Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to generate signatures for a set of binaries (more than two binaries) #10

Open
seekamoon opened this issue Dec 12, 2023 · 1 comment
Open

How to generate signatures for a set of binaries (more than two binaries) #10

seekamoon opened this issue Dec 12, 2023 · 1 comment
Labels
question Further information is requested

Comments

@seekamoon
Copy link

seekamoon commented Dec 12, 2023
edited
Loading

Hi all,

Thank you for your wonderful work. I am trying to use VxSig to generate AV signatures for a few malware families, where each family consists of multiple binaries (>2).

If I understand correctly, VxSig takes a pair of binaries as input, locating the common parts, and finally generate YARA rules to represent them.

Now how to generate signatures for a pair of binaries is clear. However, I am still confused about how to use VxSig to generate YARA rules for a set of binaries (more than two binaries). Actually I have some initial ideas, but I am not sure.

Could you give me some suggestions, or, what is the best practice of dealing with more than two binaries?

Much thanks in advance!
@cblichmann cblichmann added the question Further information is requested label Feb 13, 2024
@cblichmann
Copy link
Member

Hi!
To generate AV signatures for multiple binaries, you first need to have a BinDiff chain.

For example, if you have three binaries binA, binB and binC the workflow would be like this:

  1. Load each file into a disassembler (i.e. IDA Pro, Binary Ninja or Ghidra) and fix up any disassembly errors
  2. Using the BinExport plugin, export each file. This will result in files binA.BinExport, binB.BinExport and binC.BinExport
  3. Use BinDiff to build a chain. You can use this sequence of commands:\
bindiff binA.BinExport binB.BinExport
bindiff binB.BinExport binC.BinExport

This will result in files binA_vs_binB.BinDiff and binB_vs_binC.BinDiff
4. Now we're ready to run vxsig:\

vxsig --detection_name "bin.MALWARE" binA_vs_binB.BinDiff binB_vs_binC.BinDiff

You can actually try this out with the BinExport files in vxsig/testdata/:

bazelisk run //vxsig:vxsig -- $PWD/1794a0afbfc38411dec87fa2660d6dd6515cf8d03cb32bb24a1d7a8e1ecf30fa_vs_1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82.BinDiff $PWD/1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82_vs_1d3949acb5eb175af3cbc5f448ece50669a44743faec91e3d574dad9596a9d83.BinDiff

The command above will output a YARA signature for the three files:

  • 1794a0afbfc38411dec87fa2660d6dd6515cf8d03cb32bb24a1d7a8e1ecf30fa.BinExport
  • 1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82.BinExport
  • 1d3949acb5eb175af3cbc5f448ece50669a44743faec91e3d574dad9596a9d83.BinExport

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question Further information is requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@cblichmann @seekamoon