Quick Overview: Static Analysis Tool Floss for Malware Analysis

Floss (FLARE Obfuscated String Solver) is a static analysis tool for malware analysis, developed by Mandiant.

In short, it helps security researchers extract strings, including obfuscated ones, from malware samples.

This post gives a brief overview of what Floss does and how to use it.

Overview of tool Floss

Malware authors use various obfuscation techniques to hide sensitive strings and so extend the useful life of their malware. Floss extracts such obfuscated strings from malware samples.

Floss automates the manual reverse engineering techniques an analyst would otherwise use to decode strings by hand.

Algorithm of tool Floss

1) Identify decoding functions in the malware sample using heuristics
2) Extract the cross references to and arguments of those decoding functions
3) Emulate the decoder functions using the extracted arguments
4) Compare (diff) the memory state before and after emulating each decoder
5) Print the human-readable strings found in the changed memory
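To make steps 3 to 5 concrete, here is an added Python illustration (not Floss's own code) on a constructed memory snapshot: a hypothetical single-byte XOR routine stands in for the emulated decoder, and SRC, DST and KEY play the role of the arguments recovered in step 2.

```python
"""Toy walk-through of Floss steps 3-5: run a decoder over a memory snapshot,
diff memory before and after, and pull readable strings from what changed.
Added illustration, not Floss's own code: Floss emulates real x86 decoders,
here a hypothetical single-byte XOR routine stands in for one."""
import re
import string

# Constructed "process memory": padding, an XOR-encoded blob, free space.
KEY = 0x5A
PLAINTEXT = b"http://example.invalid/update\x00CreateRemoteThread\x00"
ENCODED = bytes(b ^ KEY for b in PLAINTEXT)
SRC, DST = 16, 16 + len(ENCODED)       # decoder arguments found in step 2
MEMORY_BEFORE = b"\x00" * SRC + ENCODED + b"\x00" * 64

# What counts as a human-readable string for step 5: 4+ printable bytes.
PRINTABLE = re.compile(b"[" + re.escape(
    (string.ascii_letters + string.digits + string.punctuation + " ").encode()) + b"]{4,}")

def emulate_xor_decoder(memory, src, length, dst, key):
    """Step 3 stand-in: the decoder copies `length` bytes from src to dst,
    XORing each with key, as a real decoder would when emulated."""
    buf = bytearray(memory)
    for i in range(length):
        buf[dst + i] = buf[src + i] ^ key
    return bytes(buf)

def diff_memory(before, after):
    """Step 4: every (offset, bytes) run that differs between snapshots."""
    assert len(before) == len(after), "snapshots must be the same size"
    changed, start = [], None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b and start is None:
            start = i                      # a run of changed bytes begins
        elif a == b and start is not None:
            changed.append((start, after[start:i]))
            start = None
    if start is not None:
        changed.append((start, after[start:]))
    return changed

def decoded_strings(before, after):
    """Steps 4-5 together: readable strings that exist only in changed memory,
    so static junk elsewhere in the snapshot never shows up."""
    return [m.group().decode() for _, data in diff_memory(before, after)
            for m in PRINTABLE.finditer(data)]

if __name__ == "__main__":
    after = emulate_xor_decoder(MEMORY_BEFORE, SRC, len(ENCODED), DST, KEY)
    print(decoded_strings(MEMORY_BEFORE, after))
```

Because only the bytes the decoder wrote are inspected, printable-looking junk inside the encoded blob itself is never reported, which is why the diff step matters.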

Installation - Method 1 - Using Python

Floss can be installed on both Windows and Linux systems. Make sure Python 3.8 or newer is available.

Step 1: Install Floss

$ pip install flare-floss

Step 2: Use Floss from a Python script

#!/usr/bin/env python
# Import the installed flare-floss package and list what it exposes.
import floss
print(dir(floss))

Installation - Method 2 - Standalone

Just download from the link: https://github.com/mandiant/flare-floss/releases/tag/v2.3.0

After downloading, Floss runs without any installation: the standalone build bundles the source code, a Python interpreter and everything else it needs.

Usage of Floss

To extract all strings from a malware sample:
floss malware-sample.exe

To extract only specific types of strings (here tight and decoded strings):
floss malware-sample.exe --only tight decoded

To highlight obfuscated strings by skipping the static ones:
floss malware-sample.exe --no static

Verbose output:
floss -v malware-sample.exe

Load previously saved Floss results (JSON):
floss -l results.json

Quiet mode, to suppress progress output:
floss -q malware-sample.exe

Shellcode input (32-bit and 64-bit):
floss -f sc32 malware-sample.raw32
floss -f sc64 malware-sample.raw64
