Integrating FLOSS deobfuscated strings into IDA Pro and x64dbg

The FireEye Labs Obfuscated String Solver (FLOSS) automatically extracts obfuscated strings from Windows executables and shellcode. The tool integrates with various reverse engineering tools including IDA Pro, radare2, and x64dbg. In this post, I will show how to leverage strings that FLOSS decoded when reverse engineering malware using IDA Pro and debugging it using x64dbg.

For this analysis, I use a backdoor linked to APT28 and commonly referred to as Gamefish, Sednit, Seduploader, Jhuhugit, and Sofacy. The hash values of the file are:

I performed my analysis on a Windows 7 64-bit system setup with FLARE VM. If you haven’t heard about the project yet, you should really check out this malware analysis distribution at https://github.com/fireeye/flare-vm. Peter also describes the project in a blog post at https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html. FLARE VM already includes a wide variety of tools, including FLOSS and x64dbg.

FLOSS analysis

First, we run FLOSS on the sample to see the provided string deobfuscation results. As we are not interested in regular strings here, we disable showing them using the --no-static-strings command-line option. Listing 1 shows that FLOSS could deobfuscate 36 encoded strings and 14 stackstrings. The warning at the top of the output is related to vivisect’s vtrace module. It does not affect FLOSS’ analysis and can be ignored. Note, that updated FLOSS versions do no longer display the warning.


C:\Users\user\Desktop>floss --no-static-strings 211b7100fd799e9eaabeb13cfa446231.exe
WARNING:vtrace.platforms.win32:LoadLibrary c:\program files\python27\lib\site-packages\vtrace\platforms\windll\amd64\symsrv.dll: [Error 126] The specified module could not be found
WARNING:vtrace.platforms.win32:LoadLibrary c:\program files\python27\lib\site-packages\vtrace\platforms\windll\amd64\dbghelp.dll: [Error 126] The specified module could not be found

FLOSS decoded 36 strings
[file]
Execute
Delete
[/file]
www.google.com
192.111.146.185
192.111.146.185
w2f434g5Dt
.xml
rundll32.exe
FileName
PathToSave
Rundll
POST
Content-Type: application/x-www-form-urlencoded
0`AP
www.google.com
SYSTEM\CurrentControlSet\Services\Disk\Enum
POST
Content-Type: application/x-www-form-urlencoded
disk=
build=
POST
Content-Type: application/x-www-form-urlencoded
POST
Content-Type: application/x-www-form-urlencoded
CreateToolhelp32Snapshot
GetProcessHeap
GetProcessHeap
GetProcessHeap
GetProcessHeap
GetProcessHeap
GetProcessHeap
GetProcessHeap
GetProcessHeap
GetProcessHeap

FLOSS extracted 14 stackstrings
\profiles.ini
wininet.dll
InternetReadFile
network.proxy.http
Profile0
Basic
http=http://%s:%s
InternetCloseHandle
Path
network.proxy.http_port
WeelScrInit
Control Panel\Desktop
\Mozilla\Firefox
prefs.js

Finished execution after 15.682000 seconds
Listing 1: FLOSS analysis results

x64dbg integration

Let’s pull the analysis results into x64dbg. We can create a x64dbg database file using the --x64db command-line option. This will create a JSON file containing the decoded strings and their offsets. Figure 1 shows a screenshot of running the following command:

C:\Users\user\Desktop>floss --no-static-strings --x64dbg=211b7100fd799e9eaabeb13cfa446231_floss.json 211b7100fd799e9eaabeb13cfa446231.exe
Running FLOSS and writing x64dbg database file
Figure 1: Running FLOSS and writing x64dbg database file

Now we can open the sample in x64dbg and load the FLOSS analysis results.

Malware sample opened in x64dbg
Figure 2: Malware sample opened in x64dbg

In x64dbg’s main menu use File – Import database to load the created database file (see Figure 3).

Import FLOSS database file to add the decoded strings
Figure 3: Import FLOSS database file to add the decoded strings

x64dbg will indicate that the file has been loaded in its status bar at the bottom of the window (see Figure 4).

x64dbg status bar after loading the database file
Figure 4: x64dbg status bar after loading the database file

In this example decoded strings are added as comments to the decoding function calls, e.g. the function at offset 0x10003FD4 (see Figure 5). If FLOSS detects obfuscated data at a global memory location, the decoded strings are added at the respective global offset. FLOSS does currently not support stackstring annotations for x64dbg.

FLOSS decoded strings in x64dbg
Figure 5: FLOSS decoded strings in x64dbg

IDA Pro integration

Provide the --i/--ida command-line option to FLOSS to create an IDAPython script that annotates IDA Pro’s disassembly. Here is an example command:

C:\Users\user\Desktop>floss --no-static-strings --ida=211b7100fd799e9eaabeb13cfa446231_floss.py 211b7100fd799e9eaabeb13cfa446231.exe

The tool indicates that the file has been written successfully:

[...]
Wrote IDAPython script file to C:\Users\user\Desktop\211b7100fd799e9eaabeb13cfa446231_floss.py
[...]

After opening the sample in IDA Pro, we can execute the created IDAPython script to annotate the disassembly. Select File – Script File (Shortcut Alt+F7) and load the script (see Figure 6).

Executing FLOSS created IDAPython file in IDA Pro
Figure 6: Executing FLOSS created IDAPython file in IDA Pro

Figure 7 shows the script’s execution status information displayed in IDA Pro’s output window.

FLOSS IDAPython script status output
Figure 7: FLOSS IDAPython script status output

Figure 8 shows calls to the decoding routine at offset 0x10003FD4 that have been annotated with the decoded strings.

FLOSS decoded strings as comments in IDA Pro
Figure 8: FLOSS decoded strings as comments in IDA Pro

Figure 9 shows the FLOSS annotations from deobfuscated stackstrings. Each decoded stackstring is added as repeatable comment to the respective local variable. Hence, IDA Pro displays them whenever the local variable is referenced (see Figure 10).

FLOSS decoded stackstrings as repeatable comments on local variables
Figure 9: FLOSS decoded stackstrings as repeatable comments on local variables
Referenced deobfuscated stackstrings
Figure 10: Referenced deobfuscated stackstrings

Conclusion

This post discussed how the analysis of FLOSS can augment the analysis of malware in IDA Pro and x64dbg. Hopefully, I could show the benefit of pulling FLOSS results into both tools. While the process is straight-forward in either case, I am sure this step-by-step tutorial can be helpful – especially when you are doing it for the first time.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.