For now, I see section hashing is supported in the PE parser and sigtool, but nothing similar for ELF files. IMO this feature is useful.
For example, I created 2 stageless Metasploit payloads. One uses the x86/shikata_ga_nai encoder and the other uses no encoder.
The scan result shows 1 file is clean.
The signature is string-based detection.
However, the 2 generated files have the same signature: no section in the file.
So by detecting this signature, we can bypass the encoders which obfuscate strings. It can be written either as an exact signature for a malware or as heuristic rules for some malwares. Yara rules as I mentioned in Discord.
Test again with a different encoder, x64/xor_dynamic.
Clamscan doesn't detect the new file, run3.
However, yara detects this binary using the no sections rule.
During the test, the stagger payload linux/x64/meterpreter_reverse_tcp has sections, but if I use the encoder x86/shikata_ga_nai, it has no sections.
However, stagger payloads that have no encoder or use the encoder x64/xor_dynamic have sections. I haven't tried comparing section hashing for the 2 samples => can't do 100% detection for all variants.
I haven't tested ELF section hashing for malware variants, so I don't really know how it works for real-world malware. However, I still think this is an effective method to detect malware because in the test we can see that some different encoders bypassed ClamAV signatures, and this method can detect many samples without analyzing unique strings.
P/s: Update: I'm using rizin, a fork of radare2, to calculate the hash of sections for 2 other samples. md5sum for the comment section of file run5:
Same md5sum of the comment section in file run6.
Test again with the yara rule. Result:
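The two checks the post relies on, as an added example that is not part of the original post and not code from ClamAV, yara or rizin: a minimal ELF64 section-header parser that hashes every named section (so two variants can be compared section by section, the way the post compares the .comment section of run5 and run6) and a "no section table" test equivalent to the post's no sections yara rule. The samples RUN5, RUN6 and RUN3 are constructed in memory by the assumed helper build_elf64; mdb_lines is an assumed ELF analogue of the size:hash:name layout of ClamAV's PE section signatures, not a format ClamAV actually accepts for ELF.

```python
"""Added example: ELF64 section hashing and a no-section-table check over
constructed samples. build_elf64, RUN5/RUN6/RUN3 and mdb_lines are assumed
names for illustration, not code from the post, ClamAV, yara or rizin."""
import hashlib
import struct

EHDR_FMT = "<16sHHIQQQIHHHHHH"   # ELF64 little-endian file header (64 bytes)
SHDR_FMT = "<IIQQQQIIQQ"         # ELF64 section header (64 bytes)
SHT_NULL, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS = 0, 1, 3, 8


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def build_elf64(sections):
    """Constructed ELF64 LE image from a list of (name, bytes). An empty list
    emits no section header table (e_shnum == 0), the shape the post saw for
    the encoded payloads. Not loadable; it only feeds the parser below."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    if not sections:
        hdr = struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
        return hdr + b"\x90" * 16            # filler standing in for headerless code
    shstrtab, name_off = bytearray(b"\x00"), {}
    for name in [n for n, _ in sections] + [".shstrtab"]:
        name_off[name] = len(shstrtab)
        shstrtab += name.encode() + b"\x00"
    layout, off = [], 64
    for name, data in sections:
        layout.append((name, off, data))
        off += len(data)
    shstr_off = off
    shoff = shstr_off + len(shstrtab)
    shnum = len(sections) + 2                # SHT_NULL + sections + .shstrtab
    out = bytearray(struct.pack(EHDR_FMT, ident, 2, 0x3E, 1, 0, 0, shoff, 0,
                                64, 0, 0, 64, shnum, shnum - 1))
    for _, _, data in layout:
        out += data
    out += shstrtab
    out += struct.pack(SHDR_FMT, 0, SHT_NULL, 0, 0, 0, 0, 0, 0, 0, 0)
    for name, o, data in layout:
        out += struct.pack(SHDR_FMT, name_off[name], SHT_PROGBITS, 0, 0, o, len(data), 0, 0, 1, 0)
    out += struct.pack(SHDR_FMT, name_off[".shstrtab"], SHT_STRTAB, 0, 0,
                       shstr_off, len(shstrtab), 0, 0, 1, 0)
    return bytes(out)


def elf_sections(blob):
    """Return {name: (size, md5)} for every named section of an ELF64 LE image.
    Returns {} when the section header table is absent, which is the condition
    the post's "no sections" yara rule keys on."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if blob[4] != 2 or blob[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    fields = struct.unpack_from(EHDR_FMT, blob, 0)
    shoff, shentsize, shnum, shstrndx = fields[6], fields[11], fields[12], fields[13]
    if shoff == 0 or shnum == 0:
        return {}
    if shentsize != 64 or shoff + shnum * shentsize > len(blob) or shstrndx >= shnum:
        raise ValueError("malformed section header table")
    hdrs = [struct.unpack_from(SHDR_FMT, blob, shoff + i * shentsize) for i in range(shnum)]
    st_off, st_size = hdrs[shstrndx][4], hdrs[shstrndx][5]
    strtab = blob[st_off:st_off + st_size]
    result = {}
    for name_idx, sh_type, _flags, _addr, off, size, *_ in hdrs:
        if sh_type == SHT_NULL:
            continue
        end = strtab.find(b"\x00", name_idx)
        name = strtab[name_idx:end if end >= 0 else None].decode(errors="replace")
        data = b"" if sh_type == SHT_NOBITS else blob[off:off + size]  # NOBITS has no file bytes
        result[name] = (len(data), md5_hex(data))
    return result


def no_sections(blob):
    """Python equivalent of the post's "no sections" rule."""
    return elf_sections(blob) == {}


def shared_sections(a, b):
    """Names of sections whose contents hash identically in both images."""
    sa, sb = elf_sections(a), elf_sections(b)
    return sorted(n for n in sa if n in sb and sa[n][1] == sb[n][1])


def mdb_lines(blob, malware_name):
    """size:md5:name lines in the style of ClamAV's PE section signatures
    (an assumed ELF analogue; ClamAV has no such ELF format)."""
    return [f"{size}:{h}:{malware_name}" for size, h in elf_sections(blob).values()]


# Constructed samples: two "variants" sharing a .comment section but with
# different .text, and one headerless sample like the encoded payloads.
COMMENT = b"GCC: (GNU) 12.2.0\x00"
RUN5 = build_elf64([(".text", b"\x48\x31\xc0\xc3"), (".comment", COMMENT)])
RUN6 = build_elf64([(".text", b"\x48\x31\xff\xc3"), (".comment", COMMENT)])
RUN3 = build_elf64([])

if __name__ == "__main__":
    for label, blob in (("run5", RUN5), ("run6", RUN6), ("run3", RUN3)):
        print(label, "no sections" if no_sections(blob) else elf_sections(blob))
    print("shared:", shared_sections(RUN5, RUN6))
```

To run this over real files, pass `open(path, "rb").read()` to elf_sections. Note the caveat the post itself raises: a stripped or headerless ELF (sh_offset 0, e_shnum 0) yields no section hashes at all, so section hashing and the "no sections" heuristic complement each other rather than one replacing the other, and a matching .comment hash only says the two samples were built with the same toolchain string, not that they are the same family.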