strings.exe
utility that we commonly use during basic static analysis.
strings.exe
to enhance basic static analysis of unknown binaries.
Quick Run
To try FLOSS right away, download a standalone executable file from the releases page: https://github.com/fireeye/flare-floss/releases
For a detailed description of installing FLOSS, review the documentation here.
Standalone nightly builds:
Usage
Extract obfuscated strings from a malware binary:
$ floss /path/to/malware/binary
Display the help/usage screen to see all available switches.
$ ./floss -h
For a detailed description of using FLOSS, review the documentation here.
For a detailed description of testing FLOSS, review the documentation here.
Sample Output
$ floss malware.bin
FLOSS static ASCII strings
!This program cannot be run in DOS mode.
_YY
RichYY
MdfQ
.text
`.rdata
@.data
.idata
.didat
.reloc
U F
?;}
[email protected];E
_^[
HttHt-H
'9U
WS2_32.dll
FreeLibrary
GetProcAddress
LoadLibraryA
GetModuleHandleA
GetVersionExA
MultiByteToWideChar
WideCharToMultiByte
Sleep
GetLastError
DeleteFileA
WriteFile
[..snip...]
FLOSS static UTF-16 strings
,%d
FLOSS decoded 4 strings
WinSta0Default
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
ProxyServer
FLOSS extracted 81 stack strings
WinSta0Default
'%s' executed.
ERR '%s' error[%d].
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
ProxyServer
wininet.dll
InternetOpenA
0A4
InternetSetOptionA
InternetConnectA
InternetQueryOptionA
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
-ERR
FILE(%s) wrote(%d).
Invalid ojbect.
SetFilepoint error[%d].
b64_ntop error[%d].
GetFileSize error[%d].
Creates file error[%d].
KCeID5Y/96QTJc1pzi0ZhEBqVG83OnXaL+oxsRdymHS4bFgl7UrWfP2v=wtjNukM
[..snip...]
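Triage helper for the output above. This is an added example, not part of FLOSS or its documentation. It splits the text output into sections using the header lines shown in the sample, lists the strings that only appear after decoding or stack-string extraction (the ones a plain strings.exe pass would not show), and flags sections whose listing is shorter than the count in their header. The function names are hypothetical, ASCII and UTF-16 static strings are merged into one "static" section, and the header wording is assumed to match this page's sample.

```python
import re

# Headers as worded in this page's sample output (other versions may differ).
HEADER = re.compile(r"^FLOSS (?:static (ASCII|UTF-16) strings|"
                    r"decoded (\d+) strings|extracted (\d+) stack strings)$")

def parse_floss_output(text):
    """Return ({section: [strings]}, {section: count declared in its header})."""
    sections, declared, current = {"static": [], "decoded": [], "stack": []}, {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = "static" if m.group(1) else "decoded" if m.group(2) else "stack"
            if current != "static":
                declared[current] = int(m.group(2) or m.group(3))
        elif current and line.strip() and line.strip() != "[..snip...]":
            sections[current].append(line)
    return sections, declared

def only_deobfuscated(sections):
    """Decoded/stack strings absent from the static listing, deduplicated."""
    static = set(sections["static"])
    found = sections["decoded"] + sections["stack"]
    return [s for s in dict.fromkeys(found) if s not in static]

def truncated(sections, declared):
    """Sections listing fewer strings than their header declares: (seen, declared)."""
    return {k: (len(sections[k]), n) for k, n in declared.items()
            if len(sections[k]) < n}

# Constructed input, abbreviated from the sample output above.
SAMPLE = r"""FLOSS static ASCII strings
WS2_32.dll
FLOSS static UTF-16 strings
,%d
FLOSS decoded 4 strings
WinSta0Default
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
ProxyServer
FLOSS extracted 81 stack strings
WinSta0Default
wininet.dll
Mozilla/4.0 (compatible; MSIE 7.0; Win32)
[..snip...]
"""

if __name__ == "__main__":
    secs, counts = parse_floss_output(SAMPLE)
    print(only_deobfuscated(secs), truncated(secs, counts))
```

A non-empty result from truncated() means the capture was cut (as with the snipped stack strings here), so the deobfuscated list should be treated as incomplete.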