Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve Tlsh library in Yara #1962

Open
dmknght opened this issue Sep 13, 2023 · 0 comments
Open

Improve Tlsh library in Yara #1962

dmknght opened this issue Sep 13, 2023 · 0 comments

Comments

@dmknght
Copy link

dmknght commented Sep 13, 2023

Is your feature request related to a problem? Please describe.
The current Tlsh code is the TLSH-C, which was ported by Avast dev. This version is missing 2 functions

  1. Calculate the diff score of 2 Tlsh hashes (Add total_diff to tlsh.c and tlsh.h avast/tlshc#1)
  2. Load the hash value from a string (Add fromTlshStr to the tlsh.h avast/tlshc#2)
    Therefore, Tlsh version that Yara is using can do hash matching only. IMO tlsh is a fuzzyhash algorithm so it should has score diffing

Describe the solution you'd like
In https://github.com/VirusTotal/yara/blob/master/libyara/tlshc/tlsh.c, Yara can add


int tlsh_total_diff(Tlsh* tlsh, Tlsh *other, bool len_diff)
{
    return tlsh_impl_total_diff(tlsh->impl, other->impl, len_diff);
}

int tlsh_from_tlsh_str(Tlsh* tlsh, const char *str)
{
    return tlsh_impl_from_tlsh_str(tlsh->impl, str);
}

And then add a function in ELF module to compare hash (maybe create an other function to compare with diff_len)

bool yr_elf_tlsh_cmp(char *hash, int user_score)
{
    Tlsh tlsh = new_tlsh();
    tlsh_from_tlsh_str(tlsh, hash);
   // Code block to get hash from metadata here
   if (user_score < tlsh_total_diff(tlsh, <elf_tlsh_struct>, False))
       return True;
   return False;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant