Skip to content

Indicate string obfuscation presence #400

New issue
New issue
Open
Open
Indicate string obfuscation presence#400
Labels
enhancement
@mr-tz

Description

@mr-tz
mr-tz
opened on Jul 22, 2021

Even if emulation fails, can FLOSS provide helpful indicators that string obfuscation is used in a sample?

  • few strings in binary / specific sections
  • functions reference few strings or strings that appear to be obfuscated
  • code sequences indicate stackstrings (see yara/capa rules)
  • if there are many tight loop functions, emit that the program likely uses tightstrings?

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancement

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions