google / vxsig

Automatically generate AV byte signatures from sets of similar binaries.
Apache License 2.0

BinExport files misformed #5

Closed DarkaMaul closed 4 years ago

DarkaMaul commented 4 years ago

When using the last commit (470f04635c4bb8007035bf1fa4f529b80f6e6d3b), some BinExport files in the testdata directory are invalid.

List of invalid files (in vxsig/testdata):

The tool, used with any of the associated BinDiff files, will fail with this error message.

± % bazel-bin/vxsig/vxsig --detection_name=VxSigTestSig --trim_length=400 vxsig/testdata/sshd.korg_vs_sshd.trojan1.BinDiff
Parsing diff results
Loading function metadata and instruction data
[siggen_main.cc : 102] RAW: Check status.ok() failed: Failed to generate signature: failed parsing vxsig/testdata/sshd.korg.BinExport
[1]    13700 abort      bazel-bin/vxsig/vxsig --detection_name=VxSigTestSig --trim_length=400 

Remark: The other files work and a signature is generated.

The list of invalid files was found using this:

find vxsig/testdata -name '*.BinExport' -exec sh -c 'protoc --decode_raw < "$1" >/dev/null || echo "$1"' sh {} \;

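
The same check in Python, as an added example that is not part of this issue or of the vxsig project: it walks the top-level protobuf wire format (varint tags, the five wire types, group nesting) the way protoc --decode_raw does, and reports files that do not parse cleanly. The sample byte strings in the test are constructed; file and function names are the example's own.

```python
"""Report files that are not well-formed protobuf wire-format messages."""
from pathlib import Path


def _read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a base-128 varint at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint longer than 10 bytes")


def is_wire_format(buf: bytes) -> bool:
    """True if the whole buffer is consumed as a sequence of top-level fields."""
    pos, depth = 0, 0  # depth tracks deprecated start/end group pairs
    try:
        while pos < len(buf):
            tag, pos = _read_varint(buf, pos)
            field, wire_type = tag >> 3, tag & 7
            if field == 0:          # field number 0 is never valid
                return False
            if wire_type == 0:      # varint
                _, pos = _read_varint(buf, pos)
            elif wire_type == 1:    # fixed64
                pos += 8
            elif wire_type == 2:    # length-delimited (bytes, string, submessage)
                length, pos = _read_varint(buf, pos)
                pos += length
            elif wire_type == 3:    # start group
                depth += 1
            elif wire_type == 4:    # end group
                depth -= 1
                if depth < 0:
                    return False
            elif wire_type == 5:    # fixed32
                pos += 4
            else:                   # wire types 6 and 7 are unassigned
                return False
            if pos > len(buf):      # payload ran past end of file
                return False
    except ValueError:
        return False
    return depth == 0


def find_invalid(root: str, pattern: str = "*.BinExport") -> list[str]:
    """Paths under root matching pattern whose bytes are not valid wire format."""
    return sorted(str(p) for p in Path(root).rglob(pattern)
                  if not is_wire_format(p.read_bytes()))
```

Run `find_invalid("vxsig/testdata")` from the repository root to get the same list the find command prints.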
cblichmann commented 4 years ago

These files are in BinExport v1 format (which was never officially published). So they're not really malformed. But they're also not terribly useful this way.

I just removed those files, but I kept the .BinDiff files, as those are used in tests.