To support the static analysis of Go and Rust executables, FLOSS now extracts program strings using enhanced algorithms.
Where traditional extraction algorithms produce compound and confusing string output, FLOSS recovers the individual Go and Rust strings as they are used in the program.
Analysts who have inspected Go or Rust samples know how confusing traditional strings output can be.
The problem arises because the Rust and Go compilers do not NULL-terminate strings: a string is referenced by a pointer and a length, and the string data is laid out back-to-back, so a byte-scanning tool sees one long run of printable characters rather than the separate strings the program actually uses.
Using FLOSS to extract Go and Rust strings
Figure 2 shows an example of running FLOSS version 3.0 on a Rust executable.
String deobfuscation may be inaccurate or take a long time for Go and Rust executables because they are often large and contain many and/or complex functions to analyze.
To focus only on the static strings of Go and Rust programs, use the --only/--no arguments to enable or disable the extraction of a string type, e.g., static or decoded.
Go and Rust strings are part of the static string extraction.
The language-specific strings are listed in a section named FLOSS GO STRINGS or FLOSS RUST STRINGS. This section follows the output of the regular ASCII and UTF16-LE encoded strings.
To identify binaries produced by the Rust compiler, FLOSS searches for common Rust string patterns, including those related to error handling.
Extracting Strings from Go Binaries
Go strings are generally UTF-8 encoded, although this isn't guaranteed: a Go string is an arbitrary byte sequence.
In compiled Go binaries the most interesting strings for analysts are commonly stored without a NULL terminator.
Extracting Go Strings from Windows PE files
FLOSS identifies string structures and code references in Go programs to extract individual strings with their corresponding lengths.
Our algorithm relies on the Go linker storing strings in one consecutive range in length-sorted order, from shortest to longest.
Extracting Strings from Rust Binaries
Strings in Rust (str and String) are guaranteed to be valid UTF-8 sequences.
FLOSS focuses on these and doesn't specifically handle other string types that may contain non-UTF-8 bytes, such as OsString or byte strings.
For Windows PE files, Rust strings commonly reside in the binary's.
Extracting Rust Strings from Windows PE files
To extract strings from programs created using the Rust compiler, FLOSS reuses many of the ideas and functions used for Go string extraction.
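The following is an added example, not FLOSS code, that models the Go and Rust points above on constructed data: a region of non-NULL-terminated strings laid out shortest to longest, as the page says the Go linker does; (offset, length) pairs standing in for the string structures and code references FLOSS locates in a real binary (the build_refs helper is hypothetical); a strings-style scanner that returns one compound run; a check for the length-sorted, back-to-back layout; and the UTF-8 filter that keeps Rust str/String data while rejecting a byte string holding non-UTF-8 bytes. Nothing here parses a PE file.

```python
# Added example (not FLOSS code): a toy model of why `strings`-style extraction
# produces compound output on Go/Rust binaries, how pointer+length references
# recover individual strings, the length-sorted layout check for Go, and the
# UTF-8 filter for Rust. All data is constructed; nothing is read from a binary.
import string

# Constructed Go-style data: strings concatenated with no NUL terminators and
# laid out shortest to longest, imitating the layout the page describes.
GO_STRINGS = ["go", "cmd", "exit", "kernel32.dll", "Mozilla/5.0 (Windows NT 10.0)"]
GO_BLOB = b"".join(s.encode("utf-8") for s in GO_STRINGS)


def build_refs(strs: list[str], base: int = 0) -> list[tuple[int, int]]:
    """Constructed (offset, length) pairs standing in for the string headers and
    code references FLOSS locates in a real binary (hypothetical helper)."""
    refs, off = [], base
    for s in strs:
        n = len(s.encode("utf-8"))
        refs.append((off, n))
        off += n
    return refs


GO_REFS = build_refs(GO_STRINGS)


def naive_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Imitates the classic `strings` tool: maximal runs of printable ASCII of at
    least min_len bytes, split only at non-printable bytes such as NUL."""
    printable = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
    out, run = [], bytearray()
    for b in data + b"\x00":  # trailing NUL flushes the final run
        if b in printable:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    return out


def ref_strings(data: bytes, refs: list[tuple[int, int]]) -> tuple[list[str], list[tuple[int, int]]]:
    """Recovers each referenced string by (offset, length). Only valid UTF-8 is
    kept, matching Rust's str/String guarantee; slices that fail decoding (byte
    strings, OsString data) are reported separately rather than mangled."""
    found, rejected = [], []
    for off, n in refs:
        chunk = data[off:off + n]
        try:
            found.append(chunk.decode("utf-8"))
        except UnicodeDecodeError:
            rejected.append((off, n))
    return found, rejected


def looks_like_go_string_blob(refs: list[tuple[int, int]]) -> bool:
    """Sanity check on a candidate range: the referenced strings must be laid out
    back-to-back and in non-decreasing length, the Go linker property the
    extraction relies on. A range violating this is not the Go string blob."""
    ordered = sorted(refs)
    pairs = list(zip(ordered, ordered[1:]))
    back_to_back = all(a + n == b for (a, n), (b, _) in pairs)
    non_decreasing = all(n1 <= n2 for (_, n1), (_, n2) in pairs)
    return back_to_back and non_decreasing


# Constructed Rust-style data: two &str values (the second is libcore's real
# Option::unwrap panic message) with a non-UTF-8 byte string b"\xff\xfe\x00\x01"
# placed between them.
RUST_STRINGS = ["panic", "called `Option::unwrap()` on a `None` value"]
RAW_BYTES = b"\xff\xfe\x00\x01"
RUST_BLOB = RUST_STRINGS[0].encode() + RAW_BYTES + RUST_STRINGS[1].encode()
RUST_REFS = [(0, 5), (5, 4), (9, len(RUST_STRINGS[1].encode()))]

if __name__ == "__main__":
    print("naive:", naive_strings(GO_BLOB))             # one compound string
    print("by ref:", ref_strings(GO_BLOB, GO_REFS)[0])  # the five originals
    print("length-sorted:", looks_like_go_string_blob(GO_REFS))
    found, rejected = ref_strings(RUST_BLOB, RUST_REFS)
    print("rust:", found, "rejected:", rejected)
```

On the Go blob the naive scanner returns a single 50-character run, while the reference-driven walk returns the five original strings; the layout check passes for the constructed blob and fails once lengths decrease or a gap appears between strings. On the Rust blob the byte string at offset 5 is reported as rejected instead of being decoded into garbage.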
Conclusion
The newest release of FLOSS extracts strings from Windows binaries written in Go and Rust.
To try out FLOSS' new functionality, download a standalone binary from the Release page or use pip to install the tool from PyPI. You can then run the tool against any Windows PE Go or Rust sample to extract language-specific strings.
This Cyber News was published on www.mandiant.com. Publication date: Wed, 13 Dec 2023 21:43:04 +0000