XORsearch: Searching With Regexes, (Mon, Apr 7th)

SANS Internet Storm Center, InfoCON: green 2025-04-07

Xavier asked me a question from one of his FOR610 students: "how can you perform a regex search with XORsearch"?

XORsearch is a tool like grep, but instead of reading the file as-is it brute-forces the input: it tries the encodings it knows (XOR, ROL, ROT and SHIFT) with every possible key, and reports the encoding, the key and the offset wherever the search string appears in the decoded data.

You can give it a string to search for, but not a regular expression.

There is a workaround, however: let XORsearch extract all possible strings (the printable strings it finds under every encoding and key it tries), and then use a regular expression to grep through that output.

Here is an example with a Cobalt Strike beacon:

Option -S instructs XORsearch to extract all ASCII strings, and its output is piped into re-search.py, used here with its built-in regular expression for IPv4 addresses.

We obtain one address, which we then use directly as the search string for XORsearch:

This gives us more information: we see a URL path next to the address, and we now know the encoding is XOR with key 0x0D.

With option -n, XORsearch also prints the decoded bytes surrounding each match, so we can look for even more information around that IPv4 address:
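The three-step workaround above (extract strings under every key and regex them, then search the literal hit, then inspect its neighbourhood), as an added Python example. This is not the diary's code and not XORsearch or re-search.py; it reimplements only the single-byte XOR case (XORsearch also tries ROL, ROT and SHIFT). The sample buffer, the TEST-NET-3 address 203.0.113.10 and the URL path are constructed for the example; only the key 0x0D mirrors the diary, the beacon's real address and path are not reproduced.

```python
import re

# Printable-ASCII runs of at least this length count as "strings". XORsearch -S
# has its own threshold; this value is an assumption of the example.
MIN_STRING_LEN = 4
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Dotted-quad candidate; is_valid_ipv4() rejects octets above 255 so that
# garbage like 999.1.1.1 from a wrong key does not survive.
IPV4_RE = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def xor_buffer(data: bytes, key: int) -> bytes:
    """Decode (or encode, XOR is symmetric) data with a single-byte key."""
    return bytes(b ^ key for b in data)


def extract_strings(data: bytes):
    """Yield (offset, run) for each printable-ASCII run, like XORsearch -S."""
    for m in PRINTABLE_RUN.finditer(data):
        yield m.start(), m.group()


def is_valid_ipv4(candidate: bytes) -> bool:
    return all(0 <= int(octet) <= 255 for octet in candidate.split(b"."))


def regex_search_all_keys(data: bytes, pattern, validate=None):
    """Step 1: brute-force keys 0x00..0xFF, extract the strings of each
    decoded buffer and regex every string (XORsearch -S piped into a regex
    tool). Returns a list of (key, offset_in_file, match) tuples."""
    hits = []
    for key in range(256):
        decoded = xor_buffer(data, key)
        for run_offset, run in extract_strings(decoded):
            for m in pattern.finditer(run):
                if validate is None or validate(m.group()):
                    hits.append((key, run_offset + m.start(), m.group()))
    return hits


def search_string_all_keys(data: bytes, needle: bytes):
    """Step 2: look for a literal byte string under every key, on the raw
    decoded bytes, the way XORsearch itself does. Returns (key, offset)."""
    hits = []
    for key in range(256):
        decoded = xor_buffer(data, key)
        start = decoded.find(needle)
        while start != -1:
            hits.append((key, start))
            start = decoded.find(needle, start + 1)
    return hits


def neighbourhood(data: bytes, key: int, offset: int, length: int, n: int) -> bytes:
    """Step 3, like XORsearch -n: the match plus n decoded bytes before and after."""
    decoded = xor_buffer(data, key)
    return decoded[max(0, offset - n): offset + length + n]


# Constructed sample standing in for the beacon: a little binary filler, an
# address from the TEST-NET-3 documentation range, a URL path and a UA string,
# all XOR-encoded with key 0x0D.
PLAINTEXT = (
    b"\x00\x00\x00\x01MZ\x90\x00\x00"      # 9 bytes of filler, offsets 0-8
    b"203.0.113.10\x00"                   # address at offset 9
    b"/updates/check.php\x00"             # path at offset 22
    b"User-Agent: Mozilla/5.0\x00\x00"
)
SAMPLE = xor_buffer(PLAINTEXT, 0x0D)


if __name__ == "__main__":
    # Step 1: regex over the strings extracted under every key.
    for key, offset, match in regex_search_all_keys(SAMPLE, IPV4_RE, is_valid_ipv4):
        print(f"step 1: key 0x{key:02X} offset 0x{offset:04X}: {match.decode()}")
    # Step 2: the address found above is now a literal search string.
    for key, offset in search_string_all_keys(SAMPLE, b"203.0.113.10"):
        print(f"step 2: XOR key 0x{key:02X} at offset 0x{offset:04X}")
        # Step 3: show 32 bytes on either side, which exposes the URL path.
        print("step 3:", neighbourhood(SAMPLE, key, offset, 12, 32))
```

Running the module prints a single step-1 hit for key 0x0D and the surrounding decoded bytes, including the path that follows the address; every other key yields only garbage runs that fail the IPv4 regex or the octet check. On a real sample, expect some false positives from step 1 and confirm each with step 2 before trusting the key.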

There is also a method using YARA rules, but for that I first need to publish a Python version of XORsearch. More details in an upcoming diary entry.


Didier Stevens Senior handler blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.