Comparing changes

base repository: Cisco-Talos/CASC
base: v1.0.0
head repository: Cisco-Talos/CASC
compare: master

Commits on Mar 6, 2017

  1. c4e30d5

Commits on Mar 20, 2017

  1. 302a355
  2. updated revision date

    demonduck committed Mar 20, 2017 (3dd915e)
  3. Merge pull request #7 from vrtadmin/dev

    Dev
    demonduck authored Mar 20, 2017 (8101c28)

Commits on Mar 28, 2017

  1. fix for #8

    disassembly no longer has to be part of a function
    demonduck committed Mar 28, 2017 (fa9199a)

Commits on Apr 12, 2017

  1. fix for setl intel instr

    demonduck committed Apr 12, 2017 (6751f9c)
  2. fixup opcodes to prevent invalid signature

    crude attempt to normalize the opcodes when masking is done to prevent
    invalid signatures. Not highly optimized and may create longer than
    necessary signatures. Manual updates should be performed if needed.
    demonduck committed Apr 12, 2017 (59bba2a)

Commits on May 12, 2017

  1. fix when default mask is used

    fixes errors caused when looking at .NET binaries.
    demonduck committed May 12, 2017 (f04489d)
  2. updated last revision date

    demonduck committed May 12, 2017 (3f1420e)

Commits on Jul 3, 2017

  1. Update README.md

    Cleanup of Markdown
    vrtadmin authored Jul 3, 2017 (0686f97)
  2. Update README.md

    More Markdown Cleanup
    vrtadmin authored Jul 3, 2017 (d747a0b)

Commits on Jul 7, 2017

  1. fixed variable typo

    demonduck committed Jul 7, 2017 (ac9e8df)

Commits on Jul 19, 2017

  1. Merge pull request #10 from Cisco-Talos/dev

    Dev
    demonduck authored Jul 19, 2017 (30baebb)

Commits on Jul 20, 2017

  1. Implemented signature analyze functionality

    Jonas Zaddach committed Jul 20, 2017 (26a54f3)
  2. Use better way to get current tag from git repo

    Jonas Zaddach committed Jul 20, 2017 (0993acd)
  3. Debugged absolute offset in ndb signatures

    Jonas Zaddach committed Jul 20, 2017 (305d953)
  4. Remove highlighting before saving db and restore after to avoid having stale highlighting

    Jonas Zaddach committed Jul 20, 2017 (5adb8ce)
  5. Generate unique signature dict key

    Jonas Zaddach committed Jul 20, 2017 (93cdefa)
  6. Do not add signature if it couldn't be parsed

    Jonas Zaddach committed Jul 20, 2017 (f2c6419)
  7. f2417af

Commits on Jul 28, 2017

  1. Fix yara translation for skip with lower bound 0

    Jonas Zaddach committed Jul 28, 2017 (b3ec558)
  2. Fix wrong initializer type for matches and typo

    Jonas Zaddach committed Jul 28, 2017 (3eacb9c)
  3. Merge pull request #11 from zaddach/sigalyzer

    Sigalyzer
    number0x37 authored Jul 28, 2017 (6b8e867)

Commits on Sep 21, 2017

  1. 0dc25bd

Commits on Oct 17, 2017

  1. Build packages with 32 and 64 bit binaries (IDA 7.0)

    Jonas Zaddach committed Oct 17, 2017 (e9a4731)
  2. Updated README for Ida Pro 7.0

    Jonas Zaddach committed Oct 17, 2017 (8bf2dd4)

Commits on Dec 7, 2017

  1. Correctly access error token in signature parse error

    Jonas Zaddach committed Dec 7, 2017 (8d170f2)
  2. Merge pull request #12 from zaddach/jonas/ida7_doc

    IDA 7.0 compatibility and documentation fixes
    demonduck authored Dec 7, 2017 (b23b4ab)

Commits on Apr 23, 2018

  1. 280c42f
  2. Merge pull request #15 from demonduck/ida-7.1-fix

    enough to get CASC working with IDA 7.1 (for the most part)
    demonduck authored Apr 23, 2018 (9597f49)

Commits on Sep 11, 2018

  1. Changed ndb/ldb signature detection

    Jonas Zaddach committed Sep 11, 2018 (3dd8f99)
  2. Removed ambiguities from signature parser

    Jonas Zaddach committed Sep 11, 2018 (2181f8b)
  3. Cleaned up imports

    Jonas Zaddach committed Sep 11, 2018 (a3e47e2)
  4. Removed conflicts from parser

    Jonas Zaddach committed Sep 11, 2018 (4720c94)
  5. Fixed cases of missing package specifier

    Jonas Zaddach committed Sep 11, 2018 (1cf2cf1)
  6. Fixed typo ',' -> '.'

    Jonas Zaddach committed Sep 11, 2018 (eb940de)
  7. Removed debug print messages

    Jonas Zaddach committed Sep 11, 2018 (0e4c3f7)
  8. IDA 7.1 needs GetIdaDirectory import from idc

    Jonas Zaddach committed Sep 11, 2018 (9fb1bc5)
  9. Use 'git describe --always --tags' for more robust tag

    Jonas Zaddach committed Sep 11, 2018 (d5dc9ae)
  10. Merge pull request #20 from zaddach/jonas/ida71

    Support for IDA 7.1 and lots of parser fixes
    demonduck authored Sep 11, 2018 (770a819)

Commits on Sep 12, 2018

  1. Merge pull request #21 from Cisco-Talos/dev

    Release accompanying SigAnalyzer blog post
    demonduck authored Sep 12, 2018 (9740d9c)
150 changes: 95 additions & 55 deletions README.md
@@ -1,37 +1,62 @@
================================================================================
ClamAV Signature Creator (CASC) - IDA Pro plug-in to generate signatures
================================================================================
Disclaimer
============
## ClamAV Signature Creator (CASC) - IDA Pro plug-in to generate signatures



## Disclaimer

THE SOFTWARE TOOL AND RELAED DATA (THE “TOOL”) AND ANY ALTERATIONS, MODIFICATIONS, ENHANCEMENTS AND IMPROVEMENTS THERETO AND TECHNICAL SUPPORT (IF ANY) ARE BEING PROVIDED TO YOU ON AN “AS-IS” BASIS, WITHOUT WARRANTY, EXPRESS OR IMPLIED, OF ANY KIND INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK ARISING OUT OF YOUR USE OF THE TOOL REMAINS SOLELY WITH YOU. YOU ACKNOWLEDGE AND AGREE THAT USE OF THE TOOL IS SOLELY AT YOUR OWN RISK. IN NO EVENT SHALL CISCO OR ITS LICENSORS BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES WHATSOEVER AS A RESULT OF YOUR USE OF THE TOOL, INCLUDING, WITHOUT LIMITATION, LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF DATA, OR OTHER LOSS ARISING OUT OF THE USE OF OR INABILITY TO USE THE TOOL, EVEN IF CISCO HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, OR FOR ANY CLAIM BY YOU OR BASED ON A THIRD PARTY CLAIM.

============


## CASC
The ClamAV Signature Creator (CASC), is an IDA Pro plug-in to aid reverse
engineers in creating ClamAV NDB and LDB signatures from IDA Pro's Disassembly
or Strings view.

CASC should run on any platform that supports IDA Pro 6.7 and higher.
Limited functionality is available for IDA Pro 6.6
Limited functionality is available for IDA Pro 6.6.
The signature analyzer part of CASC has only been tested on IDA 6.9.

README with pictures can be found on our wiki:
https://github.com/vrtadmin/casc/wiki

Installation
============
The ClamAV Signature Creator (CASC) is easy to install. Simply copy and paste
the Python script (clamav_sig_creator.py) to IDA Pro’s plug-in directory

[https://github.com/vrtadmin/casc/wiki](https://github.com/vrtadmin/casc/wiki)

## Building
You need a working build system to build the yara-python library. On Ubuntu,
you can get that by installing `sudo apt-get install -y build-essential
libpython2.7-dev libpython2.7-dev:i386 gcc-multilib libssl-dev libssl-dev:i386`
on a 64 bit system (The build process has been developed for a 64 bit machine,
and will not work out of the box on a 32 bit machine).

Run `python package.py --output <output-dir>` to build the plugin zip archives.
This will build all combinations of 32/64 versions for Windows and Linux.

## Installation
If you are using your system's python for IDA Pro (probably the case if you're
on a 32 bit Linux system, or on a 64 bit Linux system and you're using IDA 7.0
or higher), you can install the packages _ply_, _yara-python_ and
_ida-netnode_, and then unzip the _casc-\*-universal.zip_ archive into your IDA
Pro directory.

Otherwise, if you use the python bundled with IDA Pro, you'll need to install
the libraries in this python. Either you can do this by yourself (e.g., by
following the instructions from [hexblog](http://www.hexblog.com/?p=726)), or
you use the archives with bundled dependencies that we provide. Those archives
are built as described in the [building][#Building] step above, by running
_package.py_. To install an archive, simply pick the _casc-\*-fat.zip_
corresponding to your system, and unzip it in your IDA Pro directory.

In case you don't want to install additional libraries, the plugin will degrade
gracefully and hide the _"Analyze"_ functionality which requires the libraries to
be installed.

| Operating System | IDA Pro Plug-in Path |
| ------------------------------ | -----------------------------------------|
| Windows XP (x86) | C:\Program Files\IDA 6.7\plugins\ |
| Windows Vista and higher (x64) | C:\Program Files (x86)\IDA 6.7\plugins\ |
| Linux | <ida_install_dir>/plug-ins |
| Windows XP (x86) | `C:\Program Files\IDA 6.7\plugins\` |
| Windows Vista and higher (x64) | `C:\Program Files (x86)\IDA 6.7\plugins\` |
| Linux | `<ida_install_dir>/plug-ins ` |

## Support Information

Support Information
===================
ClamAV Signature Creator (CASC) is meant for creating ClamAV signatures on the
sample as it exists on disk. Sub signatures could be based off unpacked code
during the sample’s execution, however, ClamAV would not be able to match those
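Review bot: the Installation paragraph links back to the Building section with `[building][#Building]`, which is reference-style syntax and will not render as a link in Markdown; use an inline anchor, `[building](#building)`. Two smaller points in the same hunk: the Disclaimer still reads "RELAED DATA" (RELATED), and the plug-in path table spells the directory `plugins\` on both Windows rows but `plug-ins ` on the Linux row, with a stray trailing space inside the backticks; the name should be spelled the same on every row and the space dropped. The sentence "you can get that by installing `sudo apt-get install ...`" would also read better as "by running".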
@@ -41,6 +66,8 @@ Tested on
---------
| IDA Pro Version | OK | Notes |
| ----- | --------------- | ---------------------------------------------------|
| 7.0 | Y | |
| 6.95| Y | |
| 6.7 | Y | |
| 6.6 | Y | Doesn't support right click option in IDA View or Strings Windows |
| 6.5 | N | IDA doesn't provide PySide and Qt support |
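Review bot: the Tested on table gains rows for 7.0 and 6.95 but none for 7.1, although the commits included in this compare ("enough to get CASC working with IDA 7.1 (for the most part)" and "Support for IDA 7.1 and lots of parser fixes") say master targets 7.1; add a 7.1 row and carry that "for the most part" caveat into its Notes column. The empty Notes cells for 7.0 and 6.95 are also the natural place to record what the README states earlier, that the signature analyzer part has only been tested on IDA 6.9.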
@@ -59,65 +86,70 @@ Once the Python script is copied to the IDA Pro plug-ins folder, open IDA Pro
with a sample. There are two ways of opening the plug-in.

- IDA Pro’s Plug-in Menu (Edit -> Plugins -> ClamAV Signature Creator
- Press ` (backtik)
- Press \` (backtick)

Once the plug-in is opened you will be able to view sub signatures created in
the past and saved in the IDB, add new misc ClamAV sub signatures, and add sub
signatures generated from disassembly selected in the IDB.

Creating Sub Signatures
=======================
## Creating Sub Signatures

Sub signatures can either be created from disassembly viewable from within IDA
Pro or manually from entering/creating a valid ClamAV sub signature.

Insert Misc. Sub Signature
--------------------------
### Insert Misc. Sub Signature

A custom ClamAV sub signature can be created in a couple of different ways:
- Within the CASC plug-in window, press the Ins key
- Within the CASC plug-in window, right click and select Insert
- Within the CASC plug-in window, right click and select "Insert"
- Within the Strings window; select the string(s) of interest, right click,
and select “Add string to ClamAV Signature Creator”
and select "Add string to ClamAV Signature Creator"

### Insert Assembly Sub Signature

Insert Assembly Sub Signature
-----------------------------
There are several ways to create a sub signature from disassembly within the
IDB. All methods involve first selecting the code you are interested in
creating a signature from. Either highlight the code or position and click your
cursor in the basic block of interest, then:
- Within the CASC plug-in window, press Ctrl+Ins
- Within the CASC plug-in window, right click and select “Insert Assembly”

- Within the CASC plug-in window, press Ctrl+Ins
- Within the CASC plug-in window, right click and select "Insert Assembly"
- Within the IDA View window by
* Pressing Ctrl+`
* Right click and select Add Assembly to ClamAV Sig Creator…
* Pressing Ctrl+\`
* Right click and select "Add Assembly to ClamAV Sig Creator…"

The Assembly to Signature window will allow you to insert notes for the sub
signature, apply various masking options, and scroll through the
opcodes/assembly associated with that sub signature.

Selecting a masking option will change the opcodes and assembly text if the
masking option can be applied. Selecting Customize will allow you to edit the
masking option can be applied. Selecting "Customize" will allow you to edit the
opcodes (note the assembly area will not update for any customizations made).
If you uncheck “Customize” then all previously applied masking options will be
applied and the customizations will be deleted.

### Common Problems
## Common Problems
If a masking option is selected but the opcodes and assembly don’t change:

ESP Offsets
This will apply to [esp+offset] operands only
EBP Offsets
This will apply to [ebp+offset] operands only
Absolute Calls
IDA might display the disassembly as
call memset
However, that instruction may be a call to a function within the sample
This will apply to [ebp+offset] operands only

### Absolute Calls
IDA might display the disassembly as

`call memset`

However, that instruction may be a call to a function within the sample
that directly calls or jumps to the actual memset function. If that is the
case, no changes will be made.
Global Offsets
Still in testing, report any issues to
https://github.com/vrtadmin/casc/issues
[https://github.com/vrtadmin/casc/issues](https://github.com/vrtadmin/casc/issues)

### Editing Sub Signatures

Editing Sub Signatures
======================
To edit a signature, simply double click on the signature within the CASC
plug-in window and the signature will open up for editing. Any changes made
will be saved only if you press OK. Prior to saving a sub signature it will
@@ -126,28 +158,36 @@ component. If any problems exist, clicking the OK but will result in an error
message to its right. The error must be corrected before the sub signature will
be saved.

Creating ClamAV Signature
=========================
## Creating ClamAV Signature

Before creating a signature, make sure to give it a descriptive ClamAV
signature name (the default is Win.Trojan.Agent). Once a sub signature(s) is
created, you can select one or more sub signatures from the CASC plug-in window
(use Ctrl or Shift keys to select multiple signatures) and click the
Create ClamAV Signature
"Create ClamAV Signature"

Once the “Create ClamAV Signature” button is click a dialog box with a
formatted email will be displayed for the user to send to ClamAV’s
community-sigs list. Selecting the community-sigs@lists.clamav.net hyperlink
is a mailto: link. It will attempt to copy the signature information displayed
to the systems default mail client. Keep in mind if any special characters are
used then the email’s contents may not be correct and will need to be manually
copied over.

Bugs and Support
================
community-sigs list. Selecting the [community-sigs@lists.clamav.net](community-sigs@lists.clamav.net) hyperlink is a mailto: link. It will attempt to copy the signature information displayed to the systems default mail client. Keep in mind if any special characters are used then the email’s contents may not be correct and will need to be manually copied over.

## Analyzing ClamAV signatures
In the main plugin panel, use the tabbed pane to switch to the _"Analyze"_
mode. Note that this tab is not available if you don't have the required
libraries installed. You can now paste a ClamAV .ldb or .ndb signature in the
text field above the _"Add Signature"_ button. Once you then click _Add
signature_, the signature will appear in the left top list (if it was well
formatted and parsed by the plugin, otherwise check the IDA Pro output window
for errors). Now you can double-click on the signature in the list. For .ndb
signatures this will directly bring you to the matched part of the binary,
and color the match in red. For .ldb signatures, the subsignatures will be
displayed in the right list element. If you double-click any of the sub
signature entries, it will bring you to the match for this subsignature.

## Bugs and Support
There is no support provided with CASC.

If you think you've found a bug, please report it at:
https://github.com/vrtadmin/casc/issues
[https://github.com/vrtadmin/casc/issues](https://github.com/vrtadmin/casc/issues)

In order to help us solve your issues as quickly as possible,
please include the following information when filing a bug:
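Review bot: the heading hierarchy is inconsistent after this hunk. `## Common Problems` is promoted to the same level as `## Creating Sub Signatures`, while `### Absolute Calls` and `### Editing Sub Signatures` now hang beneath it, so Editing Sub Signatures (previously its own top-level `===` heading) reads as one of the common problems; keep `### Common Problems` and make Editing Sub Signatures a `##` section. Inside Common Problems, "ESP Offsets", "EBP Offsets" and "Global Offsets" are left as bare lines, so rendered Markdown folds "Global Offsets" into "Still in testing, report any issues to" as one paragraph, and the line "This will apply to [ebp+offset] operands only" is now duplicated; give each entry the same `###` heading that Absolute Calls received, or turn the group into a list. Separately, the link `[community-sigs@lists.clamav.net](community-sigs@lists.clamav.net)` has no `mailto:` scheme in its target, so it will not open a mail client as the sentence promises, and the surrounding prose carries small typos worth fixing while it is being touched: "button is click" (clicked), "the systems default mail client" (system's), and in the context line "clicking the OK but will" (button).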
@@ -159,4 +199,4 @@ please include the following information when filing a bug:
- Any other relevant information

Other options for communication can be found at:
https://github.com/vrtadmin/casc/wiki
[https://github.com/vrtadmin/casc/wiki](https://github.com/vrtadmin/casc/wiki)