
vmray: remove FP strings from call arguments extractor #2432

Open
mr-tz opened this issue Oct 2, 2024 · 5 comments
Labels
enhancement New feature or request vmray related to VMRay sandbox report analysis

Comments

Collaborator

mr-tz commented Oct 2, 2024

VMRay may indicate that arguments are strings, but they are not really; things like:

call 579: MultiByteToWideChar(0, 8, \x01ÿÿÀÅ¥, 1, 1)

call 287: WideCharToMultiByte(1252, 0,  \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌, 256, 256

What's a good strategy here? The data is a "string" (Unicode) but obviously not always what we want.

mr-tz added the labels enhancement (New feature or request) and vmray (related to VMRay sandbox report analysis) on Oct 2, 2024
Collaborator Author

mr-tz commented Oct 2, 2024

@mike-hunhoff if you have some insight, we may also close this before the next release

edit: also @williballenthin for awareness :)

@mike-hunhoff
Collaborator

I'm not sure what we can do besides going beyond the context that VMRay provides (e.g. basing capa's parsing on the corresponding API(s)) but that walks us towards OS/Arch/etc. dependency that we should avoid if possible. It also looks like the output that you linked is missing some arguments. Can you provide the input archive (PM me if internal)?

@williballenthin
Collaborator

Maybe limit to string.printable? Or assert all characters are ASCII (or, if another character set, all in the same set? Not sure how to do this today).

Collaborator Author

mr-tz commented Oct 3, 2024

See for example:

    $ python scripts/show-features.py tests/data/dynamic/vmray/93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795_min_archive.zip | grep -iE "\x0"

and other existing test archives.

Collaborator Author

mr-tz commented Oct 3, 2024

Examples we can remove by filtering by string.printable:

93b2d1840566f45fab674ebc79a9d19c88993bcb645e0357f3cb584d16e7c795_min_archive.zip

¤ÿÿÀÅ¥ ¢ÿÿÀÅ¥ $ÿÿÀÅ¥ £ÿÿÀÅ¥ ¥ÿÿÀÅ¥ 0ÿÿÀÅ¥ ½ÿÿÀÅ¥ ¼ÿÿÀÅ¥ 1ÿÿÀÅ¥ ¹ÿÿÀÅ¥ 2ÿÿÀÅ¥ ²ÿÿÀÅ¥ ¾ÿÿÀÅ¥ 3ÿÿÀÅ¥ ³ÿÿÀÅ¥ 4ÿÿÀÅ¥ 5ÿÿÀÅ¥ 6ÿÿÀÅ¥ 7ÿÿÀÅ¥ 8ÿÿÀÅ¥ 9ÿÿÀÅ¥ æÿÿÀÅ¥ ÆÿÿÀÅ¥ aÿÿÀÅ¥ AÿÿÀÅ¥ ªÿÿÀÅ¥ áÿÿÀÅ¥ ÁÿÿÀÅ¥ àÿÿÀÅ¥ ÀÿÿÀÅ¥ âÿÿÀÅ¥ ÂÿÿÀÅ¥ åÿÿÀÅ¥ ÅÿÿÀÅ¥ äÿÿÀÅ¥ ÄÿÿÀÅ¥ ãÿÿÀÅ¥ ÃÿÿÀÅ¥ bÿÿÀÅ¥ BÿÿÀÅ¥ cÿÿÀÅ¥ CÿÿÀÅ¥ çÿÿÀÅ¥ ÇÿÿÀÅ¥ dÿÿÀÅ¥ DÿÿÀÅ¥ ðÿÿÀÅ¥ ÐÿÿÀÅ¥ eÿÿÀÅ¥ EÿÿÀÅ¥ éÿÿÀÅ¥ ÉÿÿÀÅ¥ èÿÿÀÅ¥ ÈÿÿÀÅ¥ êÿÿÀÅ¥ ÊÿÿÀÅ¥ ëÿÿÀÅ¥ ËÿÿÀÅ¥ fÿÿÀÅ¥ FÿÿÀÅ¥ gÿÿÀÅ¥ GÿÿÀÅ¥ hÿÿÀÅ¥ HÿÿÀÅ¥ iÿÿÀÅ¥ IÿÿÀÅ¥ íÿÿÀÅ¥ ÍÿÿÀÅ¥ ìÿÿÀÅ¥ ÌÿÿÀÅ¥ îÿÿÀÅ¥ ÎÿÿÀÅ¥ ïÿÿÀÅ¥ ÏÿÿÀÅ¥ jÿÿÀÅ¥ JÿÿÀÅ¥ kÿÿÀÅ¥ KÿÿÀÅ¥ lÿÿÀÅ¥ LÿÿÀÅ¥ mÿÿÀÅ¥ MÿÿÀÅ¥ nÿÿÀÅ¥ NÿÿÀÅ¥ ñÿÿÀÅ¥ ÑÿÿÀÅ¥ oÿÿÀÅ¥ OÿÿÀÅ¥ ºÿÿÀÅ¥ óÿÿÀÅ¥ ÓÿÿÀÅ¥ òÿÿÀÅ¥ ÒÿÿÀÅ¥ ôÿÿÀÅ¥ ÔÿÿÀÅ¥ öÿÿÀÅ¥ ÖÿÿÀÅ¥ õÿÿÀÅ¥ ÕÿÿÀÅ¥ øÿÿÀÅ¥ ØÿÿÀÅ¥ pÿÿÀÅ¥ PÿÿÀÅ¥ qÿÿÀÅ¥ QÿÿÀÅ¥ rÿÿÀÅ¥ RÿÿÀÅ¥ ßÿÿÀÅ¥ sÿÿÀÅ¥ SÿÿÀÅ¥ tÿÿÀÅ¥ TÿÿÀÅ¥ uÿÿÀÅ¥ UÿÿÀÅ¥ ÚÿÿÀÅ¥ ÙÿÿÀÅ¥ ÛÿÿÀÅ¥ ÜÿÿÀÅ¥ vÿÿÀÅ¥ VÿÿÀÅ¥ wÿÿÀÅ¥ WÿÿÀÅ¥ \x01ÿÿÀÅ¥ \x02ÿÿÀÅ¥ \x03ÿÿÀÅ¥ \x04ÿÿÀÅ¥ \x05ÿÿÀÅ¥ \x06ÿÿÀÅ¥ \x07ÿÿÀÅ¥ \x08ÿÿÀÅ¥ \x09ÿÿÀÅ¥ \x0aÿÿÀÅ¥ \x0bÿÿÀÅ¥ \x0cÿÿÀÅ¥ \x0dÿÿÀÅ¥ \x0eÿÿÀÅ¥ \x0fÿÿÀÅ¥ \x10ÿÿÀÅ¥ \x11ÿÿÀÅ¥ \x12ÿÿÀÅ¥ \x13ÿÿÀÅ¥ \x14ÿÿÀÅ¥ \x15ÿÿÀÅ¥ \x16ÿÿÀÅ¥ \x17ÿÿÀÅ¥ \x18ÿÿÀÅ¥ \x19ÿÿÀÅ¥ \x1aÿÿÀÅ¥ \x1bÿÿÀÅ¥ \x1cÿÿÀÅ¥ \x1dÿÿÀÅ¥ \x1eÿÿÀÅ¥ \x1fÿÿÀÅ¥ \x7fÿÿÀÅ¥ \x80ÿÿÀÅ¥ \x81ÿÿÀÅ¥ \x82ÿÿÀÅ¥ \x83ÿÿÀÅ¥ \x84ÿÿÀÅ¥ \x86ÿÿÀÅ¥ \x87ÿÿÀÅ¥ \x88ÿÿÀÅ¥ \x89ÿÿÀÅ¥ \x8aÿÿÀÅ¥ \x8bÿÿÀÅ¥ \x8cÿÿÀÅ¥ \x8dÿÿÀÅ¥ \x8eÿÿÀÅ¥ \x8fÿÿÀÅ¥ \x90ÿÿÀÅ¥ \x91ÿÿÀÅ¥ \x92ÿÿÀÅ¥ \x93ÿÿÀÅ¥ \x94ÿÿÀÅ¥ \x95ÿÿÀÅ¥ \x96ÿÿÀÅ¥ \x97ÿÿÀÅ¥ \x98ÿÿÀÅ¥ \x99ÿÿÀÅ¥ \x9aÿÿÀÅ¥ \x9bÿÿÀÅ¥ \x9cÿÿÀÅ¥ \x9dÿÿÀÅ¥ \x9eÿÿÀÅ¥ \x9fÿÿÀÅ¥ xÿÿÀÅ¥ XÿÿÀÅ¥ ­ÿÿÀÅ¥ !ÿÿÀÅ¥ "ÿÿÀÅ¥ #ÿÿÀÅ¥ %ÿÿÀÅ¥ &ÿÿÀÅ¥ 'ÿÿÀÅ¥ (ÿÿÀÅ¥ )ÿÿÀÅ¥ *ÿÿÀÅ¥ +ÿÿÀÅ¥ ,ÿÿÀÅ¥ -ÿÿÀÅ¥ .ÿÿÀÅ¥ /ÿÿÀÅ¥ :ÿÿÀÅ¥ ;ÿÿÀÅ¥ <ÿÿÀÅ¥ =ÿÿÀÅ¥ ?ÿÿÀÅ¥ @ÿÿÀÅ¥ [ÿÿÀÅ¥ \ÿÿÀÅ¥ ]ÿÿÀÅ¥ ^ÿÿÀÅ¥ _ÿÿÀÅ¥ `ÿÿÀÅ¥ {ÿÿÀÅ¥ |ÿÿÀÅ¥ }ÿÿÀÅ¥ ~ÿÿÀÅ¥

ÿÿÀÅ¥
 ÿÿÀÅ¥
¡ÿÿÀÅ¥
¦ÿÿÀÅ¥
§ÿÿÀÅ¥
¨ÿÿÀÅ¥
©ÿÿÀÅ¥
«ÿÿÀÅ¥
¬ÿÿÀÅ¥
®ÿÿÀÅ¥
¯ÿÿÀÅ¥
°ÿÿÀÅ¥
±ÿÿÀÅ¥
´ÿÿÀÅ¥
¶ÿÿÀÅ¥
·ÿÿÀÅ¥
¸ÿÿÀÅ¥
»ÿÿÀÅ¥
¿ÿÿÀÅ¥
×ÿÿÀÅ¥
÷ÿÿÀÅ¥
ÿÿÀÅ¥
yÿÿÀÅ¥
YÿÿÀÅ¥
ÝÿÿÀÅ¥
zÿÿÀÅ¥
ZÿÿÀÅ¥
ÞÿÿÀÅ¥
µÿÿÀÅ¥

86d8257ae56e5d8220a4e3f8396d944b5e9e41732b58ad7472276d78aea232fa_min_archive.zip

\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌 \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌 \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿÐÑÒÓ\xddb6虣뙮 \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ꜠ളū \x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84 \x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84 \x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f!"#$%&'()*+,-./0123456789:;<=?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84 \x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x90w3\x0dk\x01

2f8a79b12a7a989ac7e5f6ec65050036588a92e65aeb6841e08dc228ff0e21b4_min_archive.zip

à\x93\x04  \x86\x01 अ 疘翸

seems to be good enough?!
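The string.printable filter proposed in the thread, and the "all in the same character set" alternative that was left open, as an added example. This is not capa's or VMRay's code; it assumes a simplified (api, value) pair for each call argument VMRay flagged as a string, and the sample values are constructed to match the kinds of values quoted in the comments above (the 256-byte table is generated rather than pasted).

```python
import string
import unicodedata
from typing import Iterable

# Added example; not capa's or VMRay's own code. It models the filter discussed
# in this issue: drop call-argument "strings" that VMRay flags as strings but
# that are really binary buffers (code page tables, struct bytes, lookup tables).

PRINTABLE = frozenset(string.printable)


def is_printable_ascii(value: str) -> bool:
    """The string.printable filter: ASCII letters, digits, punctuation and
    whitespace only. Rejects C0/C1 control characters and all non-ASCII."""
    return bool(value) and all(c in PRINTABLE for c in value)


def script_of(c: str) -> str:
    """Crude script bucket: the first word of the Unicode character name
    (LATIN, CYRILLIC, CJK, DEVANAGARI, ...). Empty for unnamed code points such
    as C1 controls. Assumption: the first name word is a good-enough proxy for
    the script, since unicodedata has no script property."""
    return unicodedata.name(c, "").split(" ", 1)[0]


def is_single_script_text(value: str) -> bool:
    """Relaxed alternative: allow non-ASCII text as long as every character is
    printable (ASCII whitespace permitted) and all letters come from one script."""
    if not value:
        return False
    if not all(c.isprintable() or c in string.whitespace for c in value):
        return False
    scripts = {script_of(c) for c in value if c.isalpha()}
    return len(scripts) <= 1


def filter_string_args(
    args: Iterable[tuple[str, str]], strict: bool = True
) -> list[tuple[str, str]]:
    """Keep only (api, value) pairs whose value passes the chosen filter.
    strict=True is the string.printable filter; strict=False keeps single-script
    non-ASCII text as well, at the cost of some residual false positives."""
    check = is_printable_ascii if strict else is_single_script_text
    return [(api, value) for api, value in args if check(value)]


# Constructed sample arguments (hypothetical API/value pairs for this example).
BYTE_TABLE = "".join(chr(i) for i in range(1, 256))  # the 0x01..0xff run from the issue
SAMPLE_ARGS = [
    ("MultiByteToWideChar", "\x01ÿÿÀÅ¥"),               # struct bytes, not text
    ("WideCharToMultiByte", BYTE_TABLE),                 # code page table, not text
    ("CreateFileW", "C:\\Windows\\Temp\\payload.dll"),   # constructed real-looking string
    ("LoadLibraryA", "kernel32.dll"),
    ("MessageBoxW", "Привет"),                           # constructed single-script non-ASCII text
]


def kept_values(strict: bool = True) -> list[str]:
    """Values that survive the filter on the constructed sample."""
    return [value for _, value in filter_string_args(SAMPLE_ARGS, strict=strict)]


if __name__ == "__main__":
    for mode in (True, False):
        print("strict" if mode else "relaxed", kept_values(strict=mode))
```

The strict mode is the one the thread settled on. The relaxed mode shows why: short fragments such as "¤ÿÿÀÅ¥" (currency signs plus Latin letters) are all printable and all one script, so they still pass, while the control-byte cases from the issue are rejected by both modes.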
