GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → mandiant → flashmingo

mandiant / flashmingo

Licence: other
Automatic analysis of SWF files based on some heuristics. Extensible via plugins.

Programming Languages

python
139335 projects - #7 most used programming language
Batchfile
5799 projects

Labels

flashanalysismalwareswfactionscript3fireeye-flare

Projects that are alternatives of or similar to flashmingo

Flashmingo
Automatic analysis of SWF files based on some heuristics. Extensible via plugins.
Stars: ✭ 115 (-1.71%)
Mutual labels:  flash, analysis, malware
guepard
flash to html5 converter, as3 to javascript translator
Stars: ✭ 58 (-50.43%)
Mutual labels:  flash, swf, actionscript3
Illuminatejs
IlluminateJS is a static JavaScript deobfuscator
Stars: ✭ 96 (-17.95%)
Mutual labels:  analysis, malware
Qiling
Qiling Advanced Binary Emulation Framework
Stars: ✭ 2,816 (+2306.84%)
Mutual labels:  analysis, malware
alternativa3d tools
Blender addon to import and export alternativa3d files. See http://alternativaplatform.com for more information on the file types and its uses.
Stars: ✭ 19 (-83.76%)
Mutual labels:  flash, actionscript3
Locky
Stars: ✭ 61 (-47.86%)
Mutual labels:  analysis, malware
Data
APTnotes data
Stars: ✭ 1,126 (+862.39%)
Mutual labels:  analysis, malware
yupi
🎲 open source gaming emulator for flash based games
Stars: ✭ 28 (-76.07%)
Mutual labels:  flash, swf
MalScan
A Simple PE File Heuristics Scanners
Stars: ✭ 41 (-64.96%)
Mutual labels:  analysis, malware
Jpexs Decompiler
JPEXS Free Flash Decompiler
Stars: ✭ 2,939 (+2411.97%)
Mutual labels:  flash, swf
rhino
Agile Sandbox for analyzing Windows, Linux and macOS malware and execution behaviors
Stars: ✭ 49 (-58.12%)
Mutual labels:  analysis, malware
Manalyze
A static analyzer for PE executables.
Stars: ✭ 701 (+499.15%)
Mutual labels:  analysis, malware
Binee
Binee: binary emulation environment
Stars: ✭ 408 (+248.72%)
Mutual labels:  analysis, malware
Php Malware Analysis
Deobfuscation and analysis of PHP malware captured by a WordPress honey pot
Stars: ✭ 82 (-29.91%)
Mutual labels:  analysis, malware
ips-bph-framework
BLACKPHENIX is an open source malware analysis automation framework composed of services, scripts, plug-ins, and tools and is based on a Command-and-Control (C&C) architecture
Stars: ✭ 21 (-82.05%)
Mutual labels:  analysis, malware
Elfparser
Cross Platform ELF analysis
Stars: ✭ 228 (+94.87%)
Mutual labels:  analysis, malware
cerberus research
Research tools for analysing Cerberus banking trojan.
Stars: ✭ 110 (-5.98%)
Mutual labels:  analysis, malware
Automated-Malware-Analysis-List
My personal Automated Malware Analysis Sandboxes and Services
Stars: ✭ 20 (-82.91%)
Mutual labels:  analysis, malware
Ruffle
A Flash Player emulator written in Rust
Stars: ✭ 9,128 (+7701.71%)
Mutual labels:  flash, swf
lvg
Lion Vector Graphics
Stars: ✭ 106 (-9.4%)
Mutual labels:  flash, swf
View All Similar Projects ➔

FLASHMINGO

Install

NOTE: The following instructions are for Python3.

If you need to install FLASHMINGO on Python2.7 you can checkout the release 1.0 under the releases tab. The installation steps are essentially the same.

Install the Python3 packages listed in requirements.txt.

You can use the following command: pip3 install -r requirements.txt

If you want to use the decompilation functionality you need to install Jython. Ubuntu/Debian users can issue apt install jython

Clone the project or download the zip file.

What

FLASHMINGO is an analysis framework for SWF files. The tool automatically triages suspicious Flash files and guides the further analysis process, freeing precious resources in your team. You can easily incorporate FLASHMINGO’s analysis modules into your workflow.

