search

google / vxsig

Automatically generate AV byte signatures from sets of similar binaries.
Apache License 2.0
257 stars 33 forks source link

How to generate signatures for a set of binaries (more than two binaries) #10

Open seekamoon opened 9 months ago

seekamoon commented 9 months ago

Hi all,

Thank you for your wonderful work. I am trying to use VxSig to generate AV signatures for a few malware families, where each family consists of multiple binaries (>2).

If I understand correctly, VxSig takes a pair of binaries as input, locating the common parts, and finally generate YARA rules to represent them.

Now how to generate signatures for a pair of binaries is clear. However, I am still confused about how to use VxSig to generate YARA rules for a set of binaries (more than two binaries). Actually I have some initial ideas, but I am not sure.

Could you give me some suggestions, or, what is the best practice of dealing with more than two binaries?

Much thanks in advance!

cblichmann commented 7 months ago

Hi! To generate AV signatures for multiple binaries, you first need to have a BinDiff chain.

For example, if you have three binaries binA, binB and binC the workflow would be like this:

  1. Load each file into a disassembler (i.e. IDA Pro, Binary Ninja or Ghidra) and fix up any disassembly errors
  2. Using the BinExport plugin, export each file. This will result in files binA.BinExport, binB.BinExport and binC.BinExport
  3. Use BinDiff to build a chain. You can use this sequence of commands:\ 
    bindiff binA.BinExport binB.BinExport
bindiff binB.BinExport binC.BinExport

    This will result in files binA_vs_binB.BinDiff and binB_vs_binC.BinDiff

  4. Now we're ready to run vxsig:\ 
    vxsig --detection_name "bin.MALWARE" binA_vs_binB.BinDiff binB_vs_binC.BinDiff

You can actually try this out with the BinExport files in vxsig/testdata/:

bazelisk run //vxsig:vxsig -- $PWD/1794a0afbfc38411dec87fa2660d6dd6515cf8d03cb32bb24a1d7a8e1ecf30fa_vs_1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82.BinDiff $PWD/1b0a84953909816c1945c2153605c2ddeb3b138fb4c262c7262cd9689ed25f82_vs_1d3949acb5eb175af3cbc5f448ece50669a44743faec91e3d574dad9596a9d83.BinDiff

The command above will output a YARA signature for the three files: