Skip to content

Releases: Cisco-Talos/CASC

IDA 7.1 support and SigAnalyzer parser improvements

12 Sep 15:42
@zaddach zaddach
1.1.0
9740d9c
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.
Compare
Choose a tag to compare
IDA 7.1 support and SigAnalyzer parser improvements Latest
Latest

This release brings support for IDA Pro 7.1, improves the SigAnalyzer signature parser to understand more signatures, and fixes a couple of bugs.

To install, either pick one of the installation packages and unzip them into your IDA Pro directory, or get the source and build the installation packages yourself.

If you just want to use the CASC functionality without SigAnalyzer, you can pick the casc_1.1.0_universal.zip archive. The plugin will degrade gracefully to CASC-only mode if supporting libraries are missing.

Assets 7
Loading

CASC with Sigalyzer

02 Aug 18:40
@demonduck demonduck
1.1.0pre
6b8e867
Compare
Choose a tag to compare
CASC with Sigalyzer Pre-release
Pre-release

Bundled projects:

Assets 5
Loading

CASC v1.0.0

02 Feb 14:02
@demonduck demonduck
v1.0.0
18d3710
Compare
Choose a tag to compare
CASC v1.0.0

The ClamAV Signature Creator (CASC), is an IDA Pro plug-in to aid reverse engineers in creating ClamAV NDB and LDB signatures from IDA Pro's Disassembly, Strings, and Imports windows.

This version decoupled the masking UI and masking operations from the dialog boxes and Assembly class. Update allows for new architecture parsers and masking options to be created and used in a plug-in like fashion. The method for saving sub signature data has changed since CASC's initial release, thus, old IDBs with CASC data will not load up old CASC saved data.

Changes:

  • Added a minimized Intel parser to break out more instruction fields and options
  • Added a Intel mask UI to provide more options for masking opcodes/disassembly
  • Added signature decoding view in non disassembly GUI dialog boxes
  • Added minimized version of sigtool --decode to help understand the signature composition in a meaningful way (uses masked disassembly for assembly based sub signatures)
  • Added Original Opcodes view to Assembly dialog box to help with conducting customized masking/alterations to disassembly opcodes
  • Added right click menu to Imports window to allow imports to be used as a sub signature
  • Added Intel Masking
    • Corrections and refinements to masking global offsets, Jcc and JMP conditions
    • Can mask off individual register values for most instructions (instructions that use a fixed register will not alter)
  • Updated signature creation and validation to work with currently support ClamAV versions (0.98 and above)
    • Sub signatures now support alternate streams. Single or multi-byte fixed length alternate streams can be used
    • Hexsigs anchored to a byte are now supported (HEXSIG[x-y]aa or aa[x-y]HEXSIG)
  • Updated message and signature generated for ClamAV addition email
  • Fixed bug with CASC data storage and updated underlying storage mechanism to support storing data longer than 1024 characters
  • Fixed random IDA crash issues by ensuring thread safe coding practices for interaction with IDA components
  • Fixed misc. bugs and typos
Assets 2
Loading