{"id":3310,"date":"2026-05-23T06:04:20","date_gmt":"2026-05-23T06:04:20","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/"},"modified":"2026-05-23T06:04:20","modified_gmt":"2026-05-23T06:04:20","slug":"an-example-of-stack-string-in-high-level-language-sat-may-23rd","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/","title":{"rendered":"An Example of Stack String in High Level Language, (Sat, May 23rd)"},"content":{"rendered":"
\n

This week, I\u2019m attending the SEC670[1<\/a>] training (\u201cRed Teaming Tools – Developing Windows Implants, Shellcode, Command and Control\u201d). From my point of view, this training fits perfectly with FOR610 or FOR710 (malware analysis) because it addresses malware from the opposite: Instead of performing reverse engineering, you write malicious code! Always interesting to have another point of view.<\/p>\n

Many techniques used by threat actors are often discovered while reversing\u00a0the malware code and are read in assembly. A perfect example are stack strings. This is a malware obfuscation technique where strings are constructed dynamically at runtime by assigning individual characters or bytes directly onto the stack, rather than storing them as contiguous string literals in the binary’s static data sections. Read: they won\u2019t be detected by simple tools like \u201cstrings\u201d or \u201cpestr\u201d.<\/p>\n

From an assembly code point of view, a stack string looks like this:<\/p>\n

\nsub     esp, 16                 ; Reserve 16 bytes (padded to hold our string)\nmov     byte [esp + 0], 0x73    ; 's'\nmov     byte [esp + 1], 0x61    ; 'a'\nmov     byte [esp + 2], 0x6E    ; 'n'\nmov     byte [esp + 3], 0x73    ; 's'\nmov     byte [esp + 4], 0x20    ; ' '\nmov     byte [esp + 5], 0x69    ; 'i'\nmov     byte [esp + 6], 0x73    ; 's'\nmov     byte [esp + 7], 0x63    ; 'c'\nmov     byte [esp + 8], 0x00    ; '\u0000' null terminator\nmov     eax, 4                  ; sys_write\nmov     ebx, 1                  ; fd = stdout\nmov     ecx, esp                ; buf = stack string\nmov     edx, 8                  ; len = 8\nint     0x80<\/pre>\n
The string “sans isc” will be printed on the console.<\/p>\n
But, how do you implement this in a high-level language like C? Here is an example:<\/p>\n
\n#include <stdio.h>\n#include <string.h>\n\nvoid plainTextExample(void) {\n    \/\/ Will be stored in .rodata and easy to spot with \"strings\" tools\n    const char* url = \"http:\/\/plain-malicious.com\/\";\n    printf(\"Plain URL = %sn\", url);\n}\n\nvoid stackStringExample(void) {\n    \/\/ Now we use a stack string. The script will be located in .text!\n    char url[30];\n    url[0] = 0x68;   \/\/ 'h'\n    url[1] = 0x74;   \/\/ 't'\n    url[2] = 0x74;   \/\/ 't'\n    url[3] = 0x70;   \/\/ 'p'\n    url[4] = 0x3A;   \/\/ ':'\n    url[5] = 0x2F;   \/\/ '\/'\n    url[6] = 0x2F;   \/\/ '\/'\n    url[7] = 0x65;   \/\/ 'e'\n    url[8] = 0x6E;   \/\/ 'n'\n    url[9] = 0x63;   \/\/ 'c'\n    url[10] = 0x6F;  \/\/ 'o'\n    url[11] = 0x64;  \/\/ 'd'\n    url[12] = 0x65;  \/\/ 'e'\n    url[13] = 0x64;  \/\/ 'd'\n    url[14] = 0x2D;  \/\/ '-'\n    url[15] = 0x6D;  \/\/ 'm'\n    url[16] = 0x61;  \/\/ 'a'\n    url[17] = 0x6C;  \/\/ 'l'\n    url[18] = 0x69;  \/\/ 'i'\n    url[19] = 0x63;  \/\/ 'c'\n    url[20] = 0x69;  \/\/ 'i'\n    url[21] = 0x6F;  \/\/ 'o'\n    url[22] = 0x75;  \/\/ 'u'\n    url[23] = 0x73;  \/\/ 's'\n    url[24] = 0x2E;  \/\/ '.'\n    url[25] = 0x63;  \/\/ 'c'\n    url[26] = 0x6F;  \/\/ 'o'\n    url[27] = 0x6D;  \/\/ 'm'\n    url[28] = 0x2F;  \/\/ '\/'\n    url[29] = 0x00;  \/\/ '\u0000'\n    printf(\"Obfuscated URL = %sn\", url);\n    memset(url, 0, sizeof(url));\n}\n\nint main(void) {\n    plainTextExample();\n    stackStringExample();\n    return 0;\n}<\/pre>\n
Because characters are hex-encoded, it makes them even more difficult to be spotted by the reverse engineer’s eyes.<\/p>\n
Once compiled, let\u2019s disassemble it with Ghidra. As expected the first string is directly discovered:<\/p>\n
\"\"<\/p>\n
Now, let’s try to find the second string. It’s not directly available. The stack string is generated with the code below. Characters are moved one by one (0x68, 0x74, 0x74, …):<\/p>\n
\"\"<\/p>\n
Of course, we are lazy people and we need tools and processes to spot such type of strings. We have tools to do this, like floss[2<\/a>]. But, to better understand how we can spot them, let’s have a look at a “manual” technique. Because bytes are moved one by one on the stack, the ASM instruction\u00a0used is “movb” or “mov BYTE PTR” (depending on the syntax convention, AT&T or Intel). Let’s try to decode\u00a0the strings with a simple shell:<\/p>\n
