SWFREtools for Analyzing Flash Malware

SWFRETools is a promising free toolkit by Sebastian Porst for reverse-engineering malicious Flash programs. These tools are early in their development cycle and are missing features; yet, I am excited about the promise of having the more mature versions of these utilities available to malware analysts.

You can download SWFREtools in the source code form or as a compiled distribution. For an overview of SWFREtools, see Sebastian’s SOURCE Boston presentation, in which he introduced the toolkit to the world.

Flash Dissector

SWFRETools includes Flash Dissector—an interactive tool for examining the structure and contents of a SWF file.

After loading the SWF file, Flash Dissector shows the embedded tags using a tree listing on the left side of the screen. It also shows the hex view of the file’s content on the right side.

If you select a tag that includes ActionScript—namely, DoABC or DoAction—Flash Dissector will show you the disassembled version of ActionScript. This is the area where the tool leaves much room for improvement: In my (limited) testing, it only presented disassembled instructions, without showing me the data being operated on.

The most mature tool for examining the structure and contents of SWF files is presently SWFDump, which is a component of the free SWFTools distribution. I’m looking forward to seeing how Flash Dissector evolves: unlike SWFDump, it is designed specifically for dealing with malicious Flash programs.

FP Debugger

SWFRETools also includes FP Debugger—a tool designed for tracing and monitoring Flash Player during its execution. DP Debugger may help with the analysis of obfuscated ActionScript, which deobfuscates itself during runtime. This sounds very promising!

I haven’t had the opportunity to experiment with FP Debugger. If you have a chance to look explore its functionality, please share your observations.

Update: I wrote a related article explaining how to extract Flash objects from PDF files.

Lenny Zeltser


About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more