On Mon 13/Aug/2018 00:27:55 +0200 Al Varnell wrote:

> I don't quite understand why you think it might not detect it.
>
> Text strings are not required to have an even number of digits. The hex
> equivalent to that string would be: {62 63 39 [...] 34 30}. As
> long as the string appears in a file, it should match.
That's right. I thought it was unlikely to find a 65-byte binary sequence, so it looked wrong to me. Perhaps that's a wrong conjecture, since a malware writer may want to hard-code crypto data in the executable. The sequence doesn't seem to be code.

> I'd have to have the actual sample file in order to say anything more about
> it.

I don't attach it, as it may appear to be a (broken) executable. Using an xxd[*] dump (instead of hd) solves the problem, since xxd is reversible and idempotent:

~/tmp$ diff -s <(xxd -g 1 keymarble-dummy) <(xxd -g 1 keymarble-dummy|xxd -r|xxd -g 1)
Files /dev/fd/63 and /dev/fd/62 are identical

So you can copy the following to a file and revert it to binary:

~/tmp$ xxd -g 1 keymarble-dummy
00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d  MZthis is a dumm
00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65  y keymarble file
00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b   created for mak
00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00  ing tests...@...
00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38  PEbc9b75a3117758
00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66  7245305cd418b8df
00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63  78652d1c03e9da0c
00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31  fc910d6d38ee4191
00000080: 64 34 30 0a 00                                   d40..

Best
Ale

--
[*] https://github.com/jnweiger/xxd
(But it's probably already installed on your box.)

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
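An added example (my own code, not from the thread) that does in Python what the mail does with xxd: a parser for the `xxd -g 1` dump above, with the offset check one wants before trusting a dump that travelled through e-mail, the forward dump for the round trip, and the text-to-hex conversion behind Al's point that the 65-character string is simply a 130-digit hex signature that matches wherever it appears. The .ndb layout used is ClamAV's documented SigName:TargetType:Offset:HexSignature form; the signature name is made up.

```python
# The dump posted in the mail (constructed constant: same bytes, xxd's column layout).
XXD_DUMP = """\
00000000: 4d 5a 74 68 69 73 20 69 73 20 61 20 64 75 6d 6d  MZthis is a dumm
00000010: 79 20 6b 65 79 6d 61 72 62 6c 65 20 66 69 6c 65  y keymarble file
00000020: 20 63 72 65 61 74 65 64 20 66 6f 72 20 6d 61 6b   created for mak
00000030: 69 6e 67 20 74 65 73 74 73 0a 00 00 40 00 00 00  ing tests...@...
00000040: 50 45 62 63 39 62 37 35 61 33 31 31 37 37 35 38  PEbc9b75a3117758
00000050: 37 32 34 35 33 30 35 63 64 34 31 38 62 38 64 66  7245305cd418b8df
00000060: 37 38 36 35 32 64 31 63 30 33 65 39 64 61 30 63  78652d1c03e9da0c
00000070: 66 63 39 31 30 64 36 64 33 38 65 65 34 31 39 31  fc910d6d38ee4191
00000080: 64 34 30 0a 00                                   d40..
"""
# The 65-character ASCII string stored right after "PE" (file offset 0x42 in the dump).
SAMPLE_STRING = "bc9b75a3117758" "7245305cd418b8df" "78652d1c03e9da0c" "fc910d6d38ee4191" "d40"

def xxd_reverse(dump: str) -> bytes:
    """`xxd -r` for `xxd -g 1` output: the hex column is authoritative, the ASCII column is ignored;
    each line's offset must equal the byte count so far, so a dump mangled in transit fails loudly."""
    out = bytearray()
    for line in dump.splitlines():
        offset, rest = line.split(":", 1)
        if int(offset, 16) != len(out):
            raise ValueError(f"offset {offset} does not match {len(out)} bytes parsed so far")
        # hex bytes are single-space separated; two spaces mark the start of the ASCII column
        out += bytes.fromhex(rest.strip().split("  ", 1)[0])
    return bytes(out)

def xxd_g1(data: bytes, cols: int = 16) -> str:
    """`xxd -g 1`-style dump; xxd_reverse(xxd_g1(x)) == x, which is why the mail's diff is empty."""
    lines = []
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        hexcol = " ".join(f"{b:02x}" for b in chunk).ljust(cols * 3 - 1)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{off:08x}: {hexcol}  {text}")
    return "\n".join(lines) + "\n"

def text_to_hexsig(text: str) -> str:
    """ClamAV body signatures are hex, so a text string is just its bytes in hex: two digits per
    character, hence always an even length (65 characters -> 130 hex digits)."""
    return text.encode("ascii").hex()

def ndb_line(name: str, text: str) -> str:
    """A .ndb line, SigName:TargetType:Offset:HexSignature (0 = any file type, * = any offset)."""
    return f"{name}:0:*:{text_to_hexsig(text)}"

def hexsig_offset(data: bytes, hexsig: str) -> int:
    """Where the signature's byte pattern occurs in the file (-1 if absent): the substring match the mail describes."""
    return data.find(bytes.fromhex(hexsig))
```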