QUANTUMSTRAND beta 1

Beta 1 Release of FLOSS QuantumStrand (qs)

We are excited to announce the beta release of QuantumStrand (qs), a new experimental tool within the FLOSS suite designed to revolutionize how analysts interact with strings in binary files. While traditional floss excels at deobfuscating and extracting all possible strings, qs focuses on providing deep context and structure to the strings it finds.

What is QuantumStrand?

QuantumStrand is a static string analysis tool that extracts, tags, and presents strings within the hierarchical context of a file's structure. It's built for analysts who need to quickly understand where strings are, what they might be, and how important they are, without getting lost in a sea of undifferentiated text.

It's particularly effective for triage, allowing you to rapidly identify interesting regions and ignore common noise.

Key Features

• Hierarchical Layout Analysis: qs doesn't just give you a flat list of strings. It parses PE files into a tree of structures - sections, headers, resources, overlays, and even embedded files - and shows you exactly where each string resides.

• Intelligent String Tagging: Strings are enriched with contextual tags from various databases, helping you to quickly filter signal from noise. Tags include:

  • #common: Identifies common, globally prevalent strings that can often be ignored.
  • #winapi: Highlights Windows API and DLL names.
  • #<library_name>: Recognizes strings from known open-source libraries (e.g., #openssl).
  • #expert: Marks strings based on expert-curated rules for malware analysis.
  • #decoded: Indicates the file was likely XOR-encoded and has been automatically decoded.
  • #code & #reloc: Flags strings that overlap with executable code or relocation table entries, which are often false positives.

• Automatic XOR Detection: qs can automatically detect and decode PE files that have been obfuscated with a single-byte XOR key.

• Rich, Structured Console UI: The default output is a color-coded view of the file's layout. It uses borders and indentation to visually group strings by their containing structure, making it easy to navigate and understand the file's composition.

• Detailed JSON Output: For tool integration and deeper analysis, qs produces a JSON document containing the full file layout, all extracted strings, their tags, offsets, and structural information.

Usage

To get started with QuantumStrand, simply run it against a binary file:

$ quantumstrand.exe /path/to/your/sample.exe

Command-Line Options

• -n, --minimum-length <len>: Set the minimum string length (default is 4).
• -j, --json: Output the results in JSON format instead of the rich console view.
• -l, --load: Load and display a previously saved JSON results file.
• -d, --debug: Enable verbose debugging output.

Try It Out!

QuantumStrand is still in beta, and we welcome your feedback! Please give it a try on your favorite samples and let us know what you think. Your input will be invaluable as we continue to develop and refine this new capability.

v3.1.1

The v3.1.1 release relaxes restrictions on dependencies, which enables you to use FLOSS with Python 3.12 and newer.

Full Changelog: v3.1.0...v3.1.1

v3.1.0

New Features

• updated Rust Version Database and Scripts by @Arker123 in #926
• fix: handle default prompt when stdout is redirected by @Arker123 in #938
• provide an option to install right click menu option for Windows by @lyc8503 in #970
• feat: added decoding functions calls by @RahulSankhla312 in #978

Other Updates

• fix typo in README.md by @sleeyax in #936
• updated various dependencies
  • including bump-pydantic from 1.10.9 to 2.6.0 by @Aayush-Goel-04 in #954
• changed deprecated pytest functionality by @Sylan-Padmakumar in #959
• migrate to pyproject toml by @s-ff in #967
• [CI] Update GitHub actions by @rimvydascivilis in #982

New Contributors

• @sleeyax made their first contribution in #936
• @Sylan-Padmakumar made their first contribution in #959
• @s-ff made their first contribution in #967
• @lyc8503 made their first contribution in #970
• @rimvydascivilis made their first contribution in #982
• @RahulSankhla312 made their first contribution in #978

Full Changelog: v3.0.1...v3.1.0

v3.0.1

This release fixes the missing language module in the v3.0.0 PyPI build.

v3.0.0

New Features

• identification of programs written in Go, Rust, and .NET
• extraction of strings embedded in Go programs
• extraction of strings embedded in Rust programs

Other Updates

• updates to the IDA plugin
• upgraded minimum required Python version to 3.8
• various bug fixes
• various code quality improvements

Google Summer of Code 2023

@Arker123 contributed the majority of features and improvements during the Google Summer of Code working closely with the Mandiant FLARE team. We'd like to thank him for the great collaboration and discussions before, during, and after the twelve week program.

Contributors

Thanks to all our contributors, including @symbolicvoid, @DiegoRomeo, @sara-rn and especially @Arker123

Full Changelog: v2.3.0...v3.0.0

QUANTUMSTRAND preview 7

fixes:

• PyInstaller build

QUANTUMSTRAND preview 6

changes:

• add column to show U to indicated UTF-16LE string (versus ASCII default)
• add database of common junk code strings
• add -n minimum string length CLI option

QUANTUMSTRAND preview 5

readme

changes:

• parse and display PE Authenticode signature region

fixes:

• handling of non-PE files
• various PE and code parsing fixes in lancelot

v2.3.0

New Features

• added false positive string filters
• use rich library for rendering of output and traceback
• initial detection of binaries compiled using Go
• updated dependencies

Other Updates

• various bug fixes

Contributors

Thanks to all our contributors, including @d01a, @Arker123, @Dobatymo, @Aayush-Goel-04, @symbolicvoid, @EmperialX, @ggold7046, @ooprathamm, @deepaksirohiwal, and @DeeyaSingh!

QUANTUMSTRAND preview 4

readme

changes:

• re-enable structure hints for strings found in known structures
• tweak color used to display string address