The FireEye Labs Obfuscated String Solver (FLOSS) automatically extracts obfuscated strings from Windows executables and shellcode. The tool integrates with various reverse engineering tools including IDA Pro, radare2, and x64dbg. In this post, I will show how to leverage strings that FLOSS decoded when reverse engineering malware using IDA Pro and debugging it using x64dbg.
Continue reading “Integrating FLOSS deobfuscated strings into IDA Pro and x64dbg”
Tutorial: How to use remote_lookup to resolve remote symbols
Introduction
Reverse engineering and tool development expert David Zimmer (dzzie, http://sandsprite.com) recently released remote_lookup, “a small tool which can scan a 32bit process and build an export name/address map which can be queried”. The tool is available on FireEye’s GitHub page at https://github.com/fireeye/remote_lookup.
remote_lookup can significantly speed up the analysis of malware that obfuscates its access to Windows API functions. David covers common malware techniques for such obfuscations in the blog post available at https://www.fireeye.com/blog/threat-research/2017/06/remote-symbol-resolution.html. The post also talks about the motivation of remote_lookup, common analysis techniques (and their shortcomings), the tool’s functionalities and how it can accelerate reverse engineering of obfuscated malware. I highly recommend reading his post – especially if you are going to continue reading this tutorial.
Continue reading “Tutorial: How to use remote_lookup to resolve remote symbols”