irt/docker_file_analysis
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
e62a14dafcfc5b5d8fea1babc97fea756f17f76e
docker_file_analysis/data/generated/workflows/string-deobfuscation-workflow.txt
T
tobias f3ccc09c3d Add FOR610 tool/workflow knowledge base and data pipeline 
Build comprehensive malware analysis knowledge base from 3 sources:
- SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes
- REMnux salt-states: 340 packages parsed from GitHub
- REMnux docs: 280+ tools scraped from docs.remnux.org

Master inventory merges all sources into 447 tools with help tiers
(rich/standard/basic). Pipeline generates: tools.db (397 entries),
397 cheatsheets with multi-tool recipes, 15 workflow guides, 224
TLDR pages, and coverage reports.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 17:38:15 +01:00

67 lines
2.4 KiB
Plaintext
Raw Blame History

============================================================
String & Data Deobfuscation
============================================================
Decode obfuscated strings and data in malware. Covers XOR, Base64, stack strings, custom algorithms, and multi-layer encoding.
Related FOR610 Labs: 1.5, 5.2
────────────────────────────────────────────────────────────
Step 1: Automated Extraction
Tools: floss, strings
Start with FLOSS for automatic deobfuscation (static +
stack + decoded strings). Compare against plain
strings output. FLOSS --no-static for only decoded
strings.
$ floss specimen.exe
$ strings binary.exe
Step 2: Encoding Detection
Tools: xorsearch, bbcrack
Identify encoding algorithm. XORSearch: detect XOR
with known plaintext (http:, MZ, This program).
bbcrack: brute-force XOR, ROL, ADD at multiple levels.
$ XORSearch -W -d 3 file.bin
$ bbcrack -l 1 specimen.dll
Step 3: Single-Byte XOR Recovery
Tools: brxor-py, xortool
For single-byte XOR: brxor.py <file> finds English
words. xortool <file> guesses key length and probable
key. xortool-xor -s <key> -i <file> -o decoded.bin to
decode.
$ brxor.py specimen.dll
$ xortool <encoded_file>
Step 4: Multi-Byte / Custom Decoding
Tools: translate-py, cyberchef
For custom algorithms: translate.py 'byte ^ key' or
complex expressions. CyberChef for visual recipe
building (XOR → Base64 → Gunzip chains). Document the
recipe.
$ translate.py "byte ^ 35" < input.bin > output.bin
$ cyberchef
Step 5: Stack String Recovery
Tools: strdeob-pl, floss
For strings built on the stack (MOV byte-by-byte):
strdeob.pl <file> or FLOSS stack string detection.
Common in evasive malware to avoid string extraction.
$ strdeob.pl specimen.exe
$ floss specimen.exe
Step 6: Validation & IOC Extraction
Review decoded strings. Extract IOCs: C2 addresses,
registry keys, file paths, API names, credentials.
Compare against known malware family patterns.
────────────────────────────────────────────────────────────
Tip: 'fhelp cheat <tool>' for full examples
'Ctrl+G' for interactive cheatsheet browser
Reference in New Issue View Git Blame Copy Permalink