Hey there,
Should you ever need to extract human-readable strings from an unknown (and suspicious) binary, here’s VL.FLOSS! It conveniently wraps Mandiant’s FLARE Obfuscated String Solver (FLOSS) in a little-easy-to-use node.
It’s like Microsoft’s strings.exe but better. More details in this little article.
FLOSS is a commonly used tool in static malware analysis, where you’re trying to figure out what a potentially malicious binary is doing without running it.
You would typically look for function imports, callback URLs or any other clue that lets you figure out what the executable you’re looking at could do.
floss.exe weights 30MB, so I did not want to version it or distribute it in a nuget. What’s your opinion on that?
Happy flossing, and be careful when manipulating naughty files 🙃