[Analyzer] Debloat

[AnshSinghal]

Closes #2521

Description

Added a new analyzer Debloat - tool to remove excess garbage from bloated executables.

Type of change

Please delete options that are not relevant.

• New feature (non-breaking change which adds functionality).

Checklist

• I have read and understood the rules about how to Contribute to this project
• The pull request is for the branch develop
• A new plugin (analyzer, connector, visualizer, playbook, pivot or ingestor) was added or changed, in which case:
  • I strictly followed the documentation "How to create a Plugin"
  • Usage file was updated. A link to the PR to the docs repo has been added as a comment here.
  • Advanced-Usage was updated (in case the plugin provides additional optional configuration). A link to the PR to the docs repo has been added as a comment here.
  • I have dumped the configuration from Django Admin using the dumpplugin command and added it in the project as a data migration. ("How to share a plugin with the community")
  • If a File analyzer was added and it supports a mimetype which is not already supported, you added a sample of that type inside the archive test_files.zip and you added the default tests for that mimetype in test_classes.py.
  • If you created a new analyzer and it is free (does not require any API key), please add it in the FREE_TO_USE_ANALYZERS playbook by following this guide.
  • Check if it could make sense to add that analyzer/connector to other freely available playbooks.
  • I have provided the resulting raw JSON of a finished analysis and a screenshot of the results.
  • If the plugin interacts with an external service, I have created an attribute called precisely url that contains this information. This is required for Health Checks.
  • If the plugin requires mocked testing, _monkeypatch() was used in its class to apply the necessary decorators.
  • I have added that raw JSON sample to the MockUpResponse of the _monkeypatch() method. This serves us to provide a valid sample for testing.
• I have inserted the copyright banner at the start of the file: # This file is a part of IntelOwl https://github.com/intelowlproject/IntelOwl # See the file 'LICENSE' for copying permission.
• If external libraries/packages with restrictive licenses were used, they were added in the Legal Notice section.
• Linters (Black, Flake, Isort) gave 0 errors. If you have correctly installed pre-commit, it does these checks and adjustments on your behalf.
• I have added tests for the feature/bug I solved (see tests folder). All the tests (new and old ones) gave 0 errors.
• If the GUI has been modified:
  • I have a provided a screenshot of the result in the PR.
  • I have created new frontend tests for the new component or updated existing ones.
• After you had submitted the PR, if DeepSource, Django Doctors or other third-party linters have triggered any alerts during the CI checks, I have solved those alerts.

Important Rules

• If you miss to compile the Checklist properly, your PR won't be reviewed by the maintainers.
• Everytime you make changes to the PR and you think the work is done, you should explicitly ask for a review by using GitHub's reviewing system detailed here.

[AnshSinghal]

Hi @mlodic
Wanted your advice in this thing. Actually even after encoding, for large files it return a very very long string. Is it necessary to return the bloated file? or if you can suggest any other alternative for the same?

[fgibertoni]

Imho it's necessary to return the entire file in the report because it can then be used with pivots to start file analysis with other playbooks

[AnshSinghal]

@fgibertoni the thing is that debloat cannot debloat all the files. it sometimes do not debloat the file. and the issue with debloat library is that it does not return an error for the same instead it does not generate any output file. this is the reason the test are failing. Any suggestions what I can do in this case?

[fgibertoni]

Why does not debloat everytime ? Because it's already debloated or because it's not able to do it?
In the first case there is nothing to do imo, just return the already clean file.
In the second case maybe there are some known limitation to the tool or bugs ? We can compare the input file with output to see if cleaning has been performed.

[AnshSinghal]

because its not able to do it.
INFO:main:No automated method for reducing the size worked. Please consider sharing the
sample for additional analysis.
Email: [email protected]
Twitter: @SquiblydooBlog.

So what I will do is. after debloating i will check with the code and if its 0 (No solution found) I will return the json.

[AnshSinghal]

@fgibertoni please review

[fgibertoni]

Please do not catch generic Exception

[fgibertoni]

Can you provide an example for this behavior ? So we can evaluate other option for parsing

[AnshSinghal]

---

TypeError Traceback (most recent call last)
in <cell line: 0>()
40 output_path = "tempR.exe"
41
---> 42 debloat_code = process_pe(
43 pe,
44 out_path=output_path,

2 frames
/usr/lib/python3.11/logging/init.py in info(self, msg, *args, **kwargs)
1487 """
1488 if self.isEnabledFor(INFO):
-> 1489 self._log(INFO, msg, args, **kwargs)
1490
1491 def warning(self, msg, *args, **kwargs):

TypeError: Logger._log() got an unexpected keyword argument 'end'

[fgibertoni]

I don't understand how BBOT logger is related to this one, but I understand the problem now.
Is there any way to emulate the flush parameter behavior instead of just dropping it?

[AnshSinghal]

sure

[fgibertoni]

Any reason for RED ?

[fgibertoni]

Just a small change and we're good to go

[AnshSinghal]

@fgibertoni can we merge this now?

[fgibertoni]

Merging, thank you for the contribution!