Open seekamoon opened 9 months ago
Hi! To generate AV signatures for multiple binaries, you first need to have a BinDiff chain.
For example, if you have three binaries `binA`, `binB` and `binC`, the workflow would be like this:

`binA.BinExport`, `binB.BinExport` and `binC.BinExport`:

```sh
bindiff binA.BinExport binB.BinExport
bindiff binB.BinExport binC.BinExport
```

This will result in files `binA_vs_binB.BinDiff` and `binB_vs_binC.BinDiff`.

`vxsig`:

```sh
vxsig --detection_name "bin.MALWARE" binA_vs_binB.BinDiff binB_vs_binC.BinDiff
```

You can actually try this out with the BinExport files in `vxsig/testdata/`:

```sh
bazelisk run //vxsig:vxsig -- $PWD/1794a0afbfc38411dec87fa2660d6dd6515cf8d03cb32bb24a1d7a8e1ecf30fa_vs_1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82.BinDiff $PWD/1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82_vs_1d3949acb5eb175af3cbc5f448ece50669a44743faec91e3d574dad9596a9d83.BinDiff
```

The command above will output a YARA signature for the three files:

- `1794a0afbfc38411dec87fa2660d6dd6515cf8d03cb32bb24a1d7a8e1ecf30fa.BinExport`
- `1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82.BinExport`
- `1d3949acb5eb175af3cbc5f448ece50669a44743faec91e3d574dad9596a9d83.BinExport`
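The three-file walkthrough above generalises to any number of samples: diff each consecutive pair, then feed every resulting `.BinDiff` to `vxsig`. The script below is an added example, not vxsig's own code; it assumes `bindiff` and `vxsig` are on `PATH`, that `bindiff` writes `<A>_vs_<B>.BinDiff` into the current directory as in the thread, and that file names contain no spaces (the script name `chain_vxsig.sh` is hypothetical).

```shell
#!/bin/sh
# Added example (not part of the vxsig project): build a BinDiff chain over an
# ordered list of .BinExport files and pass every resulting .BinDiff to vxsig.
# Assumptions: `bindiff` and `vxsig` are on PATH, bindiff names its output
# "<A>_vs_<B>.BinDiff" in the current directory, file names have no spaces.

# Print the .BinDiff file name bindiff produces for one consecutive pair.
pair_output() {
    printf '%s_vs_%s.BinDiff\n' "${1%.BinExport}" "${2%.BinExport}"
}

# Print, one per line, the .BinDiff files the full chain yields (N-1 of them).
chain_outputs() {
    prev=""
    for f in "$@"; do
        if [ -n "$prev" ]; then
            pair_output "$prev" "$f"
        fi
        prev="$f"
    done
}

# Print the vxsig invocation for a detection name and the chain's outputs.
vxsig_command() {
    name="$1"; shift
    printf 'vxsig --detection_name "%s"' "$name"
    for d in $(chain_outputs "$@"); do
        printf ' %s' "$d"
    done
    printf '\n'
}

# Run the pipeline for real: bindiff each consecutive pair, then vxsig on all.
run_chain() {
    name="$1"; shift
    if [ "$#" -lt 2 ]; then
        echo "need at least two .BinExport files" >&2
        return 1
    fi
    prev=""
    for f in "$@"; do
        if [ -n "$prev" ]; then
            bindiff "$prev" "$f" || return 1
        fi
        prev="$f"
    done
    # Word splitting is intentional here: names are assumed to have no spaces.
    vxsig --detection_name "$name" $(chain_outputs "$@")
}

# Usage: ./chain_vxsig.sh bin.MALWARE binA.BinExport binB.BinExport binC.BinExport
if [ "$#" -gt 0 ]; then
    run_chain "$@"
fi
```

The order of the `.BinExport` arguments is the chain order, so put the most similar samples next to each other to keep the common-code intersection that `vxsig` extracts as large as possible.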
Hi all,

Thank you for your wonderful work. I am trying to use VxSig to generate AV signatures for a few malware families, where each family consists of multiple binaries (>2).

If I understand correctly, VxSig takes a pair of binaries as input, locates the common parts, and finally generates YARA rules to represent them.

Now, how to generate signatures for a pair of binaries is clear. However, I am still confused about how to use VxSig to generate YARA rules for a set of binaries (more than two). Actually, I have some initial ideas, but I am not sure.

Could you give me some suggestions, or, what is the best practice for dealing with more than two binaries?

Many thanks in advance!