usage.md

FLARE Obfuscated String Solver

Usage

You can use FLOSS just like you'd use strings.exe to extract human-readable strings from binary data. The enhancement that FLOSS provides is that it statically analyzes executable files and decodes obfuscated strings. These include:

• strings encrypted in global memory or deobfuscated onto the heap
• strings manually created on the stack (stackstrings)
• strings created on the stack and then further modified (tight strings)

Since FLOSS also extracts static strings (like strings.exe), you should consider replacing strings.exe with FLOSS within your analysis workflow.

Here's a summary of the command line flags and options you can provide to FLOSS to modify its behavior.

See floss -h for all supported arguments and usage examples. This displays the most used arguments only.

To see all supported arguments run floss -H.

Extract static, obfuscated, and stack strings (default mode)

floss.exe malware.exe

The default mode for FLOSS is to extract the following string types from an executable file:

• static ASCII and UTF-16LE strings
• stack strings
• tight strings
• obfuscated strings

See the section on Shellcode analysis below on how to analyze raw binary files containing shellcode.

By default, FLOSS uses a minimum string length of four (4).

Language-specific strings

FLOSS can identify programs compiled from selected programming languages and extract strings that are easier to inspect by humans.

By default, this process is automatic. However, you can use the --language argument to manually select or disable this feature.

Disable string type extraction (--no {static,decoded,stack,tight})

When FLOSS searches for static strings, it looks for human-readable ASCII and UTF-16 strings across the entire binary contents of the file. This means you may be able to replace strings.exe with FLOSS in your analysis workflow. However, you may disable the extraction of static strings via the --no static switch.

floss.exe --no static -- malware.exe

Since --no supports multiple arguments, end the command options with a double dash --.

Analogous, you can disable the extraction of obfuscated strings, stackstrings or any combination.

floss.exe --no decoded -- malware.exe
floss.exe --no stack tight -- malware.exe

Enable string type extraction (--only {static,decoded,stack,tight})

Sometimes it's easier to specify only the string type(s) you want to extract. Use the --only option for that.

floss.exe --only decoded -- malware.exe

Please note that --no and --only cannot be used at the same time.

Write output as JSON (-j/--json)

Write FLOSS results to stdout structured in JSON to make it easy to ingest by a script.

floss.exe -j malware.exe > malware_strings.json

Load FLOSS results (-l/--load)

Load a FLOSS results JSON document. This allows to explore FLOSS results without re-running the analysis.

floss.exe -l malware_floss_results.json

Verbose results (-v)

Enable verbose results output, e.g. including function offsets and string encoding. This does not affect the JSON output.

floss.exe -v malware.exe

Quiet mode (-q/--quiet)

You can suppress the formatting of FLOSS output by providing the flags -q or --quiet. These flags are appropriate if you will pipe the results of FLOSS into a filtering or searching program such as grep, and want to avoid matches on the section headers. In quiet mode, each recovered string is printed on its own line. The "type" of the string (static, decoded, stackstring, tightstring) is not included.

 floss.exe -q malware.exe

Minimum string length (-n/--minimum-length)

By default, FLOSS searches for human-readable strings with a length of at least four characters. You can use the -n or --minimum-length options to specific a different minimum length. Supplying a larger minimum length reduces the chances of identifying random data that appears to be ASCII; however, FLOSS may then pass over short legitimate human-readable strings

floss.exe -n 10 malware.exe

Decoding function specification (--functions)

You can instruct FLOSS to decode the strings provided to specific functions by using the --functions option. By default, FLOSS uses heuristics to identify decoding routines in malware. This mode circumvents the identification phase and skips directly to the decoding phase. If you've previously done analysis on an executable program and manually identified the decoding routines, use this mode. This can improve performance as FLOSS by perhaps one-third (on the order of seconds, so it is usually not worth it to always manually identify decoding routines). Specify functions by using their hex-encoded virtual address.

floss.exe --functions 0x401000 0x402000 malware.exe

Install/Uninstall right click menu option for Windows (--install-right-click-menu/--uninstall-right-click-menu)

You can use the --install-right-click-menu and --uninstall-right-click-menu options to install/remove the Open with FLOSS option from the right-click menu of the Windows file explorer.

After this option is installed, you can right-click on any file and select Open with FLOSS to quickly open the target file with FLOSS for analysis.

Shellcode analysis options

Malicious shellcode often times contains obfuscated strings or stackstrings. FLOSS can analyze raw binary files containing shellcode via the -f/--format switch. All options mentioned above can also be applied when analyzing shellcode.

floss.exe -f sc32 malware.raw32
floss.exe -f sc64 malware.raw64