Text strings, or just “strings” for short, are pieces of human-readable text contained within a piece of code.
Consider the following code:
This code calls the function printf with the text string Hello World. This will result in the application outputting “Hello World”.
While the printf function call will be translated into machine code, the string will remain intact and stored somewhere within the application.
Under normal circumstances, code is stored in the .text section and strings are stored in the .data or .rdata section.
The naming can be somewhat confusing: the .text section holds the application's compiled machine code, which is binary and not "text".
By browsing sections like .data or .rdata it’s possible to see many of the text strings embedded within a normal application.
Often these strings can give us clues as to what the application is doing.
Most malware will attempt to conceal, encrypt, or obfuscate text strings to avoid making it too easy to write detection rules or reverse engineer the code. There are many different techniques by which this can be done.
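The following is an added example, not code from the original page. It runs a minimal strings-style scan over a constructed byte blob standing in for an .rdata section: the plain string is found, while a string XOR-ed with one byte (one simple obfuscation, assumed here for illustration) is missed until each key is tried. All names, the key, and the sample bytes are constructed.

```python
import re

XOR_KEY = 0xA7  # assumed key for the constructed sample
HIDDEN = b"Goodbye World"  # constructed string stored in obfuscated form

# Constructed sample standing in for the raw bytes of a .rdata section.
SAMPLE_RDATA = (
    b"\x00\x01\x7f\x00Hello World\x00\x00\x10\x00"
    + bytes(b ^ XOR_KEY for b in HIDDEN)
    + b"\x00\xff\x00kernel32.dll\x00"
)


def extract_strings(data, min_len=4):
    """Return printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_xor_strings(data, marker, min_len=4):
    """Try every one-byte XOR key; keep decoded strings containing marker."""
    hits = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        found = [s for s in extract_strings(decoded, min_len) if marker in s]
        if found:
            hits[key] = found
    return hits


if __name__ == "__main__":
    # The plain scan sees only the strings stored in the clear.
    print(extract_strings(SAMPLE_RDATA))
    # Searching for a known keyword under each key recovers the hidden one.
    print(find_xor_strings(SAMPLE_RDATA, "World"))
```

A detection rule keyed on the readable string would match the first scan only, which is why analysts also search for known keywords under simple encodings.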
These challenges will introduce you to just some of the many ways malware can conceal text.