This PR integrates the tlshc library https://github.com/avast/tlshc that provides a C implementation of the TLSH hashing function https://github.com/trendmicro/tlsh, calculates Telfhash using the TLSH hashing function, and also creates a simple MD5 hash of imported symbols for ELF files.
The current tlsh library of Avast is missing an important feature: calculate 2 hashes and give the score.
The original code has this method int totalDiff(const Tlsh *, bool len_diff=true) const;. However, there's no function like that in https://github.com/avast/tlshc/blob/main/include/tlshc/tlsh.h. Therefore, the current hash comparison in the Yara module is based on exact hash matching. It's not good IMO.
To use this method / function with Yara, the tlsh module needs to convert a hash from text to a struct's data. Therefore the method int fromTlshStr(const char* str); is required. It's also missing in Avast's module.
I created 2 issues on Avast's repository about 2 missing functions. Hope they update this soon. avast/tlshc#1 avast/tlshc#2
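The distance scoring discussed in the comment above, sketched as an added example; it is not code from this PR, from tlshc, or from the TrendMicro repository. It assumes the default TLSH digest (70 hex digits, optional "T1" prefix, 1 checksum byte, 128 two-bit buckets) and always applies the length term; `tlsh_parse`, `tlsh_distance` and both sample digests are hypothetical names and constructed values.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define TLSH_BYTES 35 /* 1 checksum + 1 length + 1 Q-ratio + 32 body bytes */
#define Z16 "0000000000000000"
/* Constructed digests, not hashes of real files. */
#define SAMPLE_A "T1" "000000" Z16 Z16 Z16 Z16
#define SAMPLE_B "T1" "013021" "C006" "000000000000" Z16 Z16 Z16

/* Parse 70 hex digits (optional "T1" prefix); 0 on success, -1 if malformed.
 * Body byte order is left as written: the distance sums per-bucket differences. */
static int tlsh_parse(const char *s, unsigned char out[TLSH_BYTES]) {
    if (s == NULL) return -1;
    if (strncmp(s, "T1", 2) == 0) s += 2;
    if (strlen(s) != (size_t)(2 * TLSH_BYTES)) return -1;
    for (int i = 0; i < TLSH_BYTES; i++) {
        char byte[3] = { s[2 * i], s[2 * i + 1], '\0' };
        if (!isxdigit((unsigned char)byte[0]) || !isxdigit((unsigned char)byte[1])) return -1;
        unsigned v = (unsigned)strtoul(byte, NULL, 16);
        /* The three header bytes are stored with their nibbles swapped. */
        out[i] = (unsigned char)(i < 3 ? ((v & 15) << 4) | (v >> 4) : v);
    }
    return 0;
}

static int mod_diff(int x, int y, int range) {
    int d = x > y ? x - y : y - x;
    return d < range - d ? d : range - d;
}

/* 0 = identical digests, larger = less similar, -1 = malformed input. */
int tlsh_distance(const char *a, const char *b) {
    unsigned char x[TLSH_BYTES], y[TLSH_BYTES];
    if (tlsh_parse(a, x) != 0 || tlsh_parse(b, y) != 0) return -1;
    int diff = (x[0] != y[0]);                    /* checksum mismatch: +1 */
    int l = mod_diff(x[1], y[1], 256);            /* log-length value */
    diff += l <= 1 ? l : l * 12;
    for (int sh = 0; sh <= 4; sh += 4) {          /* two 4-bit quartile ratios */
        int q = mod_diff((x[2] >> sh) & 15, (y[2] >> sh) & 15, 16);
        diff += q <= 1 ? q : (q - 1) * 12;
    }
    for (int i = 3; i < TLSH_BYTES; i++)          /* body: 128 two-bit buckets */
        for (int sh = 0; sh < 8; sh += 2) {
            int d = abs(((x[i] >> sh) & 3) - ((y[i] >> sh) & 3));
            diff += d == 3 ? 6 : d;
        }
    return diff;
}
```

A rule built on a score like this can match digests within a chosen distance threshold, which exact string comparison of the digest cannot do.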