flare-floss
are "global stackstrings" seen in the wild?
Malware that uses a stackstrings-like technique to initialize a global string will not be detected by the stackstrings extractor, since we currently inspect only the active stack frame. The decoding routine plugins also probably won't consider it suspicious.
So, is this something that's seen in the wild and worth supporting? Leave examples of samples with this behavior as comments to this issue.
Jay's script supports this type of decoding, since he heavily uses the vivisect emulator writelog to reconstruct strings. We could also enable the writelog and inspect memory regions written during a function's execution. Part of me worries about performance, but I don't think it will be serious enough to matter.
TODO:
- [x] dev/find test case, then
- [ ] track global stackstrings
Need to dev a test case, and then we can tackle the feature.
Yes. Example attached.
A single-byte XOR routine is inlined by the compiler into a constant number of DWORD- and BYTE-wise XOR operations against global data. This is difficult to detect (no loops) using the "floss" algorithms, but global stackstrings would catch this.

91b08896fbda9edb8b6f93a6bc811ec6
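The write-log approach discussed above, as an added example that is not FLOSS project code and not Jay's script. It models the inlined decoder from the attached sample (a single-byte XOR unrolled into DWORD stores followed by BYTE stores against a global buffer), records each store as a write-log entry, and then reconstructs strings from the memory regions written outside the stack rather than from the active stack frame. The `(pc, va, data)` record shape, the `GLOBAL_VA`, `KEY` and plaintext values, and the stack range are constructed assumptions for the demo, not vivisect's actual writelog format or data from the sample.

```python
"""Added example (not FLOSS code): find 'global stackstrings' by inspecting
the memory regions a function writes, instead of only the active stack frame.

Assumptions, none of which come from the issue: the emulator hands us write
records as (pc, va, data) tuples; the encoded global sits at GLOBAL_VA; the
decoder is a single-byte XOR that the compiler unrolled into DWORD and BYTE
stores; the stack occupies a known address range we can filter out.
"""
import struct
from typing import List, Optional, Tuple

Write = Tuple[int, int, bytes]   # (instruction address, target va, bytes written)

GLOBAL_VA = 0x00403000           # hypothetical .data address of the encoded global
KEY = 0x41                       # hypothetical single-byte XOR key
PLAINTEXT = b"C:\\Windows\\System32\\cmd.exe /c whoami"   # constructed sample string
ENCODED = bytes(b ^ KEY for b in PLAINTEXT)                # what would sit in .data


def inlined_xor_decoder(encoded: bytes, base_va: int, key: int,
                        pc: int = 0x401000) -> List[Write]:
    """Model the compiler's unrolled decoder: whole DWORDs first, then the
    leftover bytes, each as its own store. Returns the resulting write log."""
    log: List[Write] = []
    n_dwords, tail = divmod(len(encoded), 4)
    for i in range(n_dwords):
        off = i * 4
        (word,) = struct.unpack("<I", encoded[off:off + 4])
        word ^= key * 0x01010101            # key replicated into every byte of the DWORD
        log.append((pc, base_va + off, struct.pack("<I", word)))
        pc += 6                             # fake instruction length, for realism only
    for j in range(tail):
        off = n_dwords * 4 + j
        log.append((pc, base_va + off, bytes([encoded[off] ^ key])))
        pc += 3
    return log


def coalesce_writes(log: List[Write]) -> List[Tuple[int, bytes]]:
    """Merge byte- and dword-sized stores into contiguous regions keyed by va.
    Later writes overwrite earlier ones, as they would in memory."""
    mem = {}
    for _pc, va, data in log:
        for i, b in enumerate(data):
            mem[va + i] = b
    regions: List[Tuple[int, bytes]] = []
    for va in sorted(mem):
        if regions and regions[-1][0] + len(regions[-1][1]) == va:
            start, buf = regions[-1]
            regions[-1] = (start, buf + bytes([mem[va]]))
        else:
            regions.append((va, bytes([mem[va]])))
    return regions


def extract_strings(regions: List[Tuple[int, bytes]], min_len: int = 4) -> List[Tuple[int, str]]:
    """Pull printable-ASCII runs of at least min_len bytes out of each region."""
    found: List[Tuple[int, str]] = []
    for va, data in regions:
        run_start = None
        for i, b in enumerate(data + b"\x00"):   # sentinel closes the final run
            if 0x20 <= b < 0x7F:
                if run_start is None:
                    run_start = i
            else:
                if run_start is not None and i - run_start >= min_len:
                    found.append((va + run_start, data[run_start:i].decode("ascii")))
                run_start = None
    return found


def find_global_stackstrings(log: List[Write],
                             stack_range: Optional[Tuple[int, int]] = None,
                             min_len: int = 4) -> List[Tuple[int, str]]:
    """Strings reconstructed from writes outside the stack: the case the
    frame-only extractor misses. stack_range is [lo, hi), an assumed input."""
    if stack_range is not None:
        lo, hi = stack_range
        log = [w for w in log if not (lo <= w[1] < hi)]
    return extract_strings(coalesce_writes(log), min_len)


if __name__ == "__main__":
    log = inlined_xor_decoder(ENCODED, GLOBAL_VA, KEY)
    # a constructed stack write, which the existing stackstrings extractor already covers
    log.append((0x401200, 0x0012FF40, b"ABCD"))
    for va, s in find_global_stackstrings(log, stack_range=(0x00120000, 0x00130000)):
        print(f"{va:#010x}: {s}")
```

The stack filter is what separates this from the current extractor: with it, only the string assembled in `.data` is reported; without it the same routine also reports the stack write, so the two paths could share one pass over the write log. Note that the 37-byte plaintext deliberately produces nine DWORD stores plus one BYTE store, so the example exercises both halves of the unrolled decoder with no loop to pattern-match.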
