MCPcopy
hub / github.com/mandiant/flare-floss

github.com/mandiant/flare-floss @v3.1.1 sqlite

repository ↗ · DeepWiki ↗ · release v3.1.1 ↗
402 symbols 1,421 edges 56 files 102 documented · 25%
README

PyPI - Python Version Last release CI status Downloads License

FLOSS logo

FLARE Obfuscated String Solver

The FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs Obfuscated String Solver) uses advanced static analysis techniques to automatically extract and deobfuscate all strings from malware binaries. You can use it just like strings.exe to enhance the basic static analysis of unknown binaries.

Obfuscated Strings

Rather than heavily protecting backdoors with hardcore packers, many malware authors evade heuristic detections by obfuscating only key portions of an executable. Often, these portions are strings and resources used to configure domains, files, and other artifacts of an infection. These key features will not show up as plaintext in the output of the strings.exe utility that we commonly use during basic static analysis.

FLOSS extracts all the following string types: 1. static strings: "regular" ASCII and UTF-16LE strings 2. stack strings: strings constructed on the stack at run-time 3. tight strings: a special form of stack strings, decoded on the stack 4. decoded strings: strings decoded in a function

Please review the theory behind FLOSS here.

Our blog post talks more about the motivation behind FLOSS and details how the tool works.

FLOSS version 2.0 updates are detailed in this blog post.

Language-specific Strings

Not all compilers use string formats that the classic strings.exe algorithm supports. For example, if strings are UTF-8 encoded or stored without a NULL-terminator. FLOSS can identify and extract strings from programs compiled from the following languages: 1. Go 2. Rust

The strings FLOSS extracts specific to a compiler are much easier to inspect by humans.

Please consult the documentation to learn more about the language-specific string extraction.

Installation

To use FLOSS, download a standalone executable file from the releases page: https://github.com/mandiant/flare-floss/releases

See the installation documentation for a detailed description of all methods to install FLOSS.

Usage Examples

Extract obfuscated strings from a malware binary:

$ floss malware.exe

Only extract stack and tight strings:

$ floss --only stack tight -- suspicious.exe

Do not extract static strings:

$ floss --no static -- backdoor.exe

Display the help/usage screens:

$ floss -h  # show core arguments
$ floss -H  # show all supported arguments

For a detailed description of using FLOSS, review the documentation here.

Scripts

FLOSS also contains additional Python scripts in the scripts directory which can be used to load its output into other tools such as Binary Ninja or IDA Pro. For detailed description of these scripts review the documentation here.

Core symbols most depended-on inside this repo

trace
called by 30
floss/logging_.py
sanitize
called by 12
floss/render/sanitize.py
hex
called by 11
floss/utils.py
get_runtime_diff
called by 9
floss/utils.py
error
called by 9
floss/main.py
format
called by 8
floss/logging_.py
render
called by 8
floss/render/default.py
extract_rust_strings
called by 7
floss/language/rust/extract.py

Shape

Function 233
Method 90
Class 78
Route 1

Languages

Python100%

Modules by API surface

floss/api_hooks.py49 symbols
floss/features/features.py41 symbols
floss/utils.py39 symbols
floss/results.py22 symbols
floss/language/utils.py19 symbols
floss/features/extract.py17 symbols
tests/conftest.py16 symbols
floss/render/default.py16 symbols
floss/main.py14 symbols
floss/stackstrings.py12 symbols
floss/identify.py12 symbols
floss/language/go/extract.py11 symbols

Dependencies from manifests, versioned

annotated-types0.7.0 · 1×
binary2strings0.1.13 · 1×
black24.4.2 · 1×
cfgv3.4.0 · 1×
click8.1.7 · 1×
colorama0.4.6 · 1×
coverage7.6.1 · 1×
cxxfilt0.3.0 · 1×
distlib0.3.8 · 1×
dncil1.0.2 · 1×
filelock3.16.1 · 1×
funcy2.0 · 1×

For agents

$ claude mcp add flare-floss \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact