FLARE Obfuscated String Solver
Rather than heavily protecting backdoors with hardcore packers, many
malware authors evade heuristic detections by obfuscating only key
portions of an executable. Often, these portions are strings and resources
used to configure domains, files, and other artifacts of an infection.
These key features will not show up as plaintext in output of the
that we commonly use during basic static analysis.
The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced
static analysis techniques to automatically deobfuscate strings from
malware binaries. You can use it just like
strings.exe to enhance
basic static analysis of unknown binaries.
FLOSS extracts all the following string types:
- static strings: "regular" ASCII and UTF-16LE strings
- decoded strings: strings decoded in a function
- stack strings: strings constructed on the stack at run-time
- tight strings: special form of stack strings, decoded on the stack
To try FLOSS right away, download a standalone executable file from the releases page: https://github.com/mandiant/flare-floss/releases
For a detailed description of installing FLOSS, review the documentation here.
Extract obfuscated strings from a malware binary:
$ floss /path/to/malware/binary
Display the help/usage screen to see all available switches.
$ floss -h
For a detailed description of using FLOSS, review the documentation here.
For a detailed description of testing FLOSS, review the documentation here.