Wednesday, 26 August 2020

FLOSS [FireEye Labs Obfuscated String Solver]: a tool to retrieve stack strings.


Let's admit it: stack strings can sometimes be a lot of pain. They are one of the favorite methods of malware authors for hiding static strings without going. Stack strings allow them to hide strings in plain sight [so to say] and avoid the use of complicated obfuscation techniques. Authors can use packers instead, but these days analysts can easily identify packed malware based on its entropy level. Indeed, knowing that a sample is packed can itself help analysts take a different approach instead of wasting time reading packed code.

But stack strings leave no hints behind [mostly]. Thus analysts may lose a critical source of information for creating good host or network signatures of the malware for early detection.

Let us take the following malicious file:

Unknown.exe

If we use the Strings utility from the Sysinternals suite we get the following output:

These are utterly nonsensical strings that carry no information for us. This is not really a defect of the Strings utility. It is designed to look for contiguous blocks of memory that contain printable ASCII characters terminated with a null. The important word here is contiguous.

Malware authors exploit this by storing parts of a string separately. Then they construct the relevant string at run time by pushing these individual parts on the stack and retrieving the full string with a pop. Look at the following code:

The code belongs to the same file we ran the Strings utility on. The parts of the string are stored separately and pushed on the stack. Later a single pop retrieves a pointer to the whole string.

It is not that the Strings utility entirely missed these strings. We may miss them for one of the following two reasons:

  1. the length of an individual string part is smaller than the -n option set in the Strings utility
  2. the individual parts are nonsensical in themselves, so we may not recognize them as parts of a larger sensible string

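As an added illustration (not code from the original post or from the FLOSS project), the script below first reproduces what the Strings utility sees, contiguous printable runs, and then applies a crude heuristic, far simpler than FLOSS's emulation, that rebuilds a string from a run of x86 push-immediate instructions like the ones in the snippet above. The instruction bytes in SAMPLE are constructed for this example, not taken from Unknown.exe.

```python
import re
import struct

# Constructed sample (not bytes from the post's Unknown.exe): x86 code that
# builds "kernel32.dll" on the stack. Pushed first is the terminator, pushed
# last is the first chunk, so the dwords end up in memory order:
#   55 89 E5 | 6A 00 (push 0) | 68 ".dll" | 68 "el32" | 68 "kern" | 8B C4 C9 C3
SAMPLE = bytes.fromhex("5589e5" "6a00" "682e646c6c" "68656c3332" "686b65726e" "8bc4c9c3")


def strings_like(data: bytes, min_len: int = 3) -> list:
    """What Sysinternals Strings does: contiguous printable-ASCII runs of at
    least min_len bytes (its -n option). Opcode 0x68 is the letter 'h', so
    push-built strings surface as nonsense such as 'h.dllhel32hkern'."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def recover_stack_strings(data: bytes, min_len: int = 4) -> list:
    """Crude heuristic (not FLOSS's emulation): find runs of consecutive
    push imm32 (68 xx xx xx xx) / push imm8 (6A xx) instructions and join
    their immediates in reverse push order, i.e. their order on the stack."""
    found, i = [], 0
    while i < len(data):
        chunks, j = [], i
        while j < len(data):
            if data[j] == 0x68 and j + 5 <= len(data):
                chunks.append(data[j + 1:j + 5])
                j += 5
            elif data[j] == 0x6A and j + 2 <= len(data):
                # push imm8 sign-extends the byte to a full dword on the stack
                chunks.append(struct.pack("<i", struct.unpack("<b", data[j + 1:j + 2])[0]))
                j += 2
            else:
                break
        if not chunks:
            i += 1
            continue
        i = j  # step over the decoded instructions; never rescan their immediates
        if len(chunks) < 2:
            continue
        text = b"".join(reversed(chunks)).split(b"\x00", 1)[0]
        if len(text) >= min_len and all(0x20 <= b < 0x7F for b in text):
            found.append(text.decode("ascii"))
    return found
```

Running both functions on SAMPLE shows the two failure reasons side by side: Strings reports the single garbage run "h.dllhel32hkern", while the push-run heuristic returns "kernel32.dll".
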
So, what is the solution?

For one, we can proceed with IDA or OllyDbg to go through the code/execution to catch code snippets like the one shown above. Although not challenging, manually recovering stack strings in IDA Pro can be a cumbersome process. Besides, at the static analysis phase we are really in a hurry to get some concrete evidence out of the sample.

The second option is to use the FLOSS tool, which is the topic of our post today.

FLOSS: FireEye Labs Obfuscated String Solver

This tool by FireEye has considerably reduced the usefulness of the stack strings obfuscation technique.

What sets FLOSS apart from Strings is that it uses heuristics and code path emulation to recover strings that are constructed at runtime. We will not go into detail about how FLOSS works. You can read more here.

Let's dive right into the use of FLOSS.

You can run FLOSS in the same way as you ran Strings.exe. If we run FLOSS on the earlier Unknown.exe malware we get the following output:

The last string is the stack string extracted from the file. You can cross-check its content with the individual parts shown in the code snippet earlier. Such strings can make great malware signatures.

So there you go. Next time you come across a sample that seems to have no sensible strings whatsoever, be sure to run FLOSS.

Till next time, Cheers!
