{"id":13414938,"url":"https://github.com/mandiant/flare-floss","last_synced_at":"2025-05-12T13:22:51.814Z","repository":{"id":37433575,"uuid":"52993349","full_name":"mandiant/flare-floss","owner":"mandiant","description":"FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.","archived":false,"fork":false,"pushed_at":"2025-05-05T15:01:58.000Z","size":24728,"stargazers_count":3523,"open_issues_count":109,"forks_count":479,"subscribers_count":131,"default_branch":"master","last_synced_at":"2025-05-10T07:05:07.476Z","etag":null,"topics":["deobfuscation","flare","gsoc-2025","malware","malware-analysis","strings"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mandiant.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2016-03-02T20:16:10.000Z","updated_at":"2025-05-07T13:38:17.000Z","dependencies_parsed_at":"2023-02-10T04:00:41.468Z","dependency_job_id":"a9949bc1-ef8e-4946-bf6e-d9772d6df62f","html_url":"https://github.com/mandiant/flare-floss","commit_stats":{"total_commits":856,"total_committers":35,"mean_commits":"24.457142857142856","dds":0.7021028037383177,"last_synced_commit":"8b137f97190d351108478c0e1188fbee638d908c"},"previous_names":["fireeye/flare-floss"],"tags_count":30,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-floss","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2
Fflare-floss/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-floss/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mandiant%2Fflare-floss/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mandiant","download_url":"https://codeload.github.com/mandiant/flare-floss/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253377267,"owners_count":21898938,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["deobfuscation","flare","gsoc-2025","malware","malware-analysis","strings"],"created_at":"2024-07-30T21:00:40.095Z","updated_at":"2025-05-12T13:22:51.791Z","avatar_url":"https://github.com/mandiant.png","language":"Python","readme":"![PyPI - Python Version](https://img.shields.io/pypi/pyversions/flare-floss)\n[![Last release](https://img.shields.io/github/v/release/mandiant/flare-floss)](https://github.com/mandiant/flare-floss/releases)\n[![CI status](https://github.com/mandiant/flare-floss/actions/workflows/tests.yml/badge.svg)](https://github.com/mandiant/flare-floss/actions/workflows/tests.yml)\n[![Downloads](https://img.shields.io/github/downloads/mandiant/flare-floss/total)](https://github.com/mandiant/flare-floss/releases)\n[![License](https://img.shields.io/badge/license-Apache--2.0-green.svg)](LICENSE.txt)\n\n![FLOSS logo](https://github.com/mandiant/flare-floss/blob/master/resources/floss-logo.png)\n\n# FLARE Obfuscated String Solver\n\nThe FLARE Obfuscated String Solver (FLOSS, formerly FireEye Labs 
Obfuscated String Solver) uses advanced\nstatic analysis techniques to automatically extract and deobfuscate all strings from\nmalware binaries. You can use it just like `strings.exe` to enhance the\nbasic static analysis of unknown binaries.\n\n### Obfuscated Strings\n\nRather than heavily protecting backdoors with hardcore packers, many\nmalware authors evade heuristic detections by obfuscating only key\nportions of an executable. Often, these portions are strings and resources\nused to configure domains, files, and other artifacts of an infection.\nThese key features will not show up as plaintext in the output of the `strings.exe` utility\nthat we commonly use during basic static analysis.\n\nFLOSS extracts all the following string types:\n1. static strings: \"regular\" ASCII and UTF-16LE strings\n2. stack strings: strings constructed on the stack at run-time\n3. tight strings: a special form of stack strings, decoded on the stack\n4. decoded strings: strings decoded in a function\n\nPlease review the theory behind FLOSS [here](doc/theory.md).\n\nOur [blog post](https://www.mandiant.com/resources/automatically-extracting-obfuscated-strings) talks more about the motivation behind FLOSS and details how the tool works.\n\nFLOSS version 2.0 updates are detailed in this [blog post](https://www.mandiant.com/resources/floss-version-2).\n\n### Language-specific Strings\nNot all compilers use string formats that the classic `strings.exe` algorithm supports, for example when strings are UTF-8 encoded or stored without a NULL terminator. FLOSS can identify and extract strings from programs compiled from the following languages:\n 1. Go\n 2. Rust\n\nThe compiler-specific strings FLOSS extracts are much easier for humans to inspect.
\n\nPlease consult the documentation to learn more about the [language-specific string extraction](doc/language_specific_strings.md).\n\n## Installation\nTo use FLOSS, download a standalone executable file from the releases page:\nhttps://github.com/mandiant/flare-floss/releases\n\nSee the [installation documentation](doc/installation.md) for a detailed description of all methods to install FLOSS.\n\n## Usage Examples\nExtract obfuscated strings from a malware binary:\n\n    $ floss malware.exe\n\nOnly extract stack and tight strings:\n\n    $ floss --only stack tight -- suspicious.exe\n\nDo not extract static strings:\n\n    $ floss --no static -- backdoor.exe\n\nDisplay the help/usage screens:\n\n    $ floss -h  # show core arguments\n    $ floss -H  # show all supported arguments\n\nFor a detailed description of using FLOSS, review the documentation\n [here](doc/usage.md).\n\n## Scripts\nFLOSS also contains additional Python scripts in the [scripts](scripts) directory \nwhich can be used to load its output into other tools such as Binary Ninja or IDA Pro.\nFor a detailed description of these scripts, review the documentation [here](scripts/README.md).\n","funding_links":[],"categories":["Free books","Tools","Python","Malware Reversing","malware","malware-analysis","Blue Team","杀毒免杀_逆向工程"],"sub_categories":["Carving","Static Analysis","Deobfuscation \u0026 Unpacking","资源传输下载"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fflare-floss","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmandiant%2Fflare-floss","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmandiant%2Fflare-floss/lists"}