
vxsig's Issues

BinExport files misformed

When using the last commit (470f04635c4bb8007035bf1fa4f529b80f6e6d3b), some BinExport files in the testdata directory are invalid.

List of invalid files (in vxsig/testdata):

  • 328b26dc3f0d8543e151495f4d6f3960323e3f51223522c2e4cd1e2fe9f9ed8f.BinExport
  • 8433c9a6345d210d2196096461804d7137bbf2a6b71b20cc21f4ecf7d15ef6c2.BinExport
  • 61971471cedcb4daed8d07ad79297568ffdaa17eb4ff301dc953cfafa91a4507.BinExport
  • sshd.korg.BinExport

The tool, used with any of the associated BinDiff files, will fail with this error message.

± % bazel-bin/vxsig/vxsig --detection_name=VxSigTestSig --trim_length=400 vxsig/testdata/sshd.korg_vs_sshd.trojan1.BinDiff
Parsing diff results
Loading function metadata and instruction data
[siggen_main.cc : 102] RAW: Check status.ok() failed: Failed to generate signature: failed parsing vxsig/testdata/sshd.korg.BinExport
[1]    13700 abort      bazel-bin/vxsig/vxsig --detection_name=VxSigTestSig --trim_length=400 

Remark: The other files work and a signature is generated.

The list of invalid files was found using this:

find vxsig/testdata -name '*.BinExport' -exec sh -c "cat {} | protoc --decode_raw 1>/dev/null || echo {}"
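The protoc --decode_raw check above only tests that a file parses as protobuf wire format. As an added example (not vxsig's own code), the Python below performs the same structural walk and reports why a file is rejected; the function names are mine, and the sample messages used in testing are constructed.

```python
from pathlib import Path

def _read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, new_pos) or raise ValueError."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError(f"truncated varint at offset {pos}")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError(f"varint longer than 10 bytes at offset {pos}")

def wire_format_error(buf):
    """Walk the top-level fields of a serialized protobuf message; return None
    if every key and length fits inside buf, else a short reason. Like
    protoc --decode_raw this checks only wire structure, not the BinExport
    schema. Group wire types 3/4 are rejected here (assumption)."""
    pos = 0
    while pos < len(buf):
        try:
            key, pos = _read_varint(buf, pos)
            field, wtype = key >> 3, key & 7
            if field == 0:
                return f"field number 0 at offset {pos}"
            if wtype == 0:          # varint payload
                _, pos = _read_varint(buf, pos)
            elif wtype == 1:        # 64-bit fixed
                pos += 8
            elif wtype == 2:        # length-delimited: bytes, strings, submessages
                length, pos = _read_varint(buf, pos)
                pos += length
            elif wtype == 5:        # 32-bit fixed
                pos += 4
            else:
                return f"unsupported wire type {wtype} for field {field}"
            if pos > len(buf):
                return f"field {field} runs past end of data"
        except ValueError as exc:
            return str(exc)
    return None

def invalid_binexports(directory):
    """Names of *.BinExport files under directory whose wire structure is broken."""
    return sorted(p.name for p in Path(directory).rglob("*.BinExport")
                  if wire_format_error(p.read_bytes()) is not None)
```

Run invalid_binexports("vxsig/testdata") to get the same list the find/protoc one-liner produces, plus a reason per file via wire_format_error.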

Compilation Failure: No filesystem.cc file

Dear folks,

May I have your advice over this error? Thank you so much. Stay safe from virus.

Regards,
Anthony

hacker@ubuntu:~$ git clone https://github.com/google/vxsig && cd vxsig
Cloning into 'vxsig'...
remote: Enumerating objects: 33, done.
remote: Counting objects: 100% (33/33), done.
remote: Compressing objects: 100% (31/31), done.
remote: Total 304 (delta 7), reused 10 (delta 2), pack-reused 271
Receiving objects: 100% (304/304), 18.97 MiB | 5.48 MiB/s, done.
Resolving deltas: 100% (176/176), done.
hacker@ubuntu:~/vxsig$ bazel build -c opt //vxsig:vxsig
Starting local Bazel server and connecting to it...
INFO: Analyzed target //vxsig:vxsig (38 packages loaded, 944 targets configured).
INFO: Found 1 target...
INFO: Deleting stale sandbox base /home/hacker/.cache/bazel/bazel_hacker/2d6676569272affd55cecfcb749b2caa/sandbox
INFO: From Compiling vxsig/siggen_main.cc:
In file included from ./vxsig/match_chain_table.h:53:0,
from ./vxsig/generic_signature.h:22,
from ./vxsig/siggen.h:37,
from vxsig/siggen_main.cc:32:
bazel-out/k8-opt/bin/vxsig/vxsig.pb.h: In function 'int main(int, char**)':
bazel-out/k8-opt/bin/vxsig/vxsig.pb.h:2640:19: warning: 'trim_algorithm' may be used uninitialized in this function [-Wmaybe-uninitialized]
trim_algorithm
= value;

vxsig/siggen_main.cc:58:47: note: 'trim_algorithm' was declared here
SignatureDefinition::SignatureTrimAlgorithm trim_algorithm;
                                            ^~~~~~~~~~~~~~
ERROR: /home/hacker/.cache/bazel/_bazel_hacker/2d6676569272affd55cecfcb749b2caa/external/com_google_binexport/BUILD.bazel:100:11: C++ compilation of rule '@com_google_binexport//:filesystem' failed (Exit 1) gcc failed: error executing command /usr/bin/gcc -U_FORTIFY_SOURCE -fstack-protector -Wall -Wunused-but-set-parameter -Wno-free-nonheap-object -fno-omit-frame-pointer -g0 -O2 '-D_FORTIFY_SOURCE=1' -DNDEBUG -ffunction-sections ... (remaining 52 argument(s) skipped)

Use --sandbox_debug to see verbose messages from the sandbox
external/com_google_binexport/util/filesystem.cc:39:10: fatal error: filesystem: No such file or directory
#include <filesystem>
       ^~~~~~~~~~~~
compilation terminated.
Target //vxsig:vxsig failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 41.416s, Critical Path: 7.95s
INFO: 17 processes: 17 linux-sandbox.
FAILED: Build did NOT complete successfully

VxSig doesn't seem to be producing correct Yara signatures when using static binaries

The Yara signatures look off, and don't correctly match the expected binaries when using static binaries, produced using IDA Free, BinExport, and processed via VxSig.

Processing the following files outputs the warnings:
string "$" may slow down scanning
warning: rule "VxSig_Signature": too many matches for $, results for this rule may be incorrect
warning: rule "VxSig_Signature": too many matches for $, results for this rule may be incorrect
warning: rule "VxSig_Signature": too many matches for $, results for this rule may be incorrect
warning: rule "VxSig_Signature": too many matches for $, results for this rule may be incorrect
warning: rule "VxSig_Signature": too many matches for $, results for this rule may be incorrect

And only one of the two files used to produce the diff is matched by the signatures.

Files attached:
vxsig_attempt.zip

build error on windows: xargs: command not found

bazel build -c opt //vxsig:vxsig
Extracting Bazel installation...
Starting local Bazel server and connecting to it...
INFO: Repository com_google_binexport instantiated at:
  D:/test/vxsig/WORKSPACE:50:13: in <toplevel>
Repository rule http_archive defined at:
  C:/users/user123456/_bazel_admin/4uuzjk7y/external/bazel_tools/tools/build_defs/repo/http.bzl:372:31: in <toplevel>
ERROR: An error occurred during the fetch of repository 'com_google_binexport':
   Traceback (most recent call last):
        File "C:/users/user123456/_bazel_admin/4uuzjk7y/external/bazel_tools/tools/build_defs/repo/http.bzl", line 143, column 10, in _http_archive_impl
                patch(ctx, auth = auth)
        File "C:/users/user123456/_bazel_admin/4uuzjk7y/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 193, column 21, in patch
                fail("Error applying patch command %s:\n%s%s" %
Error in fail: Error applying patch command find . -path ./third_party -prune -o \( -name '*.cc' -o -name '*.h' \) -print0 |xargs -0 -P8 -n1 sed -i.bak 's,^\(#include "\)third_party/\(absl\),\1\2,g':
FIND: ������ʽ����ȷ
/usr/bin/bash: line 1: xargs: command not found
ERROR: D:/test/vxsig/WORKSPACE:50:13: fetching http_archive rule //external:com_google_binexport: Traceback (most recent call last):
        File "C:/users/user123456/_bazel_admin/4uuzjk7y/external/bazel_tools/tools/build_defs/repo/http.bzl", line 143, column 10, in _http_archive_impl
                patch(ctx, auth = auth)
        File "C:/users/user123456/_bazel_admin/4uuzjk7y/external/bazel_tools/tools/build_defs/repo/utils.bzl", line 193, column 21, in patch
                fail("Error applying patch command %s:\n%s%s" %
Error in fail: Error applying patch command find . -path ./third_party -prune -o \( -name '*.cc' -o -name '*.h' \) -print0 |xargs -0 -P8 -n1 sed -i.bak 's,^\(#include "\)third_party/\(absl\),\1\2,g':
FIND: ������ʽ����ȷ
/usr/bin/bash: line 1: xargs: command not found
ERROR: D:/test/vxsig/vxsig/BUILD.bazel:438:10: //vxsig:vxsig depends on @com_google_binexport//:filesystem in repository @com_google_binexport which failed to fetch. no such package '@com_google_binexport//': Error applying patch command find . -path ./third_party -prune -o \( -name '*.cc' -o -name '*.h' \) -print0 |xargs -0 -P8 -n1 sed -i.bak 's,^\(#include "\)third_party/\(absl\),\1\2,g':
FIND: ������ʽ����ȷ
/usr/bin/bash: line 1: xargs: command not found
ERROR: Analysis of target '//vxsig:vxsig' failed; build aborted: Analysis failed
INFO: Elapsed time: 35.611s
INFO: 0 processes.
FAILED: Build did NOT complete successfully (37 packages loaded, 124 targets configured)

How to generate signatures for a set of binaries (more than two binaries)

Hi all,

Thank you for your wonderful work. I am trying to use VxSig to generate AV signatures for a few malware families, where each family consists of multiple binaries (>2).

If I understand correctly, VxSig takes a pair of binaries as input, locates the common parts, and finally generates YARA rules to represent them.

Now how to generate signatures for a pair of binaries is clear. However, I am still confused about how to use VxSig to generate YARA rules for a set of binaries (more than two binaries). Actually I have some initial ideas, but I am not sure.

Could you give me some suggestions, or, what is the best practice of dealing with more than two binaries?

Many thanks in advance!

Failed to build vxsig, absl header not found

Here's the error shown below.
Please help to fix the problem.
Thanks,
Glen

$ bazel version
Build label: 1.0.0

$ git clone https://github.com/google/vxsig
$ cd vxsig

$ git log
commit 27f5ef3 (HEAD -> master, origin/master, origin/HEAD)

$ bazel build -c opt //vxsig:vxsig --incompatible_disable_deprecated_attr_params=false

In file included from external/com_google_binexport/util/canonical_errors.cc:15:
bazel-out/darwin-opt/bin/external/com_google_binexport/_virtual_includes/status/third_party/zynamics/binexport/util/canonical_errors.h:18:10: fatal error: 'third_party/absl/base/attributes.h' file not found
#include "third_party/absl/base/attributes.h"
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 error generated.
Target //vxsig:vxsig failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 158.249s, Critical Path: 18.96s
INFO: 232 processes: 232 darwin-sandbox.
FAILED: Build did NOT complete successfully
