mandiant / flare-floss

FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Apache License 2.0

Improve b2s or replace with custom code (unneeded wide strings support) #867

Open mr-tz opened 1 year ago

mr-tz commented 1 year ago

binary2strings reads utf8 and wide strings (we don't expect or require the latter for Rust strings extraction).

In rust-hello64.exe we see

[screenshot: 2023-08-28_15-09-13_ida64]

Which, parsed as a wide string starting at offset 0x1400BD04F, b2s sees as:

[screenshot: 2023-08-28_15-11-07_pycharm64]

We then filter out the wide string and end up with `args` in the final Rust strings output.

Bumping the min_string length to 6 also mitigates this, but we could then miss shorter strings.

Arker123 commented 1 year ago

So, should we work on implementing something similar to b2s using Python?

mr-tz commented 1 year ago

Yes, currently we only require a function to find UTF-8 strings though.
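As an added illustration, not code from the FLOSS project or from the commenters, here is a minimal UTF-8-only string finder of the kind the last comment asks for. It accepts only well-formed UTF-8 sequences, so a UTF-16LE string such as the `args` misparse above is never reported (its characters are separated by NUL bytes), while multi-byte UTF-8 survives intact. The sample buffer and the `FoundString`/`extract_utf8_strings` names are constructed for this example.

```python
import re
from typing import List, NamedTuple


class FoundString(NamedTuple):
    offset: int   # byte offset of the first byte of the string
    string: str   # decoded text


# A run of well-formed UTF-8 code points: printable ASCII (plus tab) or a
# complete multi-byte sequence. Overlongs and surrogates are rejected, so a
# stray lead byte without continuation bytes simply ends a run. A UTF-16LE
# string never matches as a run because every other byte is NUL.
UTF8_RUN = re.compile(
    rb"(?:[\x20-\x7e\t]"                   # 1-byte: printable ASCII and tab
    rb"|[\xc2-\xdf][\x80-\xbf]"            # 2-byte
    rb"|\xe0[\xa0-\xbf][\x80-\xbf]"        # 3-byte, no overlongs
    rb"|[\xe1-\xec\xee\xef][\x80-\xbf]{2}"
    rb"|\xed[\x80-\x9f][\x80-\xbf]"        # 3-byte, no surrogates
    rb"|\xf0[\x90-\xbf][\x80-\xbf]{2}"     # 4-byte, no overlongs
    rb"|[\xf1-\xf3][\x80-\xbf]{3}"
    rb"|\xf4[\x80-\x8f][\x80-\xbf]{2})+"   # 4-byte, <= U+10FFFF
)


def extract_utf8_strings(buf: bytes, min_length: int = 4) -> List[FoundString]:
    """Return UTF-8 strings of at least min_length characters (not bytes)."""
    found = []
    for m in UTF8_RUN.finditer(buf):
        text = m.group().decode("utf-8")  # safe: the regex admits only valid UTF-8
        if len(text) >= min_length:
            found.append(FoundString(m.start(), text))
    return found


# Constructed sample buffer mixing the cases the issue is about.
SAMPLE = (
    b"\x00\x00Hello from Rust\x00"               # offset 2: ASCII, reported
    + "args".encode("utf-16-le") + b"\x00\x00"   # offset 18: wide string, NOT reported
    + b"caf\xc3\xa9 \xe2\x9c\x93\x00"            # offset 28: multi-byte UTF-8, reported
    + b"\xc3\x28\x00"                             # offset 38: dangling lead byte, skipped
    + b"ok\x00"                                   # offset 41: shorter than min_length
)

if __name__ == "__main__":
    for s in extract_utf8_strings(SAMPLE):
        print(f"0x{s.offset:x}: {s.string!r}")
```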