EPISODE · Jan 27, 2026 · 15 MIN
Course 20 - Malware Analysis: Identifying and Defeating Code Obfuscation | Episode 3: Analyzing and Defeating String Obfuscation in Native
from CyberCode Academy · host CyberCode Academy
In this lesson, you’ll learn about:

String Obfuscation in Native Malware:
- Why string analysis is significantly harder in native code compared to interpreted languages.
- How compiled binaries store logic as machine instructions inside formats like the Portable Executable (PE), requiring reverse engineering rather than simple string extraction.

Core Native String-Hiding Techniques:
- Stack Strings: Constructing strings dynamically on the stack using assembly instructions instead of storing them in readable sections of the binary.
- Checksum-Based Resolution: Hiding API and file names by comparing runtime-generated hashes against hard-coded checksums to build dynamic import tables without exposing cleartext strings.
- Encrypted Strings: Using encryption algorithms to keep strings unreadable until they are decrypted during execution.

Static Analysis and String Recovery:
- Leveraging advanced extraction tools to recover stack strings that standard utilities cannot detect.
- Manually reconstructing strings in disassembly tools by converting numeric byte values into ASCII characters.
- Using cross-references (Xrefs) to confirm which functions are responsible for resolving APIs or decrypting strings.

Dynamic Analysis and Debugging:
- Verifying static findings by stepping through execution in a debugger and observing register values and memory changes.
- Inspecting memory with appropriate commands to correctly display Unicode or multi-byte strings that contain embedded null bytes.

Reversing Checksum Logic:
- Tracing low-level assembly operations such as bit rotations (ROL) and XOR instructions used to generate hashes from strings.
- Understanding normalization steps, such as converting strings to lowercase, to ensure consistent checksum comparisons across systems.

You can listen and download our episodes for free on more than 10 different platforms: https://linktr.ee/cybercode_academy
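To make the "Reversing Checksum Logic" items concrete, here is an added example (not from the episode or from CyberCode Academy) of the analyst-side step: once the hash routine has been traced, recompute it over a wordlist of candidate names and match the results against the hard-coded checksums. The rotation count of 7, the operation order, the wordlist and the sample constants are all assumptions constructed for illustration.

```python
# Added example: analyst-side resolver for checksum-hidden names.
# The hash below is an ASSUMED rotate-left/XOR scheme, not one from the episode;
# read the real rotation count and operation order from the sample's disassembly.
MASK32 = 0xFFFFFFFF

def rol32(value, count):
    """Rotate a 32-bit value left by `count` bits."""
    count %= 32
    return ((value << count) | (value >> (32 - count))) & MASK32

def name_checksum(name, rot=7):
    """Lowercase the name (normalization), then fold each byte in with ROL + XOR."""
    h = 0
    for byte in name.lower().encode("ascii"):
        h = rol32(h, rot) ^ byte
    return h

def build_lookup(candidates, rot=7):
    """Map checksum -> names; a list keeps hash collisions visible."""
    table = {}
    for name in candidates:
        table.setdefault(name_checksum(name, rot), []).append(name)
    return table

def resolve(observed, candidates, rot=7):
    """Return {checksum: matching names}; an empty list means 'widen the wordlist'."""
    table = build_lookup(candidates, rot)
    return {value: table.get(value, []) for value in observed}

# Constructed wordlist; in practice, use the export names of the DLLs the sample loads.
CANDIDATES = ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateFileW", "kernel32.dll"]

def demo():
    # Constructed stand-ins for constants read out of the disassembly. Mixed case
    # shows that normalization makes the comparison case-insensitive.
    observed = [name_checksum("VIRTUALALLOC"), name_checksum("Kernel32.DLL"), 0xDEADBEEF]
    return resolve(observed, CANDIDATES)

if __name__ == "__main__":
    for value, names in demo().items():
        print(f"0x{value:08X} -> {names or 'unresolved'}")
```

Resolved names can then be applied as comments or enum labels in the disassembler, and checked against the cross-references and debugger observations described above.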