
Integrate tlshc library, calculate telfhash and import hash in ELF module #1624

Merged: 3 commits, Jun 20, 2022

Conversation

HoundThe (Contributor):

This PR integrates the tlshc library https://github.com/avast/tlshc that provides a C implementation of the TLSH hashing function https://github.com/trendmicro/tlsh, calculates Telfhash using the TLSH hashing function, and also creates a simple MD5 hash of imported symbols for ELF files.

@plusvic plusvic added this to the v4.3 milestone Jan 10, 2022
HoundThe (Contributor, Author):

Some tests were failing due to the usage of md5_ctx in import_md5 not being hidden in case there is no crypto lib to support it.

@plusvic plusvic merged commit 19ac2ef into VirusTotal:master Jun 20, 2022
@vthib mentioned this pull request Dec 27, 2022
dmknght commented Jul 20, 2023:

The current tlsh library of Avast is missing an important feature: calculate 2 hashes and give the score.
The original code has this method int totalDiff(const Tlsh *, bool len_diff=true) const;. However, there's no function like that in https://github.com/avast/tlshc/blob/main/include/tlshc/tlsh.h. Therefore, current hash comparison in Yara module is based on exact hash matching. It's not good IMO.
To use this method / function with Yara, the tlsh module needs to convert a hash from text to a struct's data. Therefore the method int fromTlshStr(const char* str); is required. It's also missing in Avast's module.
I created 2 issues on Avast's repository about 2 missing functions. Hope they update this soon.
avast/tlshc#1
avast/tlshc#2
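To make concrete what the comment above is asking for, here is an added example (not code from YARA, tlshc or the TLSH project) that parses a TLSH digest from its hex-string form, the job of fromTlshStr, and computes the header-plus-body distance that totalDiff returns, so that two telfhash values can be scored for similarity rather than only compared for string equality. It assumes the standard TLSH layout (1-byte checksum, 1-byte length value, two 4-bit quartile ratios, 32 body bytes, header bytes written to hex with their nibbles swapped, optional "T1" version prefix); the sample digests HASH_A, HASH_B and HASH_C are constructed for illustration and are not hashes of any real file, and the threshold in is_similar is a parameter to tune, not a value the thread gives.

```python
"""Illustrative TLSH digest parsing and distance scoring.

Added example, not the YARA, tlshc or TLSH project code. It mirrors the
distance formula of the reference TLSH implementation: a circular
difference on the length value and the two quartile ratios, one point for
a checksum mismatch, and a per-bucket difference over the 2-bit body
buckets. Sample digests below are constructed, not real file hashes.
"""
from dataclasses import dataclass

CODE_SIZE = 32         # body bytes: 128 buckets of 2 bits each
RANGE_LVALUE = 256     # assumption: standard 1-byte length value
RANGE_QRATIO = 16      # quartile ratios are 4 bits wide
PENALTY_MULT = 12      # multiplier for large length / ratio differences


@dataclass(frozen=True)
class TlshDigest:
    checksum: int      # assumption: 1-byte checksum build of TLSH
    lvalue: int        # log-scaled input length
    q1ratio: int       # 4-bit quartile ratio
    q2ratio: int       # 4-bit quartile ratio
    body: bytes        # CODE_SIZE bytes, four 2-bit buckets per byte


def _swap_nibbles(b: int) -> int:
    # Header bytes are written to hex with nibbles swapped; undo that here.
    return ((b & 0x0F) << 4) | ((b >> 4) & 0x0F)


def parse_tlsh(text: str) -> TlshDigest:
    """Convert the hex form of a digest into its numeric fields.

    Rejects anything that is not 70 hex chars (optionally prefixed "T1"),
    which also covers the "TNULL" placeholder TLSH emits for tiny inputs.
    """
    s = text.strip()
    if s[:2].upper() == "T1":
        s = s[2:]
    if len(s) != 2 * (3 + CODE_SIZE):
        raise ValueError(f"not a TLSH digest: {text!r}")
    try:
        raw = bytes.fromhex(s)
    except ValueError as exc:
        raise ValueError(f"not a TLSH digest: {text!r}") from exc
    qb = _swap_nibbles(raw[2])
    return TlshDigest(
        checksum=_swap_nibbles(raw[0]),
        lvalue=_swap_nibbles(raw[1]),
        q1ratio=qb & 0x0F,   # assumption on nibble order; the score is the
        q2ratio=qb >> 4,     # same either way because both use one formula
        body=raw[3:],
    )


def _mod_diff(x: int, y: int, rng: int) -> int:
    # Circular distance so values on either side of the wrap stay close.
    d = abs(x - y)
    return min(d, rng - d)


def _bit_pairs_diff(x: int, y: int) -> int:
    # Sum of bucket differences for one body byte; a 0-vs-3 bucket
    # difference counts 6 instead of 3, as in the reference table.
    diff = 0
    for _ in range(4):
        d = abs((x & 3) - (y & 3))
        diff += 6 if d == 3 else d
        x >>= 2
        y >>= 2
    return diff


def tlsh_diff(a: TlshDigest, b: TlshDigest, len_diff: bool = True) -> int:
    """Distance between two parsed digests: 0 is identical, more is less alike."""
    diff = 0
    if len_diff:
        ld = _mod_diff(a.lvalue, b.lvalue, RANGE_LVALUE)
        diff += ld if ld <= 1 else ld * PENALTY_MULT
    for qa, qb in ((a.q1ratio, b.q1ratio), (a.q2ratio, b.q2ratio)):
        qd = _mod_diff(qa, qb, RANGE_QRATIO)
        diff += qd if qd <= 1 else (qd - 1) * PENALTY_MULT
    if a.checksum != b.checksum:
        diff += 1
    diff += sum(_bit_pairs_diff(x, y) for x, y in zip(a.body, b.body))
    return diff


def tlsh_distance(hash_a: str, hash_b: str, len_diff: bool = True) -> int:
    return tlsh_diff(parse_tlsh(hash_a), parse_tlsh(hash_b), len_diff)


def is_similar(hash_a: str, hash_b: str, threshold: int = 30) -> bool:
    # threshold is a tuning parameter (assumption), lower means stricter
    return tlsh_distance(hash_a, hash_b) <= threshold


# Constructed digests (not real telfhash values): header AB/12/34, body
# 00 followed by 31 bytes of 5A. HASH_B differs only in the length value,
# HASH_C in the checksum and the first two body bytes.
HASH_A = "T1AB1234" + "00" + "5A" * 31
HASH_B = "T1AB3234" + "00" + "5A" * 31
HASH_C = "T1AC1234" + "03" + "5B" + "5A" * 30

if __name__ == "__main__":
    for name, other in (("B", HASH_B), ("C", HASH_C)):
        print(name, tlsh_distance(HASH_A, other), is_similar(HASH_A, other))
```

HASH_B scores 24 against HASH_A with len_diff on and 0 with it off, which is why the length penalty is optional in totalDiff: for a rule author, two builds of the same ELF that differ only in size should usually still match. HASH_C scores 8: one point for the checksum, six for a bucket that moved from 0 to 3, one for a bucket that moved by one.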
