Open garanews opened 8 years ago
Ran against wmp.dll, it took 35 minutes. Would need additional tooling so it can be used against process dumps, and we'd need to enforce a limit on how long it can run. Definitely not in a state where it can be a drop-in replacement for the existing strings processing.
-Brad
Have you ever run strings on a malware executable and its output provided you with IP addresses, file names, registry keys, and other indicators of compromise (IOCs)?
https://www.fireeye.com/blog/threat-research/2016/06/automatically-extracting-obfuscated-strings.html
https://github.com/fireeye/flare-floss
Algorithm:

1. Analyze control flow of malware to identify functions, basic blocks, etc.
2. Use heuristics to find potential decoding routines
3. Brute force emulate all code paths among basic blocks and functions
4. Snapshot emulator state (registers, memory) at appropriate points
5. Extract arguments to decoder functions from emulator snapshots
6. Emulate decoder functions using extracted arguments and emulator state
7. Diff memory state from before and after decoder emulation
8. Extract human-readable strings from memory state difference
Tool is released under Apache License 2.0. What do you think?
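As an added illustration of the last two steps of the algorithm quoted above (diff the memory snapshots taken before and after a decoder runs, then pull human-readable strings out of the bytes that changed), here is example code written for this thread. It is not FLOSS's own implementation: the single-byte XOR "decoder", the memory layout, and the sample strings are all constructed here, and the static `kernel32.dll` string is included only to show that the diff step suppresses strings a plain `strings` run would already report.

```python
"""Toy version of FLOSS steps 7-8: diff two emulator memory snapshots and
extract ASCII / UTF-16LE strings from the regions the decoder wrote.
Example code for illustration, not the FLOSS project's code."""
import re

MIN_LEN = 4
# printable ASCII runs, and UTF-16LE runs of printable chars followed by NUL
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def xor_decode(buf: bytes, key: int) -> bytes:
    """Stand-in for a malware decoding routine (constructed, single-byte XOR)."""
    return bytes(b ^ key for b in buf)


def changed_regions(before: bytes, after: bytes, merge_gap: int = 8):
    """Return (start, end) byte ranges that differ between two snapshots.

    Differences closer than merge_gap are merged into one region, so a
    decoded UTF-16 string (every other byte already NUL) or a string that
    shares a few bytes with the old memory contents is not split up."""
    if len(before) != len(after):
        raise ValueError("snapshots must cover the same memory range")
    regions = []
    start = last = None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            if start is None:
                start = i
            last = i
        elif start is not None and i - last > merge_gap:
            regions.append((start, last + 1))
            start = None
    if start is not None:
        regions.append((start, last + 1))
    return regions


def strings_from_diff(before: bytes, after: bytes):
    """Extract strings that exist only in memory the decoder modified."""
    found = []
    for s, e in changed_regions(before, after):
        # widen the window by one byte on each side so a leading/trailing
        # byte that happened to be unchanged does not truncate the string
        lo, hi = max(0, s - 1), min(len(after), e + 1)
        chunk = after[lo:hi]
        found.extend(m.group().decode("ascii") for m in ASCII_RE.finditer(chunk))
        found.extend(m.group().decode("utf-16-le") for m in UTF16_RE.finditer(chunk))
    return found


def build_snapshots():
    """Construct a before/after pair: one static string present in both
    snapshots, plus two encoded blobs that the 'decoder' writes out in clear
    to separate output buffers (all offsets and values are made up)."""
    key = 0x5A
    secret_ascii = b"http://config.example.invalid/gate.php"  # constructed sample
    secret_wide = "SOFTWARE\\Demo\\Run".encode("utf-16-le")  # constructed sample
    mem = bytearray(0x100)
    mem[0x10:0x10 + 12] = b"kernel32.dll"  # static, visible to plain strings
    mem[0x20:0x20 + len(secret_ascii)] = xor_decode(secret_ascii, key)
    mem[0x50:0x50 + len(secret_wide)] = xor_decode(secret_wide, key)
    before = bytes(mem)
    # emulate the decoder: read each encoded blob, write the decoded bytes
    mem[0x80:0x80 + len(secret_ascii)] = xor_decode(bytes(mem[0x20:0x20 + len(secret_ascii)]), key)
    mem[0xC0:0xC0 + len(secret_wide)] = xor_decode(bytes(mem[0x50:0x50 + len(secret_wide)]), key)
    after = bytes(mem)
    return before, after


if __name__ == "__main__":
    before, after = build_snapshots()
    for s in strings_from_diff(before, after):
        print(s)
```

Running the block prints only the two decoded strings; `kernel32.dll` never appears because it is identical in both snapshots, which is the property that lets this approach surface obfuscated indicators without re-reporting everything a normal strings pass already found.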