The FireEye Labs Obfuscated String Solver (FLOSS) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.
Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in output of the strings.exe utility that we commonly use during basic static analysis.
Malware authors pack their software to resist reverse engineering and enable their operations to survive longer. However, many features of packing are easy to automatically identify during static or dynamic analysis. Therefore, some authors obfuscate only the most sensitive resources used by malware in an attempt to blend in. We call this “string obfuscation”. String obfuscation maintains some difficulty around extracting host or network based signatures (such as filenames, registry keys, or domain names), while structuring the executable file like legitimate programs. This is a technique that balances moderate anti-reverse engineering tricks with a moderate level of stealth.
As a reverse engineer, it takes significant effort to extract obfuscated strings from a malware sample. This is because there are a huge number of possible encoding functions, configurations, and control flows. For example, some malware uses a single-byte XOR operating with a static key for all obfuscated strings, while other malware uses RC4 encryption with a unique key per string. Its often difficult to figure out how encoded data is protected without opening IDA Pro or reviewing a debugger trace.
Manual extraction of obfuscated strings commonly involves thoroughly studying a decryption routine and reimplementing it in a scripting language. This is a tedious and error-prone process that is fun at first, and mind-numbing after a few iterations. Alternatively, an analyst may instrument a debugger to hop around hundreds of locations in hopes of forcing the malware to decode itself. This is also complex, tedious, and error-prone.
FLOSS combines and automates the best manual reverse engineering techniques for string decoding. First, it uses heuristics to identify decoding routines in a sample. Then FLOSS extracts cross references and arguments to decoders using control flow analysis. Next FLOSS emulates decoder functions using extracted arguments. Finally, FLOSS diffs the emulator memory states from before and after decoder emulation and extracts human readable strings.
Algorithm
- Analyze control flow of malware to identify functions, basic blocks, etc.
- Use heuristics to find potential decoding routines
- Brute force emulate all code paths among basic blocks and functions
- Snapshot emulator state (registers, memory) at appropriate points
- Extract arguments to decoder functions from emulator snapshots
- Emulate decoder functions using extracted arguments and emulator state
- Diff memory state from before and after decoder emulation
- Extract human-readable strings from memory state difference
Requirements
First, install a few required dependencies. Heres the easiest way:
vivisect– https://github.com/vivisect/vivisect, installable module from https://github.com/williballenthin/vivisect$ pip install https://github.com/williballenthin/vivisect/zipball/masterpytest– http://pytest.org$ pip install pytest
Usage
Extract obfuscated strings from a malware binary:
$ floss /path/to/malware/binary
Display the help/usage screen to see all available switches.
$ ./floss -h
For a detailed description of using FLOSS, review the documention here.
For a detailed description of testing FLOSS, review the documention here.
Obfuscated String Solver Output
$ ~/env/bin/floss -a malware.bin
Static ASCII strings
Offset String
---------- -------------------------------------
0x0000004D !This program cannot be run in DOS mode.
0x00000083 _YY
0x000000D0 RichYY
0x000000F0 MdfQ
0x000001E0 .text
0x00000207 `.rdata
0x0000022F @.data
0x00000258 .idata
0x00000280 .didat
0x000002A8 .reloc
0x000005B6 U F
0x000005F1 ?;}
0x000006D4 A@;E
0x000006E4 _^[
0x000008E0 HttHt-H
0x0000099A '9U
0x00007020 WS2_32.dll
0x00007C4E FreeLibrary
0x00007C5C GetProcAddress
0x00007C6E LoadLibraryA
0x00007C7E GetModuleHandleA
0x00007C92 GetVersionExA
0x00007CA2 MultiByteToWideChar
0x00007CB8 WideCharToMultiByte
0x00007CCE Sleep
0x00007CD6 GetLastError
0x00007CE6 DeleteFileA
0x00007CF4 WriteFile
[..snip...]
Static UTF-16 strings
Offset String
---------- -------------------------------------
0x00007614 ,%d
Most likely decoding functions in: malware.bin
address: score:
---------- -------
0x0040102D 0.71000
0x0040101E 0.23000
0x00401046 0.23000
0x00401005 0.21000
0x0040100F 0.21000
0x00401014 0.21000
0x00401023 0.21000
0x004069BF 0.21000
0x00401041 0.21000
0x00406736 0.21000
FLOSS decoded 10 strings
Offset Called At String
---------- ---------- -------------------------------------
0xBFB3B4E8 0x0040595F WinSta0\Default
0xBFB3B4A0 0x0040472E Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4A0 0x0040472E Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4EC 0x0040472E ProxyEnable
0xBFB3B4A0 0x0040472E Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4E0 0x0040472E ProxyServer
0xBFB3B4EC 0x0040472E ProxyEnable
0xBFB3B4A0 0x0040472E Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0xBFB3B4E0 0x0040472E ProxyServer
0xBFB3B4EC 0x0040472E ProxyEnable
[..snip...]
FLOSS extracted 81 stack strings
Function: Frame offset String:
---------- ------------ -------
0x00401005 0x001c WinSta0\Default
0x0040100f 0x0010 WinSta0\Default
0x0040100f 0x007f pVAD
0x0040100f 0x0034 '%s' executed.
0x0040100f 0x0038 ERR '%s' error[%d].
0x00401014 0x005c Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
0x00401014 0x0010 ProxyEnable
0x00401014 0x001c ProxyServer
0x00401019 0x000c wininet.dll
0x00401019 0x001c InternetOpenA
0x00401019 0x0107 0\A4
0x00401019 0x00c8 InternetSetOptionA
0x00401019 0x0064 InternetConnectA
0x00401019 0x00f7 pVAInternetQueryOptionA
0x0040100a 0x0080 Mozilla/4.0 (compatible; MSIE 7.0; Win32)
0x0040100a 0x004c -ERR
0x0040100a 0x0020 FILE(%s) wrote(%d).
0x0040100a 0x0038 Invalid ojbect.
0x0040100a 0x0040 SetFilepoint error[%d].
0x0040100a 0x003c b64_ntop error[%d].
0x0040100a 0x0024 GetFileSize error[%d].
0x0040100a 0x0024 Creates file error[%d].
0x00401041 0x0047 pVAKCeID5Y/96QTJc1pzi0ZhEBqVG83OnXaL+oxsRdymHS4bFgl7UrWfP2v=wtjNukM
[..snip...]
Source && Download
