docker_file_analysis/data/generated/wiki/workflows/string-deobfuscation-workflow.md
tobias e62a14dafc Add markdown wiki with 473 pages and zk browser
Generate interlinked wiki from master inventory: 397 tool pages,
15 workflow pages, 27 recipe pages, 33 category pages, plus index.
All pages use [[wiki-links]] for cross-navigation between tools,
workflows, recipes, and categories (1782 links total).

Install zk for interactive browsing with fzf search, tag filtering,
and backlink discovery. Add 'fhelp wiki' command and Makefile target.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 19:50:36 +01:00


String & Data Deobfuscation

Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding.

FOR610 Labs: 1.5, 5.2

Steps

Step 1: Automated Extraction

Tools: tools/floss, tools/strings

Start with FLOSS for automatic deobfuscation (static, stack and decoded strings). Compare its output against plain strings output to see what FLOSS recovered beyond the static strings. Run FLOSS with --no-static to list only the decoded strings.

floss specimen.exe
strings binary.exe

Step 2: Encoding Detection

Tools: tools/xorsearch, tools/bbcrack

Identify the encoding algorithm. XORSearch detects XOR encoding by searching for known plaintext (http:, MZ, This program) under every key. bbcrack brute-forces XOR, ROL and ADD transforms at multiple levels.

XORSearch -W -d 3 file.bin
bbcrack -l 1 specimen.dll

Step 3: Single-Byte XOR Recovery

Tools: tools/brxor-py, tools/xortool

For single-byte XOR: brxor.py brute-forces the key and reports candidates whose output contains English words. xortool guesses the key length and the most probable key. Decode with xortool-xor -s -i -o decoded.bin.

brxor.py specimen.dll
xortool <encoded_file>

Step 4: Multi-Byte / Custom Decoding

Tools: tools/translate-py, tools/cyberchef

For custom algorithms: translate.py applies a Python expression to every byte ('byte ^ key' or more complex expressions). Use CyberChef for visual recipe building (XOR → Base64 → Gunzip chains). Document the recipe so the decoding is reproducible.

translate.py "byte ^ 35" < input.bin > output.bin
cyberchef

Step 5: Stack String Recovery

Tools: tools/strdeob-pl, tools/floss

For strings built on the stack (MOV instructions writing the string byte-by-byte at runtime): use strdeob.pl or FLOSS stack string detection. This is common in evasive malware because the string never exists contiguously in the file, which defeats plain string extraction.

strdeob.pl specimen.exe
floss specimen.exe

Step 6: Validation & IOC Extraction

Review the decoded strings. Extract IOCs: C2 addresses, registry keys, file paths, API names, credentials. Compare them against known malware family patterns.
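Steps 2, 3 and 6 as an added worked example (not part of this wiki page, and not the code of XORSearch, brxor.py or xortool): brute-force a single-byte XOR key by scoring each candidate on known plaintext and printable ratio, then pull URL-shaped IOCs out of the decoded buffer. The specimen bytes, the marker list and the URL regex are constructed assumptions for illustration.

```python
import re
import string

# Known-plaintext markers from the XORSearch step, plus a printable-ratio fallback.
KNOWN_PLAINTEXT = (b"http:", b"MZ", b"This program")
PRINTABLE = frozenset(string.printable.encode())

def xor_single(data: bytes, key: int) -> bytes:
    """Apply one single-byte XOR key (XOR is its own inverse: encodes and decodes)."""
    return bytes(b ^ key for b in data)

def score(candidate: bytes) -> float:
    """Printable ratio (0..1) plus one point per known-plaintext hit, so a buffer that
    really contains 'http:' or a DOS stub outranks one that is merely printable."""
    printable = sum(1 for b in candidate if b in PRINTABLE) / max(len(candidate), 1)
    hits = sum(candidate.count(marker) for marker in KNOWN_PLAINTEXT)
    return printable + hits

def brute_force_xor(data: bytes, top: int = 3) -> list[tuple[int, float]]:
    """Rank all 255 non-zero keys, best first (key 0 is the identity; plain strings covers it)."""
    ranked = [(k, score(xor_single(data, k))) for k in range(1, 256)]
    ranked.sort(key=lambda kv: kv[1], reverse=True)
    return ranked[:top]

# Step 6: URL-shaped IOCs; the path class stops at NUL and other non-printable bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")

def extract_urls(decoded: bytes) -> list[str]:
    return [m.decode("ascii") for m in URL_RE.findall(decoded)]

def recover(blob: bytes) -> tuple[int, bytes, list[str]]:
    """Best key, decoded bytes and URL IOCs for a blob XORed with a single byte."""
    key, _ = brute_force_xor(blob, top=1)[0]
    decoded = xor_single(blob, key)
    return key, decoded, extract_urls(decoded)

# Constructed specimen (not real malware data): a C2 string and a DOS-stub fragment,
# XORed with key 35, the same key as the translate.py example in Step 4.
PLAINTEXT = b"http://c2.example.invalid:8080/gate.php\x00This program cannot be run in DOS mode\x00"
SPECIMEN = xor_single(PLAINTEXT, 35)

if __name__ == "__main__":
    key, decoded, urls = recover(SPECIMEN)
    print(f"key=0x{key:02x} urls={urls}")
    print(decoded)
```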

#strings #xor #deobfuscation #floss #cyberchef #encoding #workflow