
Description
The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like `strings.exe` to enhance basic static analysis of unknown binaries.
| Field | Value |
|---|---|
| Platform | Windows, Mac, Linux |
| Author | FireEye Labs |
| License | Apache License 2.0 |
| URL | https://github.com/fireeye/flare-floss/releases |
Usage
```text
Usage: floss [options] FILEPATH

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -n MIN_LENGTH, --minimum-length=MIN_LENGTH
                        minimum string length (default is 4)
  -f FUNCTIONS, --functions=FUNCTIONS
                        only analyze the specified functions (comma-separated)
  --save-workspace      save vivisect .viv workspace file in current directory

  Extraction options:
    Specify which string types FLOSS shows from a file, by default all
    types are shown

    --no-static-strings
                        do not show static ASCII and UTF-16 strings
    --no-decoded-strings
                        do not show decoded strings
    --no-stack-strings  do not show stackstrings

  Format Options:
    -g, --group         group output by virtual address of decoding functions
    -q, --quiet         suppress headers and formatting to print only
                        extracted strings

  Logging Options:
    -v, --verbose       show verbose messages and warnings
    -d, --debug         show all trace messages

  Script output options:
    -i IDA_PYTHON_FILE, --ida=IDA_PYTHON_FILE
                        create an IDAPython script to annotate the decoded
                        strings in an IDB file
    -r RADARE2_SCRIPT_FILE, --radare=RADARE2_SCRIPT_FILE
                        create a radare2 script to annotate the decoded
                        strings in an .r2 file

  Identification Options:
    -p PLUGINS, --plugins=PLUGINS
                        apply the specified identification plugins only
                        (comma-separated)
    -l, --list-plugins  list all available identification plugins and exit

  FLOSS Profiles:
    -x, --expert        show duplicate offset/string combinations, save
                        workspace, group function output
```
Examples
floss --no-static-strings file.exe
The following example shows the decoded strings and stackstrings FLOSS found in 9.exe. FLOSS can also list the regular static strings, but by the time you run FLOSS you are usually interested only in the encoded strings, so `--no-static-strings` suppresses them.
remnux@remnux:~$ floss --no-static-strings file.exe
FLOSS decoded 16 strings
\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program 
Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Files\\Program Files\Common Fil
\system32\
.ocx
whh27018
WinSta0\Default
WinSta0\Default
WinSta0\Default
user32.dll
syst<
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
user32.dll
systH
@\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
syst
\system32\AA
\system32\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
FLOSS extracted 4 stackstrings
WinSta0\Default
user32.dll
\Program Files\Common Files\
rundll32.exe
Finished execution after 3.978650 seconds
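Output like the listing above is tedious to read by hand: some decoded strings are emulation artifacts (a path repeated hundreds of times, long runs of `A`), and the useful ones (`WinSta0\Default`, `user32.dll`) show up several times across both sections. The following Python script is an added example, not part of FLOSS or of this page; it parses the `FLOSS decoded N strings` / `FLOSS extracted N stackstrings` sections of the plain-text output, checks the parsed counts against the counts FLOSS declared in its headers, deduplicates across both sections and sets padding-like strings aside. The embedded sample is constructed to resemble the listing above; on a real run you would pipe `floss --no-static-strings file.exe` into it. The padding heuristics (a byte repeated 32+ times, or a 4 to 64 character unit repeated four or more times) are the example's own thresholds, not FLOSS behaviour.

```python
import re
import sys
from collections import Counter

# Constructed sample modelled on the page's listing (not real FLOSS output):
# a few real-looking strings, duplicates, and two padding-like artifacts.
SAMPLE_OUTPUT = "\n".join([
    "remnux@remnux:~$ floss --no-static-strings file.exe",
    "FLOSS decoded 7 strings",
    "\\system32\\",
    ".ocx",
    "WinSta0\\Default",
    "WinSta0\\Default",
    "user32.dll",
    "@\\system32\\" + "A" * 64,
    "\\Program Files\\Common Files\\" * 6,
    "FLOSS extracted 3 stackstrings",
    "WinSta0\\Default",
    "user32.dll",
    "rundll32.exe",
    "Finished execution after 3.978650 seconds",
])

# Section headers exactly as FLOSS prints them in the listing above.
HEADER_RE = re.compile(r"^FLOSS (?:decoded|extracted) (\d+) (strings|stackstrings)$")
# A single character repeated 32+ times, e.g. the "AAAA..." buffers.
RUN_RE = re.compile(r"(.)\1{31,}")
# A 4..64 character unit repeated four or more times back to back.
REPEAT_RE = re.compile(r"(.{4,64}?)\1{3,}")


def parse_floss_output(text):
    """Split FLOSS text output into decoded strings and stackstrings.

    Returns {"decoded": [...], "stack": [...], "declared": {"decoded": n, "stack": n}}.
    Lines before the first header (the shell prompt) and the trailing
    timing line are ignored.
    """
    sections = {"decoded": [], "stack": [], "declared": {}}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = "decoded" if m.group(2) == "strings" else "stack"
            sections["declared"][current] = int(m.group(1))
            continue
        if line.startswith("Finished execution"):
            current = None
            continue
        if current is not None and line:
            sections[current].append(line)
    return sections


def declared_counts_match(sections):
    """True if the counts FLOSS printed in its headers match what we parsed."""
    return all(len(sections[k]) == n for k, n in sections["declared"].items())


def looks_like_padding(s):
    """Heuristic: one repeated character or a short repeated unit is usually
    an emulation artifact rather than a string an analyst needs to read."""
    return bool(RUN_RE.search(s) or REPEAT_RE.search(s))


def triage(sections):
    """Deduplicate across both sections and separate padding-like strings.
    Returns lists of (string, occurrences), most frequent first."""
    counts = Counter(sections["decoded"] + sections["stack"])
    keep, padding = [], []
    for s, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        (padding if looks_like_padding(s) else keep).append((s, n))
    return {"unique": keep, "padding": padding}


def main():
    # Read real FLOSS output from stdin when piped; fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sections = parse_floss_output(text)
    if not declared_counts_match(sections):
        print("warning: parsed counts differ from FLOSS headers", file=sys.stderr)
    result = triage(sections)
    for s, n in result["unique"]:
        print(f"{n:3d}  {s}")
    print(f"({len(result['padding'])} padding-like strings suppressed)")


if __name__ == "__main__":
    main()
```

Run as `floss --no-static-strings file.exe | python3 floss_triage.py`; the count check matters because a string containing a newline or a stray header-like line would otherwise silently shift items between sections.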
Blog Posts