(argv)
| 94 | |
| 95 | |
| 96 | def make_parser(argv): |
| 97 | desc = ( |
| 98 | "The FLARE team's open-source tool to extract ALL strings from malware.\n" |
| 99 | f" %(prog)s {__version__} - https://github.com/mandiant/flare-floss/\n\n" |
| 100 | "FLOSS extracts the following string types:\n" |
| 101 | ' 1. static strings: "regular" ASCII and UTF-16LE strings\n' |
| 102 | " 2. stack strings: strings constructed on the stack at run-time\n" |
| 103 | " 3. tight strings: special form of stack strings, decoded on the stack\n" |
| 104 | " 4. decoded strings: strings decoded in a function\n\n" |
| 105 | "Language-specific strings:\n" |
| 106 | " 1. Go: strings from binaries written in Go\n" |
| 107 | " 2. Rust: strings from binaries written in Rust\n" |
| 108 | ) |
| 109 | epilog = textwrap.dedent( |
| 110 | """ |
| 111 | only displaying core arguments, run `floss -H` to see all supported options |
| 112 | |
| 113 | examples: |
| 114 | extract all strings from an executable |
| 115 | floss suspicious.exe |
| 116 | |
| 117 | do not extract static strings |
| 118 | floss --no static -- suspicious.exe |
| 119 | |
| 120 | only extract stack and tight strings |
| 121 | floss --only stack tight -- suspicious.exe |
| 122 | """ |
| 123 | ) |
| 124 | epilog_advanced = textwrap.dedent( |
| 125 | """ |
| 126 | examples: |
| 127 | extract all strings from 32-bit shellcode |
| 128 | floss -f sc32 shellcode.bin |
| 129 | |
| 130 | only decode strings from the specified functions |
| 131 | floss --functions 0x401000 0x401100 suspicious.exe |
| 132 | |
| 133 | extract strings from a binary written in Go (if automatic language identification fails) |
| 134 | floss --language go program.exe |
| 135 | """ |
| 136 | ) |
| 137 | |
| 138 | show_all_options = "-H" in argv |
| 139 | |
| 140 | parser = ArgumentParser( |
| 141 | description=desc, |
| 142 | epilog=epilog_advanced if show_all_options else epilog, |
| 143 | formatter_class=argparse.RawDescriptionHelpFormatter, |
| 144 | ) |
| 145 | parser.register("action", "extend", floss.utils.ExtendAction) |
| 146 | parser.add_argument("-H", action="help", help="show advanced options and exit") |
| 147 | parser.add_argument( |
| 148 | "-n", |
| 149 | "--minimum-length", |
| 150 | dest="min_length", |
| 151 | type=int, |
| 152 | default=MIN_STRING_LENGTH, |
| 153 | help="minimum string length", |