flare-floss
by mandiant
FLOSS automatically extracts and deobfuscates all strings from malware binaries using advanced static analysis techniques.
FLARE Obfuscated String Solver - Automatically extract obfuscated strings from malware.
Primary Use Case
FLOSS is primarily used by malware analysts and security researchers to enhance static analysis by revealing obfuscated strings within malware binaries that traditional tools like strings.exe miss. It helps uncover hidden configuration data, domains, and other artifacts critical for understanding malware behavior.
- Automatically extracts static, stack, tight, and decoded strings from binaries
- Supports extraction of language-specific strings from Go and Rust compiled programs
- Enhances traditional strings extraction by revealing obfuscated and runtime-constructed strings
- Provides additional Python scripts for integration with tools like Binary Ninja and IDA Pro
- Offers command-line interface with flexible options to filter string types
- Open source with active releases and CI testing
- Licensed under Apache 2.0
Installation
- Download the standalone executable from the releases page: https://github.com/mandiant/flare-floss/releases
- Refer to the installation documentation for detailed installation methods: doc/installation.md
Usage
>_ floss malware.exe
Extract obfuscated strings from a malware binary.
>_ floss --only stack tight -- suspicious.exe
Extract only stack and tight strings from the specified binary.
>_ floss --no static -- backdoor.exe
Extract all strings except static strings from the binary.
>_ floss -h
Display core help and usage information.
>_ floss -H
Display all supported arguments and detailed usage.
- Integrate FLOSS into automated malware triage pipelines to accelerate static analysis and reduce manual effort.
- Combine FLOSS output with dynamic analysis tools to correlate runtime behavior with extracted strings for comprehensive malware profiling.
- Use FLOSS in purple team exercises to simulate adversary obfuscation techniques and improve detection capabilities.
- Leverage FLOSS’s language-specific string extraction to enhance analysis of Go and Rust malware samples increasingly seen in the wild.
- Incorporate FLOSS into continuous integration (CI) workflows for security teams developing detection signatures or threat intelligence.
Related Tools
x64dbg
x64dbg/x64dbg
An open-source user mode debugger for Windows. Optimized for reverse engineering and malware analysis.
theZoo
ytisf/theZoo
A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.
flare-vm
mandiant/flare-vm
A collection of software installations scripts for Windows systems that allows you to easily setup and maintain a reverse engineering environment on a VM.
capa
mandiant/capa
The FLARE team's open-source tool to identify capabilities in executable files.
retoolkit
mentebinaria/retoolkit
Reverse Engineer's Toolkit
awesome-yara
InQuest/awesome-yara
A curated list of awesome YARA rules, tools, and people.
