Created
July 17, 2017 13:12
-
-
Save absturztaube/c596f8f90d6346dbc75c9df3a02a9044 to your computer and use it in GitHub Desktop.
Perl Modules for ClamAV Signature Generation (without using the sigtool from clamav)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl | |
| use strict; | |
| use warnings FATAL => 'all'; | |
| use ClamAV::Signature; | |
| use ClamAV::SignatureDatabase; | |
| my $sigDatabase = ClamAV::SignatureDatabase->new(); | |
| my $signature = ClamAV::Signature->new(); | |
| $signature->name('Some_Fanzy_Malware_Name'); | |
| $signature->generateHexdump('SOME_MALWAREY_SIGNATURE'); | |
| $sigDatabase->addSignature($signature); | |
| $sigDatabase->writeDatabase('my_signature.ndb'); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package ClamAV::Signature; | |
| use strict; | |
| use warnings FATAL => 'all'; | |
| sub new { | |
| my ($class) = @_; | |
| my $this = {}; | |
| bless $this, $class; | |
| $this->name('Perl.Generic'); | |
| $this->type(0); | |
| $this->offset('*'); | |
| $this; | |
| } | |
| sub name { | |
| my ($this, $set) = @_; | |
| if(defined $set) { | |
| $this->{'name'} = $set; | |
| } | |
| return $this->{'name'}; | |
| } | |
| sub type { | |
| my ($this, $set) = @_; | |
| if(defined $set) { | |
| $this->{'type'} = $set; | |
| } | |
| return $this->{'type'}; | |
| } | |
| sub offset { | |
| my ($this, $set) = @_; | |
| if(defined $set) { | |
| $this->{'offset'} = $set; | |
| } | |
| return $this->{'offset'} | |
| } | |
| sub hexdump { | |
| my ($this, $set) = @_; | |
| if(defined $set) { | |
| $set =~ s/\s//g; | |
| $this->{'hexdump'} = $set; | |
| } | |
| return $this->{'hexdump'}; | |
| } | |
| sub timestamp { | |
| my ($this, $set) = @_; | |
| if(defined $set) { | |
| $this->{'timestamp'} = $set; | |
| } | |
| return $this->{'timestamp'}; | |
| } | |
| sub toString { | |
| my ($this) = @_; | |
| return $this->name().':'.$this->type().':'.$this->offset().':'.$this->hexdump(); | |
| } | |
| sub toTimeString { | |
| my ($this) = @_; | |
| return $this->timestamp().':'.$this->toString(); | |
| } | |
| sub generateHexdump { | |
| my ($this, $content) = @_; | |
| $content =~ s/"/\\"/gi; | |
| my $hexdump = qx/echo "$content" | xxd -ps/; | |
| $hexdump =~ s/[\s]//g; | |
| $this->timestamp(time()); | |
| $this->hexdump($hexdump); | |
| } | |
| 1; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package ClamAV::SignatureDatabase; | |
| use strict; | |
| use warnings FATAL => 'all'; | |
| use ClamAV::Signature; | |
| sub new { | |
| my ($class) = @_; | |
| my $this = {}; | |
| bless $this, $class; | |
| $this->{'signatures'} = {}; | |
| $this; | |
| } | |
| sub signatures { | |
| my ($this) = @_; | |
| return $this->{'signatures'}; | |
| } | |
| sub addSignature { | |
| my ($this, $signature) = @_; | |
| if (ref($signature) eq 'ClamAV::Signature') { | |
| $this->{'signatures'}->{$signature->hexdump()} = $signature; | |
| } | |
| } | |
| sub parseDatabase { | |
| my ($this, $filename) = @_; | |
| open(SIGFILE, '<', $filename); | |
| while(<SIGFILE>) { | |
| my @parts = split(/:/, $_); | |
| my $signature = ClamAV::Signature->new(); | |
| my $keys = [ | |
| 'hexdump', | |
| 'offset', | |
| 'type', | |
| 'name', | |
| 'timestamp' | |
| ]; | |
| for(my $index = (scalar(@parts) - 1); $index >= 0; $index--) { | |
| my $keyIndex = 4 - $index; | |
| my $key = $keys->[$keyIndex]; | |
| $signature->$key($parts[$index]); | |
| } | |
| $this->addSignature($signature); | |
| } | |
| close(SIGFILE); | |
| } | |
| sub cleanDatabase { | |
| my ($this, $timediff) = @_; | |
| my $newSignatures = {}; | |
| foreach my $sig (keys %{$this->{'signatures'}}) { | |
| my $signature = $this->{'signatures'}->{$sig}; | |
| if($signature->timestamp() - time() < $timediff) { | |
| $newSignatures->{$signature->hexdump()} = $signature; | |
| } | |
| } | |
| $this->{'signatures'} = $newSignatures; | |
| } | |
| sub writeDatabase { | |
| my ($this, $filename) = @_; | |
| open(SIGFILE, '>', $filename); | |
| foreach my $sigKey (keys %{$this->{'signatures'}}) { | |
| my $signature = $this->{'signatures'}->{$sigKey}; | |
| print SIGFILE $signature->toString()."\n"; | |
| } | |
| close(SIGFILE); | |
| } | |
| sub writeDatabaseTime { | |
| my ($this, $filename) = @_; | |
| open(SIGFILE, '>', $filename); | |
| my $time = time(); | |
| foreach my $sigKey (keys %{$this->{'signatures'}}) { | |
| my $signature = $this->{'signatures'}->{$sigKey}; | |
| unless($signature->timestamp()) { | |
| $signature->timestamp($time); | |
| } | |
| print SIGFILE $signature->toTimeString()."\n" | |
| } | |
| close(SIGFILE); | |
| } | |
| 1; |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm no fan of perl, but i had do do some work with it at work (what a sentence...Oo)
But i thought, it might be usefull for others, which have (or want) to use perl and work with custom databases for clamav
Have fun