Extract Strings with FLOSS

Hi Guys,

Today I would like to write about a simple malware analysis technique: extracting strings from a malware binary.

Background

The most common first step in analysing malware is to extract the strings from the binary. The objective of this procedure is to get an initial idea of what the malware would do. Sometimes we can find interesting information such as IOCs, for example the IP address or URL the malware will contact during execution.

When malware developers write their code, they use strings as part of the malware's procedures: HTTP URLs, Windows API names, file paths or even process names.

Static String

A static string is the way the malware author declares the string directly in the code. Static here means the complete string is fully known even before it is compiled into the binary.

#include <iostream>
#include <cstdio>   // printf is declared here, not in <iostream>

int main()
{
    // Static string: the whole literal is known at compile time and is stored
    // contiguously in the binary's data section
    char MyString[] = "Rio Asmara Suryadi";
    printf("the result : %s\n", MyString);
    return 0;
}

So when the malware is compiled into a binary, it is easy to extract this string from it. Below, the string is extracted using PEStudio.

When malware uses static strings in its code, it is very easy for anti-malware tools or an analyst to detect them.

Stack Based String

A stack-based string is a different method of declaring a string: it involves building the string in the stack frame, for example as a char array initialised element by element. Below is a sample.

#include <iostream>
#include <cstdio>   // printf is declared here, not in <iostream>

int main()
{
    // Stack string: each character is written to the stack frame by its own
    // instruction at run time, so the text never appears contiguously in the file.
    // The '\0' terminator is required, otherwise printf reads past the array.
    char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n','\0'};
    printf("the result : %s", MyString);
    return 0;
}

When this code is compiled into a binary, a normal string parser will not be able to extract the string, because the characters are emitted as immediate operands of separate instructions rather than stored next to each other in the file.
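To make the difference concrete, here is an added example (my own code, not part of the original post and not FLOSS) that builds a small constructed buffer containing both kinds of string and runs two extractors over it: a plain printable-ASCII scanner, which is what `strings` and PEStudio do, and a minimal stack-string heuristic that looks for consecutive x86-32 `mov byte ptr [ebp+disp8], imm8` instructions (opcode bytes `C6 45`) and reassembles their immediate bytes in memory order. The instruction encoding, the prologue bytes and the layout are assumptions about what a 32-bit compiler emits; the strings are the ones from the post.

```python
import re

# Constructed sample "binary" (not taken from the page): an x86-32 function
# prologue, a run of "mov byte ptr [ebp+disp8], imm8" instructions that build
# the stack string from the page one character at a time, and the static
# literal "Rio Asmara Suryadi" stored as a normal NUL-terminated string.
STATIC_LITERAL = b"Rio Asmara Suryadi\0"
STACK_LITERAL = b"RioAsmaraSuryadi\n"


def build_stack_string_code(s: bytes) -> bytes:
    """Emit C6 45 <disp8> <imm8> for each character (plus a NUL), the encoding
    a 32-bit compiler typically uses when it inlines a char array onto the stack."""
    out = bytearray()
    base = -(len(s) + 1)                      # lowest ebp-relative slot
    for i, ch in enumerate(s + b"\0"):
        out += bytes([0xC6, 0x45, (base + i) & 0xFF, ch])
    return bytes(out)


SAMPLE = (
    b"\x55\x8b\xec\x83\xec\x20"               # push ebp; mov ebp,esp; sub esp,0x20
    + build_stack_string_code(STACK_LITERAL)
    + b"\x8d\x45\xee\x50"                     # lea eax,[ebp-0x12]; push eax
    + b"\x00\x00" + STATIC_LITERAL + b"\xff\xff\xc3"
)


def extract_static_strings(data: bytes, min_len: int = 4) -> list[str]:
    """What `strings` / PEStudio do: report runs of printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def _signed8(b: int) -> int:
    return b - 256 if b > 127 else b


def extract_stack_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Stack-string heuristic: collect consecutive mov byte [ebp+disp8], imm8
    instructions, order the bytes by displacement and read up to the NUL."""
    found = []
    i = 0
    while i + 4 <= len(data):
        cells = {}
        while i + 4 <= len(data) and data[i] == 0xC6 and data[i + 1] == 0x45:
            cells[_signed8(data[i + 2])] = data[i + 3]
            i += 4
        if not cells:
            i += 1
            continue
        raw = bytes(cells[k] for k in sorted(cells)).split(b"\0", 1)[0]
        if len(raw) >= min_len and all(0x20 <= c <= 0x7E or c in b"\t\r\n" for c in raw):
            found.append(raw.decode("ascii"))
    return found


def compare(data: bytes) -> dict[str, list[str]]:
    """Both views side by side: the static scanner misses the stack string."""
    return {"static": extract_static_strings(data),
            "stack": extract_stack_strings(data)}


if __name__ == "__main__":
    for kind, strings in compare(SAMPLE).items():
        print(kind, [s.rstrip("\n") for s in strings])
```

Running it shows the static scanner returning only "Rio Asmara Suryadi", while the stack heuristic recovers "RioAsmaraSuryadi" from the instruction stream. Real compilers also use `mov dword` stores, other base registers and reordered stores, which is why FLOSS drives this idea with a disassembler and emulator rather than a byte pattern; the principle of reading the immediates back in memory order is the same.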

FireEye Labs Obfuscated String Solver (FLOSS)

FLOSS is a tool developed by FireEye to overcome this limitation by extracting stack strings from a binary. It also has features to automatically detect and decode encoded strings, for example in the code below.

#include <iostream>
#include <cstdio>   // printf is declared here, not in <iostream>

// Simple decoding routine: every byte of the input is stored one less than the
// real character, so adding 1 to each byte recovers the plaintext in place.
char* decodeMe(char* data, int len) {
    for (int i = 0; i < len; i++) {
        data[i] = data[i] + 1;
    }
    return data;
}

int main()
{
    // Stack string from the previous example (kept here for comparison)
    char MyString[] = {'R','i','o','A','s','m','a','r','a','S','u','r','y','a','d','i','\n','\0'};

    // Encoded string: the literal in the binary is meaningless until decodeMe runs
    char MyString2[] = "Qhn.@rl`q`.Rtqx`ch";
    printf("the result : %s\n", decodeMe(MyString2, 18));
    return 0;
}

Output

FLOSS is able to emulate the decode function, so that it can recover the actual string after the decoding process.
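The following is an added example (my own code, not from the post and not FLOSS's implementation) of what "emulating the decoder" means for the routine above. It places the post's encoded literal "Qhn.@rl`q`.Rtqx`ch" in a constructed buffer, reimplements `decodeMe` in Python, and runs it on exactly the bytes and length the call site passes (offset 2 in this constructed layout, length 18 as in the post). As an extension beyond the post, it also shows the naive alternative, trying every single-byte additive key over the whole buffer, and why that is noisier than emulating the real routine.

```python
import re

# Constructed sample buffer (not from the page): the page's encoded literal
# stored next to the format string and the plaintext literal, roughly as a
# compiler lays out .rdata. The offset is whatever this layout yields; on a
# real sample the analyst reads it off the argument passed to decodeMe.
ENCODED = b"Qhn.@rl`q`.Rtqx`ch"
SAMPLE = b"\x00\x00" + ENCODED + b"\x00the result : %s\x00Rio Asmara Suryadi\x00"
ENCODED_OFFSET = SAMPLE.index(ENCODED)
ENCODED_LEN = 18          # the length decodeMe is called with on the page


def static_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Plain printable-ASCII extraction, as `strings` or PEStudio would do."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def decode_add(data: bytes, key: int) -> bytes:
    """Python mirror of the page's decodeMe: add `key` to every byte (mod 256).
    The page's routine uses key 1."""
    return bytes((b + key) & 0xFF for b in data)


def emulate_decode_me(data: bytes, offset: int, length: int) -> str:
    """Run the decoder on exactly the bytes the call site passes to it.
    FLOSS does this with a CPU emulator driven from the real call arguments;
    here the routine is reimplemented by hand from the C source."""
    return decode_add(data[offset:offset + length], 1).decode("ascii")


def brute_force_add(data: bytes, min_len: int = 6) -> dict[int, list[str]]:
    """Hypothetical extension beyond the page: try every single-byte additive
    key over the whole buffer and keep printable runs that the plain
    extraction did not already report. Cheap, but noisy (see usage note)."""
    plain = set(static_strings(data, min_len))
    hits: dict[int, list[str]] = {}
    for key in range(1, 256):
        new = [s for s in static_strings(decode_add(data, key), min_len) if s not in plain]
        if new:
            hits[key] = new
    return hits


if __name__ == "__main__":
    print("plain     :", static_strings(SAMPLE))
    print("emulated  :", emulate_decode_me(SAMPLE, ENCODED_OFFSET, ENCODED_LEN))
    print("key 1 hits:", brute_force_add(SAMPLE).get(1))
```

Plain extraction reports the gibberish "Qhn.@rl`q`.Rtqx`ch" (it is printable, just meaningless), emulation yields "Rio/Asmara/Suryadi" (note that '.' + 1 is '/', so the post's literal does not decode to exactly the spaced name). The brute force also finds it under key 1, but alongside false positives such as the plaintext literal shifted to "Sjp!Btnbsb!Tvszbej", and it cannot handle decoders that are anything more than a fixed byte transform. That is the reason FLOSS locates the decoding function and emulates it with the arguments actually passed at the call site instead of guessing transforms.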
