Full Disclosure mailing list archives
Re: [Tool] DeepToad 1.1.0
From: Joxean Koret <joxeankoret () yahoo es>
Date: Tue, 5 Jan 2010 15:00:12 +0000 (GMT)
Yes. It isn't designed to search for the differences between 2 binary files but to search for similar files, _independently_ of the format, and group them. This tool can be used, for example, to search for similar "crapwares" or to search for similar image files (not similar looking, but similar files), similar office documents, etc...

--- On Tue, 5/1/10, T Biehn <tbiehn () gmail com> wrote:
From: T Biehn <tbiehn () gmail com>
Subject: Re: [Full-disclosure] [Tool] DeepToad 1.1.0
To: "Dan Kaminsky" <dan () doxpara com>
CC: "Joxean Koret" <joxeankoret () yahoo es>, "Full Disclosure" <full-disclosure () lists grok org uk>, bugtraq () securityfocus com
Date: Tuesday, 5 January 2010 15:56

I can see what you're saying, it could be useful for finding differences in different versions of the same binary but from what I can see Joxean's app is meant to group files of the same 'type,' not provide 'diff' capabilities.

-Travis

On Tue, Jan 5, 2010 at 9:51 AM, Dan Kaminsky <dan () doxpara com> wrote:

I looked into a fair amount of this sort of normalization back when I was playing with dotplots. The idea was to upgrade from simple Levenshtein string comparison (with no knowledge of variable length x86 instructions, pointers that shift from compile to compile, etc) to something with at least some domain specific knowledge. What I found, somewhat surprisingly, was that dumb string comparison was more than enough. In fact, when I compared pre-patch and post-patch builds, it was easy to directly see when content was added, removed, shifted in location, etc. Joxean's going to have much the same result -- as basic as his similarity metric is, he'll get the broad strokes just fine.

Ultimately the best approach is to build a graph of how functions interact and measure graph isomorphism, but of course Halvar figured that out years ago :)

On Tue, Jan 5, 2010 at 3:41 PM, T Biehn <tbiehn () gmail com> wrote:

Hmm, wouldn't it be more useful to the sec community to have an algorithm that abstracts at the -interpreted- content level? That is, when analyzing binaries I wouldn't think that this would classify two with near identical functionality together, even though it is removing a significant chunk of information during the hash pass. I would largely assume that your algorithm, as is, works best on uncompressed bitmaps.

Is there something I'm missing?