
fireeye / Flare Floss

Licence: apache-2.0
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.

Programming Languages

python
139335 projects - #7 most used programming language

Projects that are alternatives of or similar to Flare Floss

decrypticon
Java-layer Android Malware Simplifier
Stars: ✭ 17 (-99.16%)
Mutual labels:  malware, deobfuscation
flashmingo
Automatic analysis of SWF files based on some heuristics. Extensible via plugins.
Stars: ✭ 117 (-94.21%)
Mutual labels:  malware, fireeye-flare
Simplify
Android virtual machine and deobfuscator
Stars: ✭ 3,865 (+91.34%)
Mutual labels:  malware, deobfuscation
stringsifter
A machine learning tool that ranks strings based on their relevance for malware analysis.
Stars: ✭ 567 (-71.93%)
Mutual labels:  strings, fireeye-flare
Dex Oracle
A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis
Stars: ✭ 398 (-80.3%)
Mutual labels:  malware, deobfuscation
Mass Rat
Basic Multiplatform Remote Administration Tool - Xamarin
Stars: ✭ 127 (-93.71%)
Mutual labels:  malware
Ypsilon
Automated Use Case Testing
Stars: ✭ 135 (-93.32%)
Mutual labels:  malware
Awesome Hacking Resources
A collection of hacking / penetration testing resources to make you better!
Stars: ✭ 11,466 (+467.62%)
Mutual labels:  malware
Java Ds Algorithms
Data Structures and Algorithms in Java
Stars: ✭ 125 (-93.81%)
Mutual labels:  strings
Binsnitch
Detect silent (unwanted) changes to files on your system
Stars: ✭ 144 (-92.87%)
Mutual labels:  malware
Samsung Firmware Magic
Tool for decrypting the firmware files for Samsung SSDs
Stars: ✭ 138 (-93.17%)
Mutual labels:  deobfuscation
Uitkyk
Runtime memory analysis framework to identify Android malware
Stars: ✭ 133 (-93.42%)
Mutual labels:  malware
Kite
🪁 Android Resources Wrapper Library
Stars: ✭ 127 (-93.71%)
Mutual labels:  strings
Guide To Swift Strings Sample Code
Xcode Playground Sample Code for the Flight School Guide to Swift Strings
Stars: ✭ 136 (-93.27%)
Mutual labels:  strings
Deathransom
A ransomware developed in python, with bypass technics, for educational purposes.
Stars: ✭ 126 (-93.76%)
Mutual labels:  malware
Pafish
Pafish is a testing tool that uses different techniques to detect virtual machines and malware analysis environments in the same way that malware families do
Stars: ✭ 2,026 (+0.3%)
Mutual labels:  malware
Mba
Malware Behavior Analyzer
Stars: ✭ 125 (-93.81%)
Mutual labels:  malware
Threadboat
Program Uses Thread Execution Hijacking To Inject Native Shell-code Into a Standard Win32 Application
Stars: ✭ 132 (-93.47%)
Mutual labels:  malware
Sheep Wolf
Wolves Among the Sheep
Stars: ✭ 138 (-93.17%)
Mutual labels:  malware
Practicalmalwarelabs
Keep track of the labs from the book "Practical Malware Analysis"
Stars: ✭ 130 (-93.56%)
Mutual labels:  malware


FLARE Obfuscated String Solver

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility that we commonly use during basic static analysis.

The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries. You can use it just like strings.exe to enhance basic static analysis of unknown binaries.

Please review the theory behind FLOSS here. Our blog post talks more about the motivation behind FLOSS and details how the tool works.
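The following script illustrates the point made above: a plain strings pass (ASCII and UTF-16) over a binary reports only plaintext runs, and a string the author has encoded stays invisible until the decoding routine is applied. This is an added example, not FLOSS code or the project's method; the sample bytes, the single-byte XOR key, the region offset and the name floss_like_report are all constructed for this demonstration. FLOSS emulates whatever decoding routine a real sample contains and does not assume XOR.

```python
"""Toy illustration of why a plain 'strings' pass misses obfuscated data.

Constructed example, not FLOSS code. The sample bytes, the XOR key and the
decoding routine are all made up for this demonstration.
"""
import re

MIN_LEN = 4  # same default minimum length the strings utility uses

# --- constructed sample "binary" (not a real malware file) -----------------
XOR_KEY = 0xA5                       # assumption: single-byte XOR obfuscation
PLAIN_STR = b"WS2_32.dll"            # an import name, visible to strings
WIDE_STR = "ProxyServer"             # a UTF-16LE string, visible to strings
SECRET_STR = b"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"
ENCODED = bytes(b ^ XOR_KEY for b in SECRET_STR)   # hidden from strings

HEADER = b"MZ\x90\x00"
SAMPLE = (HEADER + PLAIN_STR + b"\x00\x00" + ENCODED + b"\x00\x00"
          + WIDE_STR.encode("utf-16-le") + b"\x00\x00")
# Offset and length a decoding routine would receive as arguments. A static
# analysis would recover them from the call site; here we simply know them.
ENCODED_OFFSET = len(HEADER) + len(PLAIN_STR) + 2
ENCODED_LEN = len(SECRET_STR)


def static_ascii_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Runs of printable ASCII bytes, which is what strings.exe reports."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def static_utf16_strings(data: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Runs of printable ASCII characters stored as UTF-16LE (char, NUL)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def decode_region(data: bytes, offset: int, length: int, key: int) -> list[str]:
    """Stand-in for a decoding routine found in the binary: XOR one region
    and return the strings it reveals. FLOSS emulates whatever routine the
    sample actually contains; this single-byte XOR is only an example."""
    decoded = bytes(b ^ key for b in data[offset:offset + length])
    return static_ascii_strings(decoded)


def floss_like_report(data: bytes) -> dict[str, list[str]]:
    """Group results the way the FLOSS sample output on this page is grouped
    (hypothetical helper; stack strings are not modelled here)."""
    return {
        "static ASCII strings": static_ascii_strings(data),
        "static UTF-16 strings": static_utf16_strings(data),
        "decoded strings": decode_region(data, ENCODED_OFFSET, ENCODED_LEN, XOR_KEY),
    }


def hidden_from_strings(data: bytes) -> list[str]:
    """Decoded strings that neither static pass would have shown."""
    visible = set(static_ascii_strings(data)) | set(static_utf16_strings(data))
    return [s for s in floss_like_report(data)["decoded strings"] if s not in visible]


if __name__ == "__main__":
    for section, strings in floss_like_report(SAMPLE).items():
        print(f"FLOSS-style {section} ({len(strings)})")
        for s in strings:
            print(s)
        print()
```

Running the script shows the registry path only under "decoded strings"; the static passes report just the import name and the UTF-16 value, which is exactly the gap a basic strings pass leaves open when analysing a sample like the one in the output below.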

Quick Run

To try FLOSS right away, download a standalone executable file from the releases page: https://github.com/mandiant/flare-floss/releases

For a detailed description of installing FLOSS, review the documentation here.

Usage

Extract obfuscated strings from a malware binary:

$ floss /path/to/malware/binary

Display the help/usage screen to see all available switches.

$ ./floss -h

For a detailed description of using FLOSS, review the documentation here.

For a detailed description of testing FLOSS, review the documentation here.

Sample Output

$ floss malware.bin
FLOSS static ASCII strings
!This program cannot be run in DOS mode.
_YY
RichYY
MdfQ
.text
`.rdata
@.data
.idata
.didat
.reloc
U  F
?;}
A@;E
_^[
HttHt-H
'9U
WS2_32.dll
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
Sleep
GetLastError
DeleteFileA
WriteFile
[..snip...]

FLOSS static UTF-16 strings
,%d

FLOSS decoded 4 strings
WinSta0\Default
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer

FLOSS extracted 81 stack strings
WinSta0\Default
'%s' executed.
ERR '%s' error[%d].
Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
ProxyEnable
ProxyServer
wininet.dll
InternetOpenA
0\A4
InternetSetOptionA
InternetConnectA
InternetQueryOptionA
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
-ERR
FILE(%s) wrote(%d).
Invalid ojbect.
SetFilepoint error[%d].
b64_ntop error[%d].
GetFileSize error[%d].
Creates file error[%d].
KCeID5Y/96QTJc1pzi0ZhEBqVG83OnXaL+oxsRdymHS4bFgl7UrWfP2v=wtjNukM
[..snip...]