FLARE Obfuscated String Solver (FLOSS)


#Security Testing#Malware Analysis

Code to prevent a managed .NET debugger/profiler from working.


The FLARE Obfuscated String Solver: An Overview

The FLARE Obfuscated String Solver (FLOSS, previously known as FireEye Labs Obfuscated String Solver) employs advanced static analysis methods to automatically extract and deobfuscate all strings found within malware binaries. You can utilize it similarly to strings.exe, thereby enhancing the basic static analysis of unknown binaries.

Obfuscated Strings

Instead of relying on strong packers to heavily protect backdoors, many malware developers choose to avoid heuristic detections by obfuscating only critical sections of an executable. Frequently, these sections include strings and resources that are used to configure domains, files, and other elements involved in an infection.

These Key Features Will Not Appear in Output

These key features will not be displayed as plaintext in the output of the strings.exe utility, which we often use for basic static analysis. FLOSS extracts the following types of strings:

- static strings: These are "regular" ASCII and UTF-16LE strings.
- stack strings: These are strings that are created on the stack during run-time.
- tight strings: This is a specific type of stack string that is decoded directly on the stack.
- decoded strings: These are strings that have been decoded within a function.

Please review the theory behind FLOSS [here](link). Our blog post goes into more detail about the motivation behind FLOSS and explains how the tool operates.
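The difference between static strings and stack strings, as an added example that is not FLOSS's own code: a strings.exe-style scan over a constructed byte buffer finds the ASCII and UTF-16LE runs but misses a value built byte by byte on the stack. The helper names, the sample buffer and the simplified store-replay recovery are assumptions made for illustration.

```python
import re

MIN_LEN = 4  # assumed minimum run length, as in typical strings-style tools
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

def static_strings(buf):
    """Printable ASCII and UTF-16LE runs: what a strings.exe-style scan reports."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(buf)]
    found += [m.group().decode("utf-16le") for m in UTF16_RE.finditer(buf)]
    return found

def stack_string_code(text):
    """Constructed x86: one `mov byte ptr [ebp-N], imm8` (C6 45 disp8 imm8) per char."""
    out = bytearray()
    for i, ch in enumerate(text.encode("ascii")):
        out += bytes([0xC6, 0x45, (i - len(text)) & 0xFF, ch])
    return bytes(out)

def recover_stack_string(code):
    """Replay the byte stores into a model of the stack frame and read it back."""
    frame = {}
    for i in range(0, len(code) - 3, 4):
        if code[i:i + 2] == b"\xc6\x45":
            disp = code[i + 2] - 256 if code[i + 2] > 127 else code[i + 2]
            frame[disp] = code[i + 3]
    return bytes(frame[d] for d in sorted(frame)).decode("ascii")

# Constructed sample, not taken from any real binary.
CODE = stack_string_code("config.example.com")
SAMPLE = (b"MZ\x90\x00" + b"kernel32.dll\x00" + b"\xff\xff"
          + "Software\\Run".encode("utf-16le") + b"\x00\x00" + CODE + b"\xc3")

if __name__ == "__main__":
    print("static:", static_strings(SAMPLE))
    print("stack :", recover_stack_string(CODE))
```

Each character of the stack string is separated from the next by opcode and displacement bytes, so no printable run reaches the minimum length and the static scan never reports it.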