Function get_string_blob_strings

floss/language/rust/extract.py:138–194  ·  view source on GitHub ↗
(pe: pefile.PE, min_length: int)

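def get_string_blob_strings(pe: pefile.PE, min_length: int) -> Iterable[StaticString]:
    """Extract Rust string-blob strings from the ``.rdata`` section of *pe*.

    Rust string literals are commonly stored back-to-back in ``.rdata`` without
    terminators, so a plain byte scan yields long run-together strings. This
    function scans ``.rdata`` with ``b2s``, keeps the UTF-8 hits (rebased to
    file offsets), and then uses code references into ``.rdata`` -- the
    struct-string candidates plus ``lea``/``push``/``mov`` operands on i386, or
    ``lea`` operands on amd64 -- to split those hits at each referenced offset
    via ``split_strings``.

    Args:
        pe: parsed PE file.
        min_length: minimum string length, passed through to the scanner and
            to ``split_strings``.

    Returns:
        The (possibly split) UTF-8 strings as ``StaticString`` objects, or an
        empty list when ``get_rdata_section`` raises ``ValueError`` or the
        machine type is neither i386 nor amd64. Both cases are logged at
        error level rather than raised.
    """
    image_base = pe.OPTIONAL_HEADER.ImageBase

    try:
        rdata_section = get_rdata_section(pe)
    except ValueError as e:
        logger.error("cannot extract rust strings: %s", e)
        return []

    buffer_rdata = rdata_section.get_data()
    start_rdata = rdata_section.PointerToRawData
    # Bound the accepted file-offset range by the bytes actually read, not only
    # by the header's SizeOfRawData: a truncated or malformed PE can declare
    # more raw data than the file holds, and pefile then returns the shorter
    # slice. Strings were only extracted from that slice, so an xref past its
    # end has nothing to split. For well-formed files both values are equal.
    end_rdata = start_rdata + min(rdata_section.SizeOfRawData, len(buffer_rdata))
    virtual_address = rdata_section.VirtualAddress

    # extract utf-8 and wide strings, latter not needed here
    strings = b2s.extract_all_strings(buffer_rdata, min_length)
    fixed_strings = fix_b2s_wide_strings(strings, min_length, buffer_rdata)

    # select only UTF-8 strings and adjust offset
    static_strings = filter_and_transform_utf8_strings(fixed_strings, start_rdata)

    # TODO(mr-tz) - handle miss in rust-hello64.exe
    # .rdata:00000001400C1270 0A aPanickedAfterP db 0Ah ; DATA XREF: .rdata:00000001400C12B8↓o
    # .rdata:00000001400C1271 70 61 6E 69 63 6B 65 64… db 'panicked after panic::always_abort(), aborting.',0Ah,0
    # .rdata:00000001400C12A2 00 00 00 00 00 00 align 8

    # lazily yield the virtual addresses of the struct-string candidates
    struct_string_addrs = (candidate.address for candidate in get_struct_string_candidates(pe))

    machine = pe.FILE_HEADER.Machine
    if machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_I386"]:
        # 32-bit code can reference data through lea, push and mov operands
        xrefs = itertools.chain(
            struct_string_addrs,
            find_lea_xrefs(pe),
            find_push_xrefs(pe),
            find_mov_xrefs(pe),
        )

    elif machine == pefile.MACHINE_TYPE["IMAGE_FILE_MACHINE_AMD64"]:
        # 64-bit code: only lea operands are followed for now
        xrefs = itertools.chain(struct_string_addrs, find_lea_xrefs(pe))

        # TODO(mr-tz) - handle movdqa rust-hello64.exe
        # .text:0000000140026046 66 0F 6F 05 02 71 09 00 movdqa xmm0, cs:xmmword_1400BD150
        # .text:000000014002604E 66 0F 6F 0D 0A 71 09 00 movdqa xmm1, cs:xmmword_1400BD160
        # .text:0000000140026056 66 0F 6F 15 12 71 09 00 movdqa xmm2, cs:xmmword_1400BD170

    else:
        logger.error("unsupported architecture: %s", machine)
        return []

    for addr in xrefs:
        # VA -> RVA -> file offset, assuming the address lies in .rdata;
        # the range check below discards everything that does not.
        address = addr - image_base - virtual_address + start_rdata

        if not (start_rdata <= address < end_rdata):
            continue

        split_strings(static_strings, address, min_length)

    return static_strings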
