Hello, welcome to the Wednesday, June 3, 2020 edition of the Sandinert Storm Center's Stormcast.

My name is Johannes Ulrich.

And the time recording from Jacksonville, Florida.

Well, one of the first things you typically, at least what I do when I look at a piece of malware is run the Linux strings command on it.

Doesn't often reveal a ton of interesting stuff, but well, when it works, it's quick

and certainly can tell you a little bit more about the binary you are dealing with.

Now, as I mentioned, the strings command doesn't always really reveal a lot.

There are a number of different techniques, how you can sort of obfuscate strings to not

show up. And one technique is today discussed by Jim and that's stack strings.

Stack strings are strings that are assembled on the stack by, as Jim calls it,

type one stack strings, just copying one letter at a time to the stack,

assembling the string that you would like to use.

And that way, of course, the binary, you don't have the string.

You just have individual letters, which usually don't really show up easily when you're

using the strings command.

Now, another type of stack string that Jim is talking about here is what he's calling

type 2 stack string.

Type 2 stack strings, well, same idea, similar idea,

but they're copied four letters at a time,

and they may actually be using the push command,

which is the normal command that you're using to send data to the stack

instead of the move instruction that type 1 stack strings use.

...