Maximilian

Reputation: 1375

How can I create a byte signature for ClamAV?

I want to get a byte sequence out of the .text section of an object file and turn it into a signature. I want to execute ClamAV's clamscan with this signature to find other object files containing the same byte sequence. With objdump the byte sequence looks like this:

[image of the objdump disassembly omitted]

A byte sequence for this example could look like this:

55 48 89 e5 48 83 ec 10 bf 0a 00 00 00 e8 ?? ?? ?? ?? 48 89 45 f8 c9 c3

the ?? being placeholders.

I didn't find a way to do it with sigtool. Is there another tool for that, or do I have to do it manually, and if so, in which form do I have to save the signatures (format within the signature database and format of the database itself)?

Upvotes: 2

Views: 492

Answers (1)

Maximilian

Reputation: 1375

I had to write a script which was doing this task by hand. I didn't find a way for sigtool to do that for me. A script ran through the objdump output and replaced the variable bytes. I stored the result in a database, and with this database I could identify which library was linked statically using clamscan in binary mode (even if someone strips out the library names).

Upvotes: 1
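As an added example (not the answerer's script), here is one way to do what the answer describes: parse `objdump -dr` output of a relocatable object, wildcard the bytes the linker will patch (the rel32 of the call in the question, identified by the relocation line rather than by guessing), and emit a ClamAV `.ndb` line in the `Name:TargetType:Offset:HexSignature` format. The sample disassembly is constructed to reproduce the byte sequence from the question; the signature name and the `malloc` relocation target are assumptions.

```python
import re

# Constructed sample of `objdump -dr` output for a relocatable ELF object
# (hypothetical, not from the original post). Tabs match objdump's layout.
SAMPLE_OBJDUMP = "\n".join([
    "0000000000000000 <main>:",
    "   0:\t55                   \tpush   %rbp",
    "   1:\t48 89 e5             \tmov    %rsp,%rbp",
    "   4:\t48 83 ec 10          \tsub    $0x10,%rsp",
    "   8:\tbf 0a 00 00 00       \tmov    $0xa,%edi",
    "   d:\te8 00 00 00 00       \tcall   12 <main+0x12>",
    "\t\t\te: R_X86_64_PLT32\tmalloc-0x4",
    "  12:\t48 89 45 f8          \tmov    %rax,-0x8(%rbp)",
    "  16:\tc9                   \tleave",
    "  17:\tc3                   \tret",
])

INSN_RE = re.compile(r"^\s*([0-9a-f]+):\t((?:[0-9a-f]{2} )+)")
RELOC_RE = re.compile(r"^\s*([0-9a-f]+):\s+(R_\w+)")
# Width of the field an x86-64 relocation patches; everything else is 4.
RELOC_SIZE = {"R_X86_64_64": 8, "R_X86_64_16": 2, "R_X86_64_8": 1}

def parse_objdump(text):
    """Map offset -> hex byte, plus the offsets covered by relocations."""
    code, wild = {}, set()
    for line in text.splitlines():
        m = INSN_RE.match(line)
        if m:  # instruction (or continuation) line: "addr:<TAB>bytes"
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                code[base + i] = b
            continue
        m = RELOC_RE.match(line)
        if m:  # relocation line: the linker rewrites these bytes later
            base = int(m.group(1), 16)
            wild.update(range(base, base + RELOC_SIZE.get(m.group(2), 4)))
    return code, wild

def make_pattern(text):
    """Byte list in objdump order with relocated bytes replaced by '??'."""
    code, wild = parse_objdump(text)
    lo, hi = min(code), max(code)
    if len(code) != hi - lo + 1:
        raise ValueError("disassembly has gaps; signature would be wrong")
    return ["??" if a in wild else code[a] for a in range(lo, hi + 1)]

def ndb_signature(name, text, target=0):
    """One ClamAV .ndb line: Name:TargetType:Offset:HexSignature.
    target 0 = any file type, 6 = ELF; '*' = match at any offset."""
    return f"{name}:{target}:*:{''.join(make_pattern(text))}"
```

Write the returned lines to a file ending in `.ndb` and load it with `clamscan -d that.ndb <files>`; for the sample above the hex part is `554889e54883ec10bf0a000000e8????????488945f8c9c3`.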
