tlsh fuzzy hashing

Question

tlsh fuzzy hashing

c3rb3ru5d3d53c opened this issue 3 years ago · 14 comments

c3rb3ru5d3d53c commented 3 years ago

Include Fuzzy Hashing

rpkrawczyk commented 3 years ago

Links:

Answer 1 · 2021-12-25T19:18:33.000Z

This should allow easy comparison of byte strings and trait strings for similarity.

Answer 2 · 2022-01-06T00:06:58.000Z

libtlsh-dev package should do it :)

Answer 3 · 2022-01-10T20:08:35.000Z

https://github.com/trendmicro/tlsh/blob/master/test/simple_unittest.cpp

Answer 4 · 2022-04-27T13:06:44.000Z

Add method and code to common.c. Interface?

Answer 5 · 2022-04-30T11:38:43.000Z

This is now merged, @herrcore and @pisco-sour, I'm going to swap this issue to you guys for implementation. 😄

Answer 6 · 2022-05-03T14:51:08.000Z

raw.cpp, pe.cpp and blelf.cpp need the functions ReadBuffer and ReadFile.

They all need to produce the json keys file_sha256, file_tlsh.

Answer 7 · 2022-05-03T14:52:02.000Z

Include tlsh in cmake build?

Answer 8 · 2022-05-03T18:27:08.000Z

Including the file-based data into the traits output is a nightmare. The decompiler outputs the traits but it does not known anything about the file, only sections are known to it. Introducing another global variable is a recipe for disaster IMHO.
Solutions could be:

Decompiler is initialised with a reference to a file, it will always know from where it startet. Then, of course a decompiler should not be reused for another file. Is this ever done?
Make methods with which to set file information in the decompiler, like set_tlsh, set_sha256, etc. They could be used if they were provided.
Call WriteTraits with a reference to the file and take the information from this reference.
Reorganise code completely to have a file class containing the the raw data, hashes, etc. The decompiler is initialised with this file class and can take its information from there. This could even be a "has a" relation.

I would favour the last solution but this would introduce some major code changes and the decompilers would have to be rewritten in huge parts. As we do not have that much time I do think this is feasible. Hence I would suggest solution 3, this can be done with little effort does not brake anything and makes kinda sense.

Answer 9 · 2022-05-04T05:19:29.000Z

Decompiler handles multiple types of files.
Yeah, I agree the decompiler should not be reused by another file.

One approach I was thinking about was to have only one extra function used only for python binding... one that sets the command line arguments. Then the python binding code just runs one function which contains what main() has, without the parameter processing. This way both CLI and python binding have similar way of interaction.

Answer 10 · 2022-05-04T11:22:15.000Z

We should elaborate in the next standup.

Answer 11 · 2022-05-04T11:27:42.000Z

Yeah, I think WriteTraits/GetTraits should be separate so we can execute these methods as well as set the appropriate data structures across multiple decompilers. The datastructure for the traits will be the same across all decompilers anyway.

Answer 12 · 2022-05-04T16:27:53.000Z

OK, the changes seem to be working so far. But I had to put the usage of the file hashes in the WriteTraits function as this is the only member function, the GetTraits... functions are static. Do they really need to be?

Answer 13 · 2022-05-07T00:11:24.000Z

Closing for now 😄 we can still continue improvements!