE(str(sample))
except pefile.PEFormatError as err:
logger.debug(
logger.error(
f"FLOSS currently only detects if Windows PE files were written in Go or .NET. "
f"This is not a valid PE file: {err}"
)
return Language.UNKNOWN, VERSION_UNKNOWN_OR_NA
exit(err)

is_go, version = get_if_go_and_version(pe)
if is_go:
Expand Down
14 changes: 11 additions & 3 deletions floss/main.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -356,13 +356,20 @@ def is_supported_file_type(sample_file_path: Path):
:return: True if file type is supported, False otherwise
"""
with sample_file_path.open("rb") as f:
magic = f.read(2)
magic = f.read(4)

if magic in SUPPORTED_FILE_MAGIC:
return True
elif magic[:2] in SUPPORTED_FILE_MAGIC:
return True
else:
return False

def get_file_type(sample_file_path: Path):
with sample_file_path.open("rb") as f:
magic = f.read(4)

return magic

def load_vw(
sample_path: Path,
Expand All @@ -373,7 +380,7 @@ def load_vw(
if format not in ("sc32", "sc64"):
if not is_supported_file_type(sample_path):
raise WorkspaceLoadError(
"FLOSS currently supports the following formats for string decoding and stackstrings: PE\n"
"FLOSS currently supports the following formats for string decoding and stackstrings: PE, ELF\n"
"You can analyze shellcode using the --format sc32|sc64 switch. See the help (-h) for more information."
)

Expand All @@ -390,7 +397,8 @@ def load_vw(
else:
vw = viv_utils.getWorkspace(str(sample_path), analyze=False, should_save=False)

viv_utils.flirt.register_flirt_signature_analyzers(vw, list(map(str, sigpaths)))
if get_file_type(sample_path) != b'\x7fELF':
viv_utils.flirt.register_flirt_signature_analyzers(vw, list(map(str, sigpaths)))

vw.analyze()

Expand Down