ENNAENNA

FLARE FLOSS

Apache-2.0

๐Ÿงฌ Reverse Engineering ยท Python

FLARE FLOSS (FireEye Labs Obfuscated String Solver) automatically extracts obfuscated strings from malware binaries. While the standard 'strings' utility only finds plaintext, FLOSS uses advanced static analysis techniques to identify string decoding routines, emulates them, and recovers the decoded strings. It handles XOR encoding, stack strings (built character-by-character), tight strings (short encoded sequences), and custom decryption routines. FLOSS integrates with FLARE's analysis toolkit and produces output compatible with YARA rule generation. It dramatically reduces manual reverse engineering time for string-heavy malware analysis.

4.0kstars
526forks
119issues
Updated 4d ago
+I use this
View on GitHub

Installation

$ pip install flare-floss

Use Cases

  • Extracting obfuscated strings from malware samples
  • Recovering XOR-encoded and stack-built strings
  • Generating IOCs from decoded malware strings
  • Automating string analysis in malware triage pipelines

Tags

string-extractionmalware-analysisdeobfuscationmandiantstatic-analysisflaregsoc-2026malwarestrings

Details

Category
๐Ÿงฌ Reverse Engineering
Language
Python
License
Apache-2.0
Platforms
๐Ÿงlinux๐ŸŽmacos๐ŸชŸwindows

Links

GitHub Repository

github.com/mandiant/flare-floss

Releases

github.com/mandiant/flare-floss/releases

Issues

github.com/mandiant/flare-floss/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Community Reviews

Alternatives & Comparisons

Ghidra

Java

NSA's reverse engineering framework. Disassembly, decompilation, graphing, and scripting for binary analysis.

Compare FLARE FLOSS vs Ghidra

YARA

C

Pattern matching swiss knife for malware researchers. Create rules to identify and classify malware samples.

Compare FLARE FLOSS vs YARA

Radare2

C

Portable reversing framework. Disassembly, debugging, analysis, patching, and scripting in a single CLI.

Compare FLARE FLOSS vs Radare2

capa

Python

Automatically identify capabilities in executable files - detects techniques like persistence, C2, and anti-analysis.

Compare FLARE FLOSS vs capa

More in Reverse Engineering

dnSpy

C#

.NET debugger, decompiler, and assembly editor. Inspect and modify .NET and Unity assemblies without source code.

dotnetdecompilerdebugger

ILSpy

C#

Open-source .NET decompiler and assembly browser. Produces clean C# from compiled binaries with cross-platform support.

dotnetdecompilerassembly-browser

x64dbg

C++

Open-source x64/x32 debugger for Windows. Full-featured binary debugger with plugin ecosystem for malware analysis and reverse engineering.

debuggerdisassemblermalware-analysis

Detect It Easy

C++/Qt

Binary packer and compiler detection. Identifies compilers, linkers, packers, and protectors used to build PE, ELF, and Mach-O files.

packer-detectionbinary-analysispe

angr

Python

Binary analysis framework. Symbolic execution, CFG recovery, and vulnerability discovery for compiled binaries in Python.

symbolic-executionbinary-analysiscfr

RetDec

C++

Retargetable decompiler by Avast. Converts machine code back to C from x86, ARM, MIPS, and PowerPC binaries.

decompilerllvmmulti-arch