The FireEye Labs Obfuscated String Solver (FLOSS) is an open source
tool that automatically detects, extracts, and decodes obfuscated
strings in Windows Portable Executable (PE) files. Malware analysts,
forensic investigators, and incident responders can use FLOSS to
quickly extract sensitive strings to identify indicators of compromise (IOCs).
Malware authors encode strings in their programs to hide malicious
capabilities and impede reverse engineering. Even simple encoding
schemes defeat the ‘Strings’ tool and complicate static and dynamic
analysis. FLOSS uses advanced static analysis techniques, such as
emulation, to deobfuscate encoded strings.
Incident responders and forensic analysts who understand how to
interpret the strings found in a binary will understand FLOSS’s
output. FLOSS extracts higher value strings, as strings that are
obfuscated typically contain the most sensitive configuration
resources – including malicious domains, IP addresses, suspicious file
paths, and other IOCs.
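To make the two points above concrete (a simple encoding defeats a plain ‘Strings’ pass, and the strings that come back from decoding are the ones most likely to carry IOCs), here is an added Python example. It is not FLOSS code and not from this page: it builds a constructed byte buffer standing in for a PE file, runs a minimal ‘strings’ extractor over it, brute-forces every single-byte XOR key (one of the simple schemes the text has in mind), and keeps only decoded runs that look like IOCs (URL, IPv4, domain, Windows path). That last filter is a crude stand-in for the false-positive filtering described in the 1.5 release note; the sample bytes, the key 0xAB, the hostnames and the short TLD allowlist are all assumptions made for the demonstration.

```python
import re

# ---- Constructed sample: stands in for the raw bytes of a PE file ----------
# A cleartext banner and a cleartext path, as 'strings' would see them, plus a
# URL hidden behind a single-byte XOR (key 0xAB) so every encoded byte has its
# high bit set and no printable run can cover it. All values are made up.
XOR_KEY = 0xAB
HIDDEN_URL = b"http://malicious.example.com/gate.php"
ENCODED = bytes(b ^ XOR_KEY for b in HIDDEN_URL)
SAMPLE = (
    b"MZ\x00\x00"
    + b"This program cannot be run in DOS mode\x00\x00"
    + b"C:\\Windows\\Temp\\dropper.exe\x00\x00"
    + ENCODED
    + b"\x00\x00"
)

# IOC shapes an analyst looks for in decoded-string output. The TLD allowlist
# is a deliberately small sample for the example, not a complete list.
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|info|ru)\b", re.I),
    "winpath": re.compile(r"\b[A-Za-z]:\\[^\s\"']+"),
}


def printable_runs(data, min_len=4):
    """Minimal 'strings': (offset, text) for runs of >= min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def classify(text):
    """Return (kind, match) pairs for every IOC pattern found in text."""
    hits = []
    for kind, pat in IOC_PATTERNS.items():
        hits.extend((kind, m.group()) for m in pat.finditer(text))
    return hits


def xor_decoded_iocs(data, min_len=8):
    """Try every single-byte XOR key over data and keep only decoded runs that
    (a) were not already visible as cleartext and (b) contain an IOC-shaped
    substring. (b) is the false-positive filter: most keys turn arbitrary
    bytes into printable junk, and only IOC-shaped results are worth reporting."""
    plain = [(off, off + len(s)) for off, s in printable_runs(data)]
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    results = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        for m in pat.finditer(decoded):
            # Skip runs that mostly overlap text already readable in cleartext;
            # those are just the cleartext re-encoded under some other key.
            overlap = sum(max(0, min(m.end(), e) - max(m.start(), s)) for s, e in plain)
            if overlap * 2 >= len(m.group()):
                continue
            for kind, ioc in classify(m.group().decode("ascii")):
                results.append((key, m.start(), kind, ioc))
    return results


if __name__ == "__main__":
    print("cleartext strings (what a plain 'strings' pass shows):")
    for off, s in printable_runs(SAMPLE):
        print(f"  {off:5d}  {s!r}  {classify(s)}")
    print("IOCs recovered by single-byte XOR brute force:")
    for key, off, kind, ioc in xor_decoded_iocs(SAMPLE):
        print(f"  key=0x{key:02x} off={off} {kind}: {ioc}")
```

Running it shows the cleartext pass finding only the banner and the dropper path, while the XOR pass recovers the URL (and the domain inside it) at the encoded string's offset and reports no other key, because nothing else decodes to an IOC shape. Real samples use far more schemes than single-byte XOR, which is why FLOSS relies on emulation of the binary's own decoding routines rather than on guessing keys.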
Current Version: FLOSS 1.5
Release Date: May 8, 2017
FLOSS 1.5 introduces filtering of false positive deobfuscation
strings, improved heuristics and improved extraction of stackstrings,
additional API hooks, and improved emulation coverage.
- Supported Operating Systems: Windows, Linux, macOS