Unicode Strings for signature (maybe a dumb question)
darksider9
Joined: 30 Jan 2012 | Posts: 0 | Location: USA
Posted: Mon Jan 30, 2012 11:19 pm
Hi All,
First time poster, and just now starting to attempt to develop some signatures for ClamAV. I was wondering though (I know this may be a dumb question), is it possible to develop a signature based off a UNICODE STRING inside of the file? Some EXEs that I have been seeing have a very specific STRING, and I was wondering if I could make it fire off of that alone. Any help is much appreciated. Thank you in advance.
Darksider
GuitarBob
Joined: 09 Jul 2006 | Posts: 9 | Location: USA
Posted: Tue Jan 31, 2012 12:00 am
Sure, it's possible to get a signature for anything you can see in a debugger/hex editor/disassembler. If it is really unique, it might hold up and not have any false positives. I prefer to stay away from formatting type stuff, but I think something like that fairly new Unicode trick of reversing the extension so it does not appear at the end of the filename might work. Not many legitimate executable files would do that.
Watch it though--every time I think I have found something unique, it seems to get false positives!
Regards,
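An added example, not part of either post and not ClamAV project code: it turns a UTF-16LE ("Unicode") string into a ClamAV body-based `.ndb` signature line and checks it against known-clean buffers for false positives. The signature name, marker string and sample buffers are constructed, and `hits` is a simplified stand-in for the scanner (exact byte search only).

```python
# Added example: ClamAV body signature (.ndb) for a UTF-16LE ("Unicode") string.
# Signature name, marker string and sample buffers are constructed.

def wide_hex(text: str) -> str:
    """Hex of the string as a Windows PE stores it: UTF-16LE, no BOM."""
    return text.encode("utf-16-le").hex()

def ndb_line(name: str, text: str, target: int = 1, offset: str = "*") -> str:
    """Format: MalwareName:TargetType:Offset:HexSignature
    TargetType 1 = PE file, Offset * = anywhere in the file."""
    if ":" in name:
        raise ValueError("signature name must not contain ':'")
    if len(text) < 8:
        # Assumed cut-off for this example: short strings invite false positives.
        raise ValueError("string too short to be distinctive")
    return f"{name}:{target}:{offset}:{wide_hex(text)}"

def hits(ndb: str, data: bytes) -> bool:
    """Simplified stand-in for the scanner: exact byte search, no wildcards."""
    return bytes.fromhex(ndb.split(":")[3]) in data

def false_positives(ndb: str, clean: dict) -> list:
    """Names of known-clean samples the signature fires on (should be empty)."""
    return sorted(n for n, d in clean.items() if hits(ndb, d))

MARKER = "Constructed-Marker-42"   # stands in for the string seen in the EXEs
SIG = ndb_line("Example.Wide.Marker", MARKER)

# Constructed buffers: the same text stored wide (UTF-16LE) and narrow (ASCII).
WIDE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + MARKER.encode("utf-16-le") + b"\x00\x00"
ASCII_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16 + MARKER.encode("ascii") + b"\x00"
# Constructed known-clean corpus, including a near miss (a prefix of the marker).
CLEAN = {
    "clean_a.exe": b"MZ" + "Hello, world".encode("utf-16-le"),
    "clean_b.exe": b"MZ" + "Constructed-Marker".encode("utf-16-le"),
}

if __name__ == "__main__":
    print(SIG)
    print("wide sample :", hits(SIG, WIDE_SAMPLE))
    print("ascii sample:", hits(SIG, ASCII_SAMPLE))
    print("false positives:", false_positives(SIG, CLEAN))
```

Saved to a `.ndb` file, the printed line can be loaded with `clamscan -d <file>.ndb`. `sigtool --hex-dump` converts bytes on stdin to the same hex form.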
All times are GMT