FLARE Obfuscated String Solver
Project description
FireEye Labs Obfuscated String Solver
Rather than heavily protecting backdoors with hardcore packers, many
malware authors evade heuristic detections by obfuscating only key
portions of an executable. Often, these portions are strings and resources
used to configure domains, files, and other artifacts of an infection.
These key features will not show up as plaintext in output of the strings.exe utility
that we commonly use during basic static analysis.
The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced
static analysis techniques to automatically deobfuscate strings from
malware binaries. You can use it just like strings.exe to enhance
basic static analysis of unknown binaries.
Please review the theory behind FLOSS here. Our blog post talks more about the motivation behind FLOSS and details how the tool works.
Quick Run
To try FLOSS right away, download a standalone executable file from the releases page: https://github.com/fireeye/flare-floss/releases
For a detailed description of installing FLOSS, review the documentation here.
Usage
Extract obfuscated strings from a malware binary:
$ floss /path/to/malware/binary
Display the help/usage screen to see all available switches.
$ ./floss -h
For a detailed description of using FLOSS, review the documentation here.
For a detailed description of testing FLOSS, review the documentation here.
Sample Output
$ floss malware.bin
FLOSS static ASCII strings
!This program cannot be run in DOS mode.
_YY
RichYY
MdfQ
.text
`.rdata
@.data
.idata
.didat
.reloc
U F
?;}
A@;E
_^[
HttHt-H
'9U
WS2_32.dll
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
Sleep
GetLastError
DeleteFileA
WriteFile
[..snip...]
FLOSS static UTF-16 strings
,%d
FLOSS decoded 4 strings
WinSta0\Default
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer
FLOSS extracted 81 stack strings
WinSta0\Default
'%s' executed.
ERR '%s' error[%d].
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer
wininet.dll
InternetOpenA
0\A4
InternetSetOptionA
InternetConnectA
InternetQueryOptionA
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
-ERR
FILE(%s) wrote(%d).
Invalid ojbect.
SetFilepoint error[%d].
b64_ntop error[%d].
GetFileSize error[%d].
Creates file error[%d].
KCeID5Y/96QTJc1pzi0ZhEBqVG83OnXaL+oxsRdymHS4bFgl7UrWfP2v=wtjNukM
[..snip...]
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file flare-floss-1.7.0a1.tar.gz.
File metadata
- Download URL: flare-floss-1.7.0a1.tar.gz
- Upload date:
- Size: 32.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.15.0 pkginfo/1.7.0 requests/2.25.1 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/2.7.18
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2b7fc48e9ecdbee099520f8ae5081bea8371965d26f1d09678ea1ae3ecb5f619
|
|
| MD5 |
d135c5cd98cedfeb735cc4cef46bc8dc
|
|
| BLAKE2b-256 |
9a1bf0f2fcbcfe8c6b457b2a70c82b0cae03c51561533c1f8b931aa28bab6bcb
|
File details
Details for the file flare_floss-1.7.0a1-py2-none-any.whl.
File metadata
- Download URL: flare_floss-1.7.0a1-py2-none-any.whl
- Upload date:
- Size: 41.6 kB
- Tags: Python 2
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/1.15.0 pkginfo/1.7.0 requests/2.25.1 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.56.0 CPython/2.7.18
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b9c72b917ba4db2a0762ef4a48633360bdbbe7bea9d58d686f5ac9591e66620e
|
|
| MD5 |
ba89d60a99172bc731bc347c67fe35d3
|
|
| BLAKE2b-256 |
9ec6bb6e49c4ce64cfa9c23433d13862c4464fe82cce19d9164aef2b9a9363e3
|
