Skip navigation.

How to get malicious strings in malware



I would like to know;

1- Given I have a binary/packed/unpacked ones, how can I know which strings are malicious, which aren't? Is there any link/knowledge base that you could point me out?

2- How to you get those strings? XOR tools? IDA Pro? OllyDBG? strings command?


I want to get "malicious strings" which I can consider a database of malicious strings, so that each time I analyze a binary I can know a particular PE/EXE is a malicious/benign.


1. Do you mean you want each

1. Do you mean you want each possible string made by packing 'malware" string?

2. Answer 1.

Define "malicious string".

Define "malicious string".

Safe String database


1)There is nothing called malicious string because a string which is used in a safe file can be used in a malware too. Then if you want a malicious string database, you have to have a safe string database first which is a tedious process.

2)Consider if you have malware file in hand, you can pickup bytes which are unique for that malware or generic for that particular malware family.
You can store these bytes in a database or "rule file" like yara.

If you want to automate these process you should never have any doubts with your two questions.



The others are right, no string on it's own is actually malicious, however you can usually get a good idea of various functionality the malware might have or like Malcode said, what family it belongs to, etc. I like to use the Malware Analysts Pack (MAP) search for it on Google, it's free and it will add some extensions to your lab OS (if using windows) so you can just right click on a file and select "Strings". I always do that before doing into any kind of dynamic or static analysis.

Strings found with the MAP "strings" will also list out all API's imported, however that might be a little more confusing than if you used, say, IDA Pro's strings tab. Good luck!