Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Nim Strings SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Nim Strings

On Tuesday's Stormcast, Johannes talked about malware written in the Nim Programming language.

Internally, strings in the Nim programming language are stored inside a structure (STRING_LITERAL) that consists of 2 integers followed by the string.

Both integers represent the length of the string, although the second integer has one bit set to indicate it is a string literal.

Here is an example of a program I wrote and compiled to a 32-bit PE file:

In red is the string itself (17 bytes long, 0x11). Green is the first integer: the length of the string (0x00000011) encoded as a little-endian 32-bit integer (0x11000000). Yellow is the second integer: the length of the string encoded as a little-endian 32-bit integer with the 3rd most-significant bit set (0x00000011 + x40000000 -> 0x11000040).

I wrote a Python script to extract these strings. It's beta: I still have to decided if and how to integrate this in my strings.py tool).

Unlike the classic tool strings, this tool will also extract strings that contain non-printable characters.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

575 Posts
ISC Handler
Mar 22nd 2021

Sign Up for Free or Log In to start participating in the conversation!