Why

To this day forensic investigators and malware analysts must deal with suspicious SWF files. If history repeats itself the security threat may even become bigger beyond Flash’s end of life in 2020. Systems will continue to support a legacy file format that is not going to be updated with security patches anymore. Automation is the best way to deal with this issue and this is where FLASHMINGO can help you. FLASHMINGO is an analysis framework to automatically process SWF files that enables you to flag suspicious Flash samples and analyze them with minimal effort. It integrates into various analysis workflows as a stand-alone application or a powerful library. Users can easily extend the tool’s functionality via custom Python plugins.

How

Architecture

FLASHMINGO is designed with simplicity in mind. It reads a SWF file and creates an object (SWFObject) representing its contents and structure. Afterwards FLASHMINGO runs a series of plugins acting on this SWFObject and returning their values to the main program.

Below a mandatory ASCII art flow diagram:

                                                 +----------+
                                                 |          |
                       +------------+----------->+ PLUGIN 1 +------------+
                       |            |            |          |            |
                       |            |            +----------+            |
                       |            |                                    |
                       |            |            +----------+            |
                       |            |            |          |            |
+---------+            |            +----------->+ PLUGIN 2 +--------+   |
|SWF FILE +----------->+ FLASHMINGO |            |          |        |   |
+---------+            |            |            +----------+        |   |
                       |            |                                |   |
                       |            |                                |   |
                       |            |                                |   |
                       |            |                          +-----v---v-+
                       |            |                          |           |
                       |            |                          |           |
                       +-----+------+------------------------->+ SWFOBJECT |
                             ^                                 |           |
                             |                                 |           |
                             |                                 +-----+-----+
                             |                                       |
                             |                                       |
                             |                                       |
                             +---------------------------------------+

When using FLASHMINGO as a library in your own projects, you only need to take care of two kind of objects:

  • one or many SWFObject(s), representing the sample(s)
  • a Flashmingo object. This acts essentially as a harness connecting plugins and SWFObject(s).

Plugins!

FLASHMINGO plugins are stored in their own directories under... you guessed it: plugins When a Flashmingo object is instantiated, it goes through this directory and process all plugins' manifests. Should this indicate that the plugin is active, this is registered for later use. At the code level, this means that a small plugin_info dictionary is added to the plugins list.

Plugins are invoked via the run_plugin API with two arguments:

  • the plugin's name
  • the SWFObject instance

Optionally, most of the plugins allow you to pass your own user data. This is plugin dependent (read the documentation) and it can be more easily be explained with an example. The default plugin SuspiciousNames will search all constant pools for strings containing suspicious substrings (for example: 'overflow', 'spray', 'shell', etc.) There is a list of common substrings already hard-coded in the plugin so that it can be used as-is. However, you may pass a list of your own defined substrings, in this case via the names parameter.

Code example:

fm = Flashmingo()
print fm.run_plugin('DangerousAPIs', swf=swf)
print fm.run_plugin('SuspiciousNames', swf=swf, names=['spooky'])

Default plugins

FLASHMINGO ships with some useful plugins out of the box:

  • binary_data
  • dangerous_apis
  • decompiler
  • suspicious_constants
  • suspicious_loops
  • suspicious_names
  • template :)

Extending FLASHMINGO

A template plugin is provided for easy development. Extending FLASHMINGO is rather straightforward. Follow these simple steps:

  • Copy the template
  • Edit the manifest
  • Override the run method
  • Add your custom code

You are ready to go :)

FLASHMINGO as a library

API

  • See the docs directory for autogenerated documentation
  • See FireEye's blog post for an example

Front-ends

  • Console

Create Documentation

$ pip install sphinxcontrib-napoleon

After setting up Sphinx to build your docs, enable napoleon in the Sphinx conf.py file:

In conf.py, add napoleon to the extensions list

extensions = ['sphinxcontrib.napoleon']

Use sphinx-apidoc to build your API documentation:

$ sphinx-apidoc -f -o docs/source projectdir

This creates .rst files for Sphinx to process

$ make html

That's it! :)

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].