Fundamentals

An Example of Stack String in High Level Language

SANS ISC handler Xavier Mertens explores the concept of stack strings — a common malware obfuscation technique where strings are constructed on the stack at runtime rather than stored in cleartext — and demonstrates how this technique translates from low-level C to higher-level languages. The analysis provides practical code examples showing how attackers use stack strings to hide command-and-control addresses, file paths, and registry keys from static analysis tools. By showing the technique in higher-level languages commonly used in modern malware, Mertens helps defenders understand that language choice alone does not preclude sophisticated obfuscation. The post includes detection strategies and YARA rule guidance for identifying stack string patterns in memory during dynamic analysis.


Responsible use. This content is provided for defensive security education and authorized testing purposes only. Techniques and tools described here should only be applied in environments where you have explicit authorization. Unauthorized use of offensive security techniques is illegal and unethical.
