
feat: implement dylib and entitlement hashing for macho #93

Merged (15 commits), May 23, 2024

Conversation

@latonis (Contributor) commented Mar 21, 2024

Implemented macho similarity functions dylib_hash() and entitlement_hash(), which are similar to imphash or any other attribute hashing mechanism.

This will hash dylib entries as defined in https://github.com/g-les/macho_similarity/blob/main/implementation.md#dylib-hashing.

  • I verified the hashing is consistent in both implementation and output by using python ~/src/macho_similarity/ktool_macho_bulk_hashing.py -f <macho>

I plan on implementing symtab_hash, import_hash, and export_hash in future PRs once I get each parsed out as well.
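
As an added example (not the PR's code and not YARA-X's implementation), the following Python walks a thin Mach-O's load commands, collects the dylib names, and turns them into an attribute hash in the imphash style the description compares these functions to; entitlement_hash() does the same over the keys of an entitlements plist. Everything beyond the Mach-O structures themselves is an assumption and is labelled as such in the code: which load commands contribute dylib names, the normalization (trim, lowercase, deduplicate, sort, join with ","), and that entitlement keys count regardless of their value. The sample image and plist are constructed inside the block and are not real binaries or signatures.

```python
import hashlib
import plistlib
import struct

# Constants from <mach-o/loader.h>.
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE          # 32-bit, native / byte-swapped
MH_MAGIC_64, MH_CIGAM_64 = 0xFEEDFACF, 0xCFFAEDFE    # 64-bit, native / byte-swapped
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LAZY_LOAD_DYLIB = 0x20
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD
# ASSUMPTION: these are the load commands whose dylib names feed the hash.
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB, LC_REEXPORT_DYLIB,
              LC_LAZY_LOAD_DYLIB, LC_LOAD_UPWARD_DYLIB}


def iter_load_commands(blob):
    """Yield (cmd, raw_command_bytes, endian_prefix) for a thin Mach-O image.
    Fat (universal) binaries must be sliced into thin images first."""
    if len(blob) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic in (MH_MAGIC, MH_MAGIC_64):
        end = "<"
    elif magic in (MH_CIGAM, MH_CIGAM_64):
        end = ">"
    else:
        raise ValueError("not a thin Mach-O image")
    is64 = magic in (MH_MAGIC_64, MH_CIGAM_64)
    ncmds, sizeofcmds = struct.unpack_from(end + "II", blob, 16)
    off = 32 if is64 else 28            # mach_header_64 has a trailing reserved field
    limit = min(len(blob), off + sizeofcmds)
    for _ in range(ncmds):
        if off + 8 > limit:
            raise ValueError("load command table truncated")
        cmd, cmdsize = struct.unpack_from(end + "II", blob, off)
        # Untrusted input: cmdsize 0 would loop forever and a huge cmdsize
        # would run past the file, so reject both before slicing.
        if cmdsize < 8 or off + cmdsize > limit:
            raise ValueError("load command overruns its table")
        yield cmd, blob[off:off + cmdsize], end
        off += cmdsize


def dylib_name(cmd_bytes, end):
    """struct dylib_command: cmd, cmdsize, then struct dylib { lc_str name;
    timestamp; current_version; compatibility_version }. lc_str is an offset
    from the start of the command to a NUL-terminated string."""
    if len(cmd_bytes) < 24:
        raise ValueError("dylib_command too short")
    name_off = struct.unpack_from(end + "I", cmd_bytes, 8)[0]
    if name_off >= len(cmd_bytes):
        raise ValueError("dylib name offset outside its load command")
    raw = cmd_bytes[name_off:].split(b"\0", 1)[0]
    return raw.decode("utf-8", errors="replace")


def attribute_hash_input(values):
    """ASSUMPTION about normalization, modelled on imphash-style attribute
    hashes: trim, lowercase, drop empties, deduplicate, sort, join with ','."""
    return ",".join(sorted({v.strip().lower() for v in values if v.strip()}))


def attribute_hash(values):
    joined = attribute_hash_input(values)
    return hashlib.md5(joined.encode("utf-8")).hexdigest() if joined else None


def dylib_names(blob):
    return [dylib_name(raw, end) for cmd, raw, end in iter_load_commands(blob)
            if cmd in DYLIB_CMDS]


def dylib_hash(blob):
    return attribute_hash(dylib_names(blob))


def entitlement_keys(plist_bytes):
    """ASSUMPTION: the entitlement hash covers the keys of the entitlements
    plist (as embedded in the code signature), whatever their values."""
    data = plistlib.loads(plist_bytes)
    return list(data.keys()) if isinstance(data, dict) else []


def entitlement_hash(plist_bytes):
    return attribute_hash(entitlement_keys(plist_bytes))


def build_macho(dylibs):
    """Constructed test input: a minimal little-endian arm64 MH_EXECUTE image
    whose only load commands are the given (cmd, name) dylib entries."""
    cmds = b""
    for cmd, name in dylibs:
        body = struct.pack("<IIII", 24, 2, 0x10000, 0x10000) + name.encode() + b"\0"
        body += b"\0" * (-len(body) % 8)          # cmdsize must be 8-byte aligned
        cmds += struct.pack("<II", cmd, 8 + len(body)) + body
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(dylibs), len(cmds), 0, 0)
    return header + cmds


# Constructed sample inputs (not real binaries or signatures).
SAMPLE_MACHO = build_macho([
    (LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib"),
    (LC_LOAD_WEAK_DYLIB, "/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation"),
    (LC_LOAD_DYLIB, "/usr/lib/libsystem.b.dylib"),   # case-variant duplicate
])
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.get-task-allow</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    print("dylib_hash      :", dylib_hash(SAMPLE_MACHO))
    print("entitlement_hash:", entitlement_hash(SAMPLE_ENTITLEMENTS))
```

On a real file you would first slice a fat binary into its thin images and pull the entitlements XML out of the LC_CODE_SIGNATURE superblob (the CSMAGIC_EMBEDDED_ENTITLEMENTS blob, magic 0xfade7171) before feeding it to entitlement_hash(). The case-variant duplicate in the sample shows why the normalization matters for similarity work: two images that differ only in path casing or load-command order hash the same, which is what you want when clustering samples, and is exactly the kind of detail to confirm against the reference implementation before relying on the values in rules.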

@latonis (Contributor, Author) commented May 17, 2024

i will get this PR fixed up this weekend :)

@latonis (Contributor, Author) commented May 18, 2024

Rust nightly channel is throwing up some weird compilation errors. Maybe a discussion for if nightly should be gated for the commits?

@plusvic, thoughts on nightly not being a gated check for tests?

@plusvic (Member) commented May 18, 2024

> Rust nightly channel is throwing up some weird compilation errors. Maybe a discussion for if nightly should be gated for the commits?
>
> @plusvic, thoughts on nightly not being a gated check for tests?

I agree, we could run tests with nightly once a day, just like we run the coverage tests.

@latonis latonis changed the title feat: implement dylib_hash function for macho feat: implement dylib and entitlement hashing for macho May 21, 2024
@latonis (Contributor, Author) commented May 21, 2024

@plusvic, this one is ready for review, the import and export parsing relies on me writing the trie parsing which requires uleb128 parsing among other things.

I think it would be good to get these two in for detection opportunities while I get the imports and exports parsed :)

@plusvic plusvic merged commit eec301a into VirusTotal:main May 23, 2024
15 checks passed
@latonis latonis deleted the macho-dylibhash branch May 23, 2024 18:41
plusvic pushed a commit that referenced this pull request May 29, 2024
#132)

Implements mach-o trie export parsing as well as the export_hash() function mentioned previously in #93.