vmray: remove FP strings from call arguments extractor #2432
Comments
@mike-hunhoff if you have some insight we may also close this before the next release
edit: also @williballenthin for awareness :)
I'm not sure what we can do besides going beyond the context that VMRay provides (e.g. basing capa's parsing on the corresponding API(s)) but that walks us towards OS/Arch/etc. dependency that we should avoid if possible. It also looks like the output that you linked is missing some arguments. Can you provide the input archive (PM me if internal)?
maybe limit to
see for example
examples we can remove filtering by
93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795_min_archive.zip
¤ÿÿÀÅ¥
¢ÿÿÀÅ¥
$ÿÿÀÅ¥
£ÿÿÀÅ¥
¥ÿÿÀÅ¥
0ÿÿÀÅ¥
½ÿÿÀÅ¥
¼ÿÿÀÅ¥
1ÿÿÀÅ¥
¹ÿÿÀÅ¥
2ÿÿÀÅ¥
²ÿÿÀÅ¥
¾ÿÿÀÅ¥
3ÿÿÀÅ¥
³ÿÿÀÅ¥
4ÿÿÀÅ¥
5ÿÿÀÅ¥
6ÿÿÀÅ¥
7ÿÿÀÅ¥
8ÿÿÀÅ¥
9ÿÿÀÅ¥
æÿÿÀÅ¥
ÆÿÿÀÅ¥
aÿÿÀÅ¥
AÿÿÀÅ¥
ªÿÿÀÅ¥
áÿÿÀÅ¥
ÁÿÿÀÅ¥
àÿÿÀÅ¥
ÀÿÿÀÅ¥
âÿÿÀÅ¥
ÂÿÿÀÅ¥
åÿÿÀÅ¥
ÅÿÿÀÅ¥
äÿÿÀÅ¥
ÄÿÿÀÅ¥
ãÿÿÀÅ¥
ÃÿÿÀÅ¥
bÿÿÀÅ¥
BÿÿÀÅ¥
cÿÿÀÅ¥
CÿÿÀÅ¥
çÿÿÀÅ¥
ÇÿÿÀÅ¥
dÿÿÀÅ¥
DÿÿÀÅ¥
ðÿÿÀÅ¥
ÐÿÿÀÅ¥
eÿÿÀÅ¥
EÿÿÀÅ¥
éÿÿÀÅ¥
ÉÿÿÀÅ¥
èÿÿÀÅ¥
ÈÿÿÀÅ¥
êÿÿÀÅ¥
ÊÿÿÀÅ¥
ëÿÿÀÅ¥
ËÿÿÀÅ¥
fÿÿÀÅ¥
FÿÿÀÅ¥
gÿÿÀÅ¥
GÿÿÀÅ¥
hÿÿÀÅ¥
HÿÿÀÅ¥
iÿÿÀÅ¥
IÿÿÀÅ¥
íÿÿÀÅ¥
ÍÿÿÀÅ¥
ìÿÿÀÅ¥
ÌÿÿÀÅ¥
îÿÿÀÅ¥
ÎÿÿÀÅ¥
ïÿÿÀÅ¥
ÏÿÿÀÅ¥
jÿÿÀÅ¥
JÿÿÀÅ¥
kÿÿÀÅ¥
KÿÿÀÅ¥
lÿÿÀÅ¥
LÿÿÀÅ¥
mÿÿÀÅ¥
MÿÿÀÅ¥
nÿÿÀÅ¥
NÿÿÀÅ¥
ñÿÿÀÅ¥
ÑÿÿÀÅ¥
oÿÿÀÅ¥
OÿÿÀÅ¥
ºÿÿÀÅ¥
óÿÿÀÅ¥
ÓÿÿÀÅ¥
òÿÿÀÅ¥
ÒÿÿÀÅ¥
ôÿÿÀÅ¥
ÔÿÿÀÅ¥
öÿÿÀÅ¥
ÖÿÿÀÅ¥
õÿÿÀÅ¥
ÕÿÿÀÅ¥
øÿÿÀÅ¥
ØÿÿÀÅ¥
pÿÿÀÅ¥
PÿÿÀÅ¥
qÿÿÀÅ¥
QÿÿÀÅ¥
rÿÿÀÅ¥
RÿÿÀÅ¥
ßÿÿÀÅ¥
sÿÿÀÅ¥
SÿÿÀÅ¥
tÿÿÀÅ¥
TÿÿÀÅ¥
uÿÿÀÅ¥
UÿÿÀÅ¥
ÚÿÿÀÅ¥
ÙÿÿÀÅ¥
ÛÿÿÀÅ¥
ÜÿÿÀÅ¥
vÿÿÀÅ¥
VÿÿÀÅ¥
wÿÿÀÅ¥
WÿÿÀÅ¥
\x01ÿÿÀÅ¥
\x02ÿÿÀÅ¥
\x03ÿÿÀÅ¥
\x04ÿÿÀÅ¥
\x05ÿÿÀÅ¥
\x06ÿÿÀÅ¥
\x07ÿÿÀÅ¥
\x08ÿÿÀÅ¥
\x09ÿÿÀÅ¥
\x0aÿÿÀÅ¥
\x0bÿÿÀÅ¥
\x0cÿÿÀÅ¥
\x0dÿÿÀÅ¥
\x0eÿÿÀÅ¥
\x0fÿÿÀÅ¥
\x10ÿÿÀÅ¥
\x11ÿÿÀÅ¥
\x12ÿÿÀÅ¥
\x13ÿÿÀÅ¥
\x14ÿÿÀÅ¥
\x15ÿÿÀÅ¥
\x16ÿÿÀÅ¥
\x17ÿÿÀÅ¥
\x18ÿÿÀÅ¥
\x19ÿÿÀÅ¥
\x1aÿÿÀÅ¥
\x1bÿÿÀÅ¥
\x1cÿÿÀÅ¥
\x1dÿÿÀÅ¥
\x1eÿÿÀÅ¥
\x1fÿÿÀÅ¥
\x7fÿÿÀÅ¥
\x80ÿÿÀÅ¥
\x81ÿÿÀÅ¥
\x82ÿÿÀÅ¥
\x83ÿÿÀÅ¥
\x84ÿÿÀÅ¥
\x86ÿÿÀÅ¥
\x87ÿÿÀÅ¥
\x88ÿÿÀÅ¥
\x89ÿÿÀÅ¥
\x8aÿÿÀÅ¥
\x8bÿÿÀÅ¥
\x8cÿÿÀÅ¥
\x8dÿÿÀÅ¥
\x8eÿÿÀÅ¥
\x8fÿÿÀÅ¥
\x90ÿÿÀÅ¥
\x91ÿÿÀÅ¥
\x92ÿÿÀÅ¥
\x93ÿÿÀÅ¥
\x94ÿÿÀÅ¥
\x95ÿÿÀÅ¥
\x96ÿÿÀÅ¥
\x97ÿÿÀÅ¥
\x98ÿÿÀÅ¥
\x99ÿÿÀÅ¥
\x9aÿÿÀÅ¥
\x9bÿÿÀÅ¥
\x9cÿÿÀÅ¥
\x9dÿÿÀÅ¥
\x9eÿÿÀÅ¥
\x9fÿÿÀÅ¥
xÿÿÀÅ¥
XÿÿÀÅ¥
ÿÿÀÅ¥
!ÿÿÀÅ¥
"ÿÿÀÅ¥
#ÿÿÀÅ¥
%ÿÿÀÅ¥
&ÿÿÀÅ¥
'ÿÿÀÅ¥
(ÿÿÀÅ¥
)ÿÿÀÅ¥
*ÿÿÀÅ¥
+ÿÿÀÅ¥
,ÿÿÀÅ¥
-ÿÿÀÅ¥
.ÿÿÀÅ¥
/ÿÿÀÅ¥
:ÿÿÀÅ¥
;ÿÿÀÅ¥
<ÿÿÀÅ¥
=ÿÿÀÅ¥
?ÿÿÀÅ¥
@ÿÿÀÅ¥
[ÿÿÀÅ¥
\ÿÿÀÅ¥
]ÿÿÀÅ¥
^ÿÿÀÅ¥
_ÿÿÀÅ¥
`ÿÿÀÅ¥
{ÿÿÀÅ¥
|ÿÿÀÅ¥
}ÿÿÀÅ¥
~ÿÿÀÅ¥
ÿÿÀÅ¥
86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÐÑÒÓ\xddb6虣뙮
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꜠ളū
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84
\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84
\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84
\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90w3\x0dk\x01
2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4_min_archive.zip
à\x93\x04
\x86\x01
अ
疘翸
seems to be good enough?!
VMRay may indicate that arguments are strings, but they are not really; things like
What's a good strategy here? The data is a "string" (unicode) but obviously not always what we want.
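One way to approach the question raised in this thread, as an added example that is not capa's own code and not the filter the maintainers eventually chose: treat a VMRay "string" argument as junk when it contains C0/C1 control characters or when fewer than a fixed share of its characters are printable ASCII. The function names (`is_probable_string`, `filter_string_arguments`), the 0.8 threshold and the sample values are all assumptions constructed for this example; the junk samples mirror the shapes quoted above (a single leading character followed by high bytes, whole byte tables, stray control bytes).

```python
"""Heuristic filter for VMRay call arguments that are reported as strings
but are really raw bytes. Hypothetical example, not capa's own code."""
import re
from typing import Iterable, List

# Control characters other than tab / LF / CR rarely occur in genuine string
# arguments (paths, registry keys, URLs, module names); the byte-table
# samples in the issue are full of them.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\x9f]")

# Share of characters that must be printable ASCII (0x20..0x7e) or common
# whitespace for a value to count as a string. Assumed threshold, tuned only
# against the constructed samples below.
ASCII_RATIO_THRESHOLD = 0.8


def ascii_ratio(s: str) -> float:
    """Fraction of characters that are printable ASCII or tab/LF/CR."""
    if not s:
        return 0.0
    ok = sum(1 for c in s if 0x20 <= ord(c) <= 0x7E or c in "\t\n\r")
    return ok / len(s)


def is_probable_string(value: str) -> bool:
    """Return True when a VMRay 'string' argument looks like real text.

    Two rules, both required:
      1. no control characters (except tab, LF, CR), which rejects the
         byte tables and fragments like '\\x01ÿÿÀÅ¥';
      2. at least ASCII_RATIO_THRESHOLD of the characters are printable
         ASCII, which rejects short high-byte fragments like 'aÿÿÀÅ¥'.
    Caveat: rule 2 also rejects genuine non-Latin text, so a deployment
    that expects such arguments needs a per-script allowance.
    """
    if not value:
        return False
    if _CONTROL_CHARS.search(value):
        return False
    return ascii_ratio(value) >= ASCII_RATIO_THRESHOLD


def filter_string_arguments(values: Iterable[str]) -> List[str]:
    """Keep only the values that pass is_probable_string()."""
    return [v for v in values if is_probable_string(v)]


# Constructed samples: junk values shaped like the ones quoted in the issue,
# genuine values shaped like typical API string arguments.
JUNK_SAMPLES = [
    "¤ÿÿÀÅ¥",
    "aÿÿÀÅ¥",
    "\x01ÿÿÀÅ¥",
    "".join(chr(i) for i in range(1, 256)),  # a whole byte table as one "string"
    "à\x93\x04",
    "\x86\x01",
    "अ",
]
GENUINE_SAMPLES = [
    "kernel32.dll",
    "C:\\Windows\\System32\\cmd.exe",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
    "https://example.invalid/update",  # placeholder host, not a real indicator
]

if __name__ == "__main__":
    for v in JUNK_SAMPLES + GENUINE_SAMPLES:
        print(f"{str(is_probable_string(v)):5}  ratio={ascii_ratio(v):.2f}  {v!r}")
```

Run as a script, the loop prints one line per sample with the verdict and the printable-ASCII ratio, so the threshold can be adjusted against a real VMRay archive before the filter is wired into an extractor. Because the issue also asks about arguments that are real strings but in a non-ASCII script, the second rule is the one to relax first if such values turn out to matter in practice.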