flare-floss
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Top Related Projects
IDA Pro utilities from FLARE team
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Quick Overview
FLARE Obfuscated String Solver (FLOSS) is an open-source tool developed by Mandiant's FLARE team for automatically extracting obfuscated strings from malware. It uses advanced static analysis techniques to identify and deobfuscate strings, making it an invaluable resource for malware analysts and reverse engineers.
Pros
- Automates the process of extracting obfuscated strings, saving time for analysts
- Supports multiple obfuscation techniques, including XOR, ROT, and custom algorithms
- Integrates well with other reverse engineering tools and workflows
- Regularly updated and maintained by security professionals
Cons
- May produce false positives or miss some obfuscated strings in complex malware
- Requires some technical knowledge to interpret and use the results effectively
- Can be resource-intensive for large or complex binaries
- Limited to static analysis, which may not catch all dynamically generated strings
Getting Started
To get started with FLOSS:
- Install FLOSS:
  pip install flare-floss
- Run FLOSS on a suspicious file:
  floss suspicious_file.exe
- For more options and advanced usage, refer to the help menu:
  floss --help
Note: FLOSS is primarily a command-line tool, so there are no code examples in the traditional sense. The tool is used by running it against suspicious files from the command line or integrating it into other analysis workflows.
Competitor Comparisons
IDA Pro utilities from FLARE team
Pros of flare-ida
- Integrates directly with IDA Pro, providing a seamless workflow for reverse engineers
- Offers a wide range of scripts and plugins specifically designed for malware analysis
- Provides advanced features like function identification and code analysis within the IDA environment
Cons of flare-ida
- Requires IDA Pro, which is a commercial and expensive tool
- Has a steeper learning curve due to its integration with IDA and more advanced features
- May be overkill for simpler reverse engineering tasks that don't require IDA's full capabilities
Code Comparison
flare-ida (Python script example):
import idaapi
import idc

def analyze_function():
    # Look up the function containing the address under the cursor in IDA
    ea = idc.get_screen_ea()
    func = idaapi.get_func(ea)
    if func:
        print(f"Analyzing function at {hex(func.start_ea)}")
flare-floss (Python usage example; FLOSS is a command-line tool, so it is invoked as a subprocess and its JSON report is parsed):
import json, subprocess

# Run FLOSS with JSON output and skip static strings (FLOSS 2.x flag syntax)
proc = subprocess.run(["floss", "--json", "--no", "static", "--", "malware_sample.exe"],
                      capture_output=True, text=True, check=True)
report = json.loads(proc.stdout)
for s in report["strings"]["stack_strings"]:  # keys as in FLOSS's JSON result document
    print(s["string"])
While flare-ida is more tightly integrated with IDA Pro and offers advanced analysis capabilities, flare-floss is a standalone tool focused on string extraction and can be more easily incorporated into automated workflows without requiring IDA Pro.
Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
Pros of pe-sieve
- Focused specifically on detecting and analyzing process hollowing and other in-memory malware techniques
- Lightweight and fast, designed for real-time scanning of running processes
- Provides detailed reports on detected anomalies and modifications in PE files
Cons of pe-sieve
- More limited in scope compared to FLOSS's broader static analysis capabilities
- Requires the analyzed process to be running, unlike FLOSS which can work with static files
- Less extensive documentation and community support compared to FLOSS
Code Comparison
pe-sieve (scanning a process):
pesieve::scan_report* scan_report = pesieve::scan_process(pid, args);
if (scan_report->suspicious) {
    // Handle suspicious process
}
FLOSS (extracting strings; run as a subprocess with JSON output, since FLOSS is a command-line tool):
import json, subprocess

binary_path = "sample.exe"  # path to the file under analysis
proc = subprocess.run(["floss", "--json", "--no", "static", "--", binary_path],
                      capture_output=True, text=True, check=True)
report = json.loads(proc.stdout)
for s in report["strings"]["stack_strings"]:  # keys as in FLOSS's JSON result document
    print(s["string"])
Both tools serve different purposes in malware analysis. pe-sieve excels at detecting runtime modifications and in-memory malware, while FLOSS focuses on static analysis and string extraction from binaries. The choice between them depends on the specific analysis requirements and the type of malware being investigated.
A collection of software installation scripts for Windows systems that allows you to easily set up and maintain a reverse engineering environment on a VM.
Pros of flare-vm
- Comprehensive malware analysis environment with pre-installed tools
- Easy setup and configuration for Windows-based analysis
- Regular updates and community support
Cons of flare-vm
- Larger resource footprint due to full VM environment
- Limited to Windows platform
- Requires more setup time compared to standalone tools
Code comparison
While a direct code comparison isn't applicable due to the different nature of these projects, we can look at how they're typically used:
flare-vm:
cinst -y flarevm
flare-floss:
floss suspicious_file.exe
Summary
flare-vm is a comprehensive malware analysis environment, while flare-floss is a specialized tool for string extraction. flare-vm provides a full suite of tools but requires more resources, while flare-floss is lightweight and focused on a specific task. The choice between them depends on the analyst's needs and available resources.
FakeNet-NG - Next Generation Dynamic Network Analysis Tool
Pros of flare-fakenet-ng
- Simulates network services to analyze malware behavior
- Provides a more comprehensive network environment simulation
- Useful for dynamic analysis of network-dependent malware
Cons of flare-fakenet-ng
- More complex setup and configuration required
- Limited to network-related analysis
- May not be as effective for static analysis of binaries
Code comparison
flare-fakenet-ng:
import threading

def start_listener(listener):
    # Run each fake network service in its own daemon thread
    thread = threading.Thread(target=listener.start, args=())
    thread.daemon = True
    thread.start()
flare-floss:
def extract_strings(vw, function_address):
    # Collect the ASCII strings found in one function of the vivisect workspace
    strings = []
    for s in extract_ascii_strings(vw, function_address):
        strings.append(s)
    return strings
Summary
flare-fakenet-ng focuses on network simulation for malware analysis, while flare-floss is primarily used for static analysis and string extraction from binaries. flare-fakenet-ng offers a more comprehensive environment for analyzing network-dependent malware but requires more setup. flare-floss is simpler to use and better suited for quick string analysis of executables. The choice between the two depends on the specific analysis needs and the type of malware being investigated.
README
FLARE Obfuscated String Solver
The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically extract and deobfuscate all strings from malware binaries. You can use it just like strings.exe to enhance the basic static analysis of unknown binaries.
Obfuscated Strings
Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility that we commonly use during basic static analysis.
FLOSS extracts all the following string types:
- static strings: "regular" ASCII and UTF-16LE strings
- stack strings: strings constructed on the stack at run-time
- tight strings: a special form of stack strings, decoded on the stack
- decoded strings: strings decoded in a function
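To make the stack-string case concrete, here is an added example (not code from the FLOSS project): a constructed byte sequence of single-byte stack stores hides a string from a strings.exe-style scan, and a toy replay of those stores recovers it. The opcode pattern, the sample string and all helper names are assumptions for illustration; FLOSS does the same job with a real x86 emulator over each function.

```python
import re

# Constructed sample: the code a compiler emits for a stack string, a run of
# `mov byte [ebp+disp8], imm8` (opcode C6 45 disp imm) that stores
# "settings.ini\0" one character at a time. No contiguous ASCII run exists.
def build_stack_string_code(s: bytes, base_offset: int = -0x20) -> bytes:
    code = bytearray()
    for i, ch in enumerate(s + b"\0"):
        code += bytes([0xC6, 0x45, (base_offset + i) & 0xFF, ch])
    return bytes(code)

SAMPLE = build_stack_string_code(b"settings.ini")

def naive_strings(buf: bytes, min_len: int = 4) -> list:
    """strings.exe-style scan: contiguous runs of >= min_len printable ASCII."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, buf)]

def recover_stack_strings(code: bytes, min_len: int = 4) -> list:
    """Replay each byte store into a model of the stack frame, then read back
    contiguous printable runs terminated by a NUL or a gap in the frame."""
    frame = {}
    i = 0
    while i + 4 <= len(code):
        if code[i] == 0xC6 and code[i + 1] == 0x45:  # mov byte [ebp+disp8], imm8
            disp = code[i + 2] - 0x100 if code[i + 2] >= 0x80 else code[i + 2]
            frame[disp] = code[i + 3]
            i += 4
        else:
            i += 1  # not our pattern; a real tool would disassemble instead
    found, cur, prev = [], bytearray(), None
    for off in sorted(frame):
        byte = frame[off]
        contiguous = prev is not None and off == prev + 1
        if not contiguous or byte == 0 or not 0x20 <= byte <= 0x7E:
            if len(cur) >= min_len:
                found.append(cur.decode("ascii"))
            cur = bytearray()
        if 0x20 <= byte <= 0x7E:
            cur.append(byte)
        prev = off
    if len(cur) >= min_len:
        found.append(cur.decode("ascii"))
    return found

if __name__ == "__main__":
    print("strings-style scan:", naive_strings(SAMPLE))          # []
    print("stack-string replay:", recover_stack_strings(SAMPLE))  # ['settings.ini']
```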
Please review the theory behind FLOSS here.
Our blog post talks more about the motivation behind FLOSS and details how the tool works.
FLOSS version 2.0 updates are detailed in this blog post.
Language-specific Strings
Not all compilers use string formats that the classic strings.exe algorithm supports; for example, strings may be UTF-8 encoded or stored without a NULL terminator. FLOSS can identify and extract strings from programs compiled from the following languages:
- Go
- Rust
The compiler-specific strings FLOSS extracts are much easier for humans to inspect.
Please consult the documentation to learn more about the language-specific string extraction.
Installation
To use FLOSS, download a standalone executable file from the releases page: https://github.com/mandiant/flare-floss/releases
See the installation documentation for a detailed description of all methods to install FLOSS.
Usage Examples
Extract obfuscated strings from a malware binary:
$ floss malware.exe
Only extract stack and tight strings:
$ floss --only stack tight -- suspicious.exe
Do not extract static strings:
$ floss --no static -- backdoor.exe
Display the help/usage screens:
$ floss -h # show core arguments
$ floss -H # show all supported arguments
For a detailed description of using FLOSS, review the documentation here.
Scripts
FLOSS also contains additional Python scripts in the scripts directory which can be used to load its output into other tools such as Binary Ninja or IDA Pro. For a detailed description of these scripts, review the documentation here.