flare-floss v1.7.0 releases: Automatically extract obfuscated strings from malware
FireEye Labs Obfuscated String Solver
Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plain text in the output of the strings.exe utility that we commonly use during basic static analysis.
The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.
Please review the theory behind FLOSS here.
- static string json output format @mr-tz
- test case invoking main @mr-tz
- tests via GH actions @mr-tz
- builds via GH actions, uploads to releases page @williballenthin
- pushed to pypi via GH actions @williballenthin
- package relative imports @b0urb0n
- register tests in setup.py @b0urb0n
- vivisect version @r0ny123
- code style via black, isort @mr-tz
- test files in sub repo @mr-tz
- vivisect pyinstaller @williballenthin
- IDA 7.4+ support @Ana06
- strings algorithm via bytes @jedimasterbot
Extract obfuscated strings from a malware binary:
$ floss /path/to/malware/binary
Display the help/usage screen to see all available switches.
$ ./floss -h
For a detailed description of using FLOSS, review the documentation here.
For a detailed description of testing FLOSS, review the documentation here.
You can use FLOSS just like you’d use strings.exe: to extract human-readable strings from binary data. The enhancement that FLOSS provides is that it statically analyzes executable files and decodes obfuscated strings. These include strings encrypted in global memory, deobfuscated onto the heap, or manually created on the stack (stackstrings). Since FLOSS also extracts static strings (like strings.exe), you should consider replacing strings.exe with FLOSS within your analysis workflow.