fingerprint

Version: v0.0.0-...-b5cef0e (this package is not in the latest version of its module)
Published: Mar 26, 2021 License: MIT Imports: 14 Imported by: 0

README

Fingerprint

This repo serves as an experimental library for fingerprinting various files in a way similar to what VirusTotal does.

Besides general file hashes and file type analysis, it contains additional parsing modules for ELF, PE, and Mach-O binaries. These include per-section entropy calculations and the lists of imported and exported symbols. It also implements the telfhash (ELF), imphash (PE), and symhash (Mach-O) fuzzy symbol-hashing algorithms, which are useful in malware analysis for clustering samples that share an import or symbol layout.
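To show what one of these symbol hashes actually computes, here is an added illustration of the imphash construction in Go. It is not the library's own code: it takes a constructed import table as input (no PE parsing is done), and it uses the plain "ordN" form for ordinal-only imports, leaving out the ordinal-to-name tables that the full algorithm applies for ws2_32 and oleaut32.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"strings"
)

// Import is one entry from a PE import table: the DLL it comes from and
// either a symbol name or an ordinal (Name is empty for ordinal imports).
type Import struct {
	DLL     string
	Name    string
	Ordinal uint16
}

// normalizeImport renders one import the way imphash expects: lower-cased
// "dll.function" with a trailing .dll/.ocx/.sys extension removed, and
// ordinal-only imports written as "ordN" (simplified: no ws2_32/oleaut32 tables).
func normalizeImport(imp Import) string {
	dll := strings.ToLower(imp.DLL)
	for _, ext := range []string{".dll", ".ocx", ".sys"} {
		if strings.HasSuffix(dll, ext) {
			dll = strings.TrimSuffix(dll, ext)
			break
		}
	}
	name := strings.ToLower(imp.Name)
	if name == "" {
		name = fmt.Sprintf("ord%d", imp.Ordinal)
	}
	return dll + "." + name
}

// ImphashString builds the comma-joined import list that gets hashed.
// Order is significant: the same imports in a different order yield a
// different imphash, which is what lets the hash reflect linker layout
// rather than just the set of APIs used.
func ImphashString(imports []Import) string {
	parts := make([]string, 0, len(imports))
	for _, imp := range imports {
		parts = append(parts, normalizeImport(imp))
	}
	return strings.Join(parts, ",")
}

// Imphash returns the hex-encoded MD5 of the normalized import string.
func Imphash(imports []Import) string {
	sum := md5.Sum([]byte(ImphashString(imports)))
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample import table; it is not taken from any real binary.
	imports := []Import{
		{DLL: "KERNEL32.dll", Name: "GetProcAddress"},
		{DLL: "KERNEL32.dll", Name: "LoadLibraryA"},
		{DLL: "USER32.dll", Name: "MessageBoxA"},
		{DLL: "MSVCRT.dll", Ordinal: 42}, // hypothetical ordinal import
	}
	fmt.Println(ImphashString(imports))
	fmt.Println(Imphash(imports))
}
```

Because only names and order feed the hash, two samples compiled from the same source with the same toolchain usually share an imphash even when their code bytes differ, while a trivial reordering of the import table by a packer changes it; that is the property to keep in mind when relying on it for clustering.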

The only required dependency is the capstone library, used to enumerate call sites by disassembling stripped ELF binaries for the telfhash calculation.

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Info

type Info struct {
	MIME   string      `json:"mime"`
	SSDEEP string      `json:"ssdeep,omitempty"`
	MD5    string      `json:"md5"`
	SHA1   string      `json:"sha1"`
	SHA256 string      `json:"sha256"`
	Size   int         `json:"size"`
	PE     *pe.Info    `json:"pe,omitempty"`
	MachO  *macho.Info `json:"macho,omitempty"`
	Elf    *elf.Info   `json:"elf,omitempty"`
	LNK    *lnk.Info   `json:"lnk,omitempty"`
}

Info contains fingerprinting information.

func Parse

func Parse(r Reader, size int) (*Info, error)

Parse determines the file type of the data and then enriches the returned Info with the parser for the detected type.

type Reader

type Reader interface {
	io.ReadSeeker
	io.ReaderAt
}

Reader is the interface that must be satisfied for parsing a stream of data.
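The following added example, which is not the library's own code, mirrors the detect-then-enrich flow of Parse and the general fields of Info using only the Go standard library: it streams the input once through MD5, SHA-1 and SHA-256, keeps the first 512 bytes for MIME sniffing, and classifies ELF, PE and Mach-O inputs by their magic bytes. The format-specific sub-structures (PE, MachO, Elf, LNK) are reduced to a single Kind field, and the sample input is constructed, not a real binary.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
)

// Info mirrors the library's Info struct for the fields the standard
// library can produce on its own; format-specific details become Kind.
type Info struct {
	MIME   string `json:"mime"`
	MD5    string `json:"md5"`
	SHA1   string `json:"sha1"`
	SHA256 string `json:"sha256"`
	Size   int    `json:"size"`
	Kind   string `json:"kind"` // "elf", "pe", "macho" or "" when unrecognised
}

// detectKind classifies the file from its leading magic bytes; this is the
// "determine the file type" step that precedes format-specific enrichment.
func detectKind(head []byte) string {
	if len(head) >= 4 && bytes.Equal(head[:4], []byte{0x7f, 'E', 'L', 'F'}) {
		return "elf"
	}
	if len(head) >= 2 && head[0] == 'M' && head[1] == 'Z' {
		// "MZ" only proves a DOS stub; a full parser follows e_lfanew to the
		// "PE\x00\x00" signature before reporting a PE file.
		return "pe"
	}
	if len(head) >= 4 {
		switch binary.BigEndian.Uint32(head[:4]) {
		case 0xfeedface, 0xfeedfacf, // 32- and 64-bit Mach-O magics
			0xcefaedfe, 0xcffaedfe: // the same magics in swapped byte order
			return "macho"
		case 0xcafebabe:
			// Fat (universal) Mach-O shares this magic with Java class files;
			// a real parser sanity-checks the arch count before trusting it.
			return "macho"
		}
	}
	return ""
}

// Fingerprint streams the data once through all three hashes while keeping
// the first 512 bytes for MIME sniffing and magic detection, so large inputs
// are never held in memory in full.
func Fingerprint(r io.ReadSeeker) (*Info, error) {
	if _, err := r.Seek(0, io.SeekStart); err != nil {
		return nil, err
	}
	h5, h1, h256 := md5.New(), sha1.New(), sha256.New()
	hashes := io.MultiWriter(h5, h1, h256)

	head := make([]byte, 512)
	n, err := io.ReadFull(r, head)
	if err != nil && err != io.EOF && err != io.ErrUnexpectedEOF {
		return nil, err
	}
	head = head[:n]
	if _, err := hashes.Write(head); err != nil {
		return nil, err
	}
	rest, err := io.Copy(hashes, r)
	if err != nil {
		return nil, err
	}

	return &Info{
		MIME:   http.DetectContentType(head),
		MD5:    hex.EncodeToString(h5.Sum(nil)),
		SHA1:   hex.EncodeToString(h1.Sum(nil)),
		SHA256: hex.EncodeToString(h256.Sum(nil)),
		Size:   n + int(rest),
		Kind:   detectKind(head),
	}, nil
}

func main() {
	// Constructed sample: an ELF magic followed by zero padding, not a real binary.
	sample := append([]byte{0x7f, 'E', 'L', 'F'}, make([]byte, 60)...)
	info, err := Fingerprint(bytes.NewReader(sample))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", *info)
}
```

bytes.Reader satisfies both io.ReadSeeker and io.ReaderAt, which is the combination the library's Reader interface asks for; an *os.File does too, so the same function works on files on disk. The enrichment that Parse performs after detection would start from the returned Kind and hand the stream to the matching format parser.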
