GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → trendmicro → telfhash

trendmicro / telfhash

Licence: Apache-2.0 license
Symbol hash for ELF files

Programming Languages

python
139335 projects - #7 most used programming language

Labels

hashelfmalware-analysis

Projects that are alternatives of or similar to telfhash

Lief
Authors
Stars: ✭ 2,730 (+3540%)
Mutual labels:  elf, malware-analysis
Detect It Easy
Program for determining types of files for Windows, Linux and MacOS.
Stars: ✭ 2,982 (+3876%)
Mutual labels:  elf, malware-analysis
Habomalhunter
HaboMalHunter is a sub-project of Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on the Linux system.
Stars: ✭ 627 (+736%)
Mutual labels:  elf, malware-analysis
MalwareHashDB
Malware hashes for open source projects.
Stars: ✭ 31 (-58.67%)
Mutual labels:  hash, malware-analysis
bonomen
BONOMEN - Hunt for Malware Critical Process Impersonation
Stars: ✭ 42 (-44%)
Mutual labels:  malware-analysis
sha3
SHA3 for Ruby is a XKCP based native (C) binding to SHA3 (FIPS 202) cryptographic hashing algorithm
Stars: ✭ 35 (-53.33%)
Mutual labels:  hash
cheatsheet
These are some of the commands which I use frequently during Malware Analysis and DFIR.
Stars: ✭ 23 (-69.33%)
Mutual labels:  malware-analysis
gdb-memstr
Generate arbitrary strings out of contents of ELF sections
Stars: ✭ 13 (-82.67%)
Mutual labels:  elf
dcc
Direct/Interactive C Compiler
Stars: ✭ 18 (-76%)
Mutual labels:  elf
haiti
🔑 A CLI tool to identify the hash type of a given hash.
Stars: ✭ 95 (+26.67%)
Mutual labels:  hash
BlockHashLoc
Recover files using lists of blocks hashes, bypassing the File System entirely
Stars: ✭ 45 (-40%)
Mutual labels:  hash
ELFPatch
A library for patching ELFs
Stars: ✭ 46 (-38.67%)
Mutual labels:  elf
assemblyline
AssemblyLine 4 - File triage and malware analysis
Stars: ✭ 69 (-8%)
Mutual labels:  malware-analysis
elfloader
ARMv7M ELF loader
Stars: ✭ 71 (-5.33%)
Mutual labels:  elf
ipld-explorer-cli
🔎 Explore the IPLD directed acyclic graph with your keyboard
Stars: ✭ 22 (-70.67%)
Mutual labels:  hash
aparoid
Static and dynamic Android application security analysis
Stars: ✭ 62 (-17.33%)
Mutual labels:  malware-analysis
WeDefend
⛔🛡️ WeDefend - Monitor and Protect Windows from Remote Access Trojan
Stars: ✭ 23 (-69.33%)
Mutual labels:  malware-analysis
emerald
Import DynamoRIO drcov code coverage data into Ghidra
Stars: ✭ 30 (-60%)
Mutual labels:  malware-analysis
abireport
Tool to create ABI reports from ELF binaries in packaging
Stars: ✭ 16 (-78.67%)
Mutual labels:  elf
elf-stuff
Compilation of ELF Packers and ELF obfuscation / Anti-Debugging stuff
Stars: ✭ 20 (-73.33%)
Mutual labels:  elf
View All Similar Projects ➔

Trend Micro ELF Hash (telfhash)

telfhash is symbol hash for ELF files, just like imphash is imports hash for PE files. With telfhash, you can cluster ELF files by similarity based on symbols. This is particularly useful for clustering malicious samples. If a sample has no symbols, telfhash uses its call addresses destinations to emulate a symbol list. See Resources section for more information.

Installation

pip

The easiest way to get telfhash working is installing it via pip:

pip install telfhash

Manual

Requirements

telfhash uses TLSH in generating the hash. TLSH must be installed in your system in order for telfhash to work.

You can install TLSH from here:

The TLSH git repo has detailed instructions on how to compile and install the TLSH binaries and libraries. Don't forget to also install the TLSH Python library. telfhash uses the TLSH Python library to generate the actual hash.

Installing

Clone the telfhash repository from here:

Use the setup.py to install the telfhash library:

python setup.py install

Usage

Command line

If telfhash was installed via the python setup.py install command, the telfhash executable will by made available.