\n$ objdump -D StackStrings.exe \n| grep -oP 'movs+BYTE PTR [[^]]+],s*0xK[0-9a-fA-F]{1,2}' \n| while read hex\n> do\n> printf \"x${hex}\"\n> done\nhttp:\/\/encoded-malicious.com\/G<\/pre>\n
Magic! So \/bin\/bash can be considered as a reverse-engineering tool \ud83d\ude42<\/p>\n
Happy reversing!<\/p>\n
[1] https:\/\/www.sans.org\/cyber-security-courses\/red-team-operations-developing-custom-tools-windows<\/a>
\n[2]\u00a0https:\/\/github.com\/mandiant\/flare-floss<\/a><\/p>\n
Xavier Mertens (@xme)
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
 (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"
This week, I\u2019m attending the SEC670[1] training (\u201cRed Teaming Tools – Developing Windows Implants, Shellcode, Command and Control\u201d). From my point of view, this training fits perfectly with FOR610 or FOR710 (malware analysis) because it addresses malware from the opposite: Instead of performing reverse engineering, you write malicious code! Always interesting to have another point […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-3310","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nAn Example of Stack String in High Level Language, (Sat, May 23rd) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"An Example of Stack String in High Level Language, (Sat, May 23rd) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"This week, I\u2019m attending the SEC670[1] training (\u201cRed Teaming Tools – Developing Windows Implants, Shellcode, Command and Control\u201d). From my point of view, this training fits perfectly with FOR610 or FOR710 (malware analysis) because it addresses malware from the opposite: Instead of performing reverse engineering, you write malicious code! Always interesting to have another point […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-23T06:04:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"An Example of Stack String in High Level Language, (Sat, May 23rd)\",\"datePublished\":\"2026-05-23T06:04:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\"},\"wordCount\":391,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\",\"name\":\"An Example of Stack String in High Level Language, (Sat, May 23rd) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png\",\"datePublished\":\"2026-05-23T06:04:20+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"An Example of Stack String in High Level Language, (Sat, May 23rd)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"An Example of Stack String in High Level Language, (Sat, May 23rd) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/","og_locale":"en_US","og_type":"article","og_title":"An Example of Stack String in High Level Language, (Sat, May 23rd) - Imperative Business Ventures Limited","og_description":"This week, I\u2019m attending the SEC670[1] training (\u201cRed Teaming Tools – Developing Windows Implants, Shellcode, Command and Control\u201d). From my point of view, this training fits perfectly with FOR610 or FOR710 (malware analysis) because it addresses malware from the opposite: Instead of performing reverse engineering, you write malicious code! Always interesting to have another point […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-05-23T06:04:20+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"An Example of Stack String in High Level Language, (Sat, May 23rd)","datePublished":"2026-05-23T06:04:20+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/"},"wordCount":391,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/","name":"An Example of Stack String in High Level Language, (Sat, May 23rd) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png","datePublished":"2026-05-23T06:04:20+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/isc-20260523-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/05\/23\/an-example-of-stack-string-in-high-level-language-sat-may-23rd\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"An Example of Stack String in High Level Language, (Sat, May 23rd)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=3310"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/3310\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=3310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=3310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=3310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}