Feature: TELFHash Support in "elf" module

VirusTotal / yara

The pattern matching swiss knife

https://virustotal.github.io/yara/

BSD 3-Clause "New" or "Revised" License

8.29k stars 1.45k forks source link

Feature: TELFHash Support in "elf" module #1378

Closed Neo23x0 closed 3 years ago

Neo23x0 commented 4 years ago

I think this telfhash by TrendMicro would be a good extension for the elf module.

Details https://blog.trendmicro.com/trendlabs-security-intelligence/grouping-linux-iot-malware-samples-with-trend-micro-elf-hash/

Recent Article https://www.trendmicro.com/en_us/research/20/j/virustotal-now-supports-trend-micro-elf-hash.html

hillu commented 4 years ago

The basic feature that you and I would probably think of (imphash, but for ELF files) is certainly useful and can be efficiently implemented, as part of the elf module. However, it would be a bad idea to implement handling of static binaries: There, the TELF implmentation uses the Capstone disassembler to determine target addresses of call instructions.

plusvic commented 3 years ago

I haven't looked at telfhash yet, but if it depends on the Capstone disassembler that would be a heavy dependency :(

Neo23x0 commented 3 years ago

Understood. Yes, that's bad.

merces commented 3 years ago

It's kinda tough to get rid of a disassembly library without reducing its capacity but I'll think about that. Thanks for considering it anyway.