$ telfhash -h
usage: telfhash.py [-h] [-g] [-t THRESHOLD] [-r] [-d] files [files ...]

positional arguments:
  files                 Target ELF file(s). Accepts wildcards

optional arguments:
  -h, --help            show this help message and exit
  -g, --group           Group the files according to how close their telfhashes
                        are
  -t THRESHOLD, --threshold THRESHOLD
                        Minimum distance betweeen telfhashes to be considered
                        as related. Only works with -g/--group. Defaults to 50
  -r, --recursive       Deep dive into all the subfolders. Input should be a
                        folder
  -d, --debug           Print debug messages

$ telfhash /bin/trace*
/bin/tracepath    09d097025c0b40af18cb0c08ac3f2f5df100d850483bc1404f108809113290a2d6ae4f
/bin/traceroute   65e02002d9b9552f56f35e709caf6fa57115f841e83b87148f04b592c023542ed0549f
/bin/traceroute6  65e02002d9b9552f56f35e709caf6fa57115f841e83b87148f04b592c023542ed0549f

$ telfhash -g /sbin/ip*
/sbin/ip                        33c15268ac66484d58be0e68ed2d7e68c25b5b97edf02b10dff4c412d2c3586725f01b
/sbin/ip6tables                 083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/ip6tables-legacy          083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/ip6tables-legacy-restore  083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/ip6tables-legacy-save     083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/ip6tables-restore         083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/ip6tables-save            083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/ipmaddr                   7dc08c0a6622ad4b2af66e781c3322864248e073b06ccb56aaaf854088062091c6011c
/sbin/ipset                     e4a0029085e66bce4ed2146959136540409454e38028d780613002a6d70154d5023d6a
/sbin/iptables                  083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/iptables-apply            -
/sbin/iptables-legacy           083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/iptables-legacy-restore   083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/iptables-legacy-save      083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/iptables-restore          083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/iptables-save             083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66
/sbin/iptstate                  1ef02223f4318ca385920c9910f975a131268721a1dbb80dff038e758bad21e65718cf
/sbin/iptunnel                  d5c08c4aa612ad5b3ae72e781c3330868248e0b2b05c8b52aa2a854089062090c60518

Group 1:
    /sbin/ipmaddr
    /sbin/iptunnel
Group 2:
    /sbin/ip6tables
    /sbin/ip6tables-legacy
    /sbin/ip6tables-legacy-restore
    /sbin/ip6tables-legacy-save
    /sbin/ip6tables-restore
    /sbin/ip6tables-save
    /sbin/iptables
    /sbin/iptables-legacy
    /sbin/iptables-legacy-restore
    /sbin/iptables-legacy-save
    /sbin/iptables-restore
    /sbin/iptables-save
Cannot be grouped:
    /sbin/iptstate
    /sbin/ipset
    /sbin/ip

Python module

>>> import telfhash
>>> import pprint
>>> telfhash.telfhash("/bin/ping")
{'file': '/bin/ping', 'telfhash': '6901d303587a847f9aa30ce44c3f3f5c6101e9525eb2d354cf1297948022b40aa4a99f', 'msg': ''}
>>>
>>> results = telfhash.telfhash("telfhash/tests/samples/hdumps/*")
>>> groups = telfhash.group(results)
>>> pprint.pprint(groups)
{'grouped': (('telfhash/tests/samples/hdumps/hdump_32_so_stat_stripped',
              'telfhash/tests/samples/hdumps/hdump_32_stat_stripped'),
             ('telfhash/tests/samples/hdumps/hdump_64_so_stat_stripped',
              'telfhash/tests/samples/hdumps/hdump_64_stat_stripped'),
             ('telfhash/tests/samples/hdumps/hdump_32_so_stat',
              'telfhash/tests/samples/hdumps/hdump_32_stat',
              'telfhash/tests/samples/hdumps/hdump_64_so_stat',
              'telfhash/tests/samples/hdumps/hdump_64_stat',
              'telfhash/tests/samples/hdumps/hdump_static'),
             ('telfhash/tests/samples/hdumps/hdump',
              'telfhash/tests/samples/hdumps/hdump32',
              'telfhash/tests/samples/hdumps/hdump_32_dyn',
              'telfhash/tests/samples/hdumps/hdump_32_dyn_stripped',
              'telfhash/tests/samples/hdumps/hdump_32_so_dyn',
              'telfhash/tests/samples/hdumps/hdump_32_so_dyn_stripped',
              'telfhash/tests/samples/hdumps/hdump_64_dyn',
              'telfhash/tests/samples/hdumps/hdump_64_dyn_stripped',
              'telfhash/tests/samples/hdumps/hdump_64_so_dyn',
              'telfhash/tests/samples/hdumps/hdump_64_so_dyn_stripped',
              'telfhash/tests/samples/hdumps/hdump_dynamic',
              'telfhash/tests/samples/hdumps/hdump_stripped')),
 'nogroup': []}
>>>
>>> telfhash.telfhash("samples/LinuxMoose/LinuxMoose.arm7.2015.0.bin")
{'file': 'samples/LinuxMoose/LinuxMoose.arm7.2015.0.bin', 'telfhash': None, 'msg': 'No symbols found'}
>>> telfhash.telfhash("/bin/ls", "/bin/lsattr")
[{'file': '/bin/ls', 'telfhash': '1ff0994248230af71762c8b15c0533da9a208b2656e5bf302f1985d04e2a5be779284f', 'msg': ''}, {'file': '/bin/lsattr', 'telfhash': '69c08017dd0fe4f35dd90d589c07380ae7dee06057b9d7400d3c46c1755058c5d5555d', 'msg': ''}]

Resources

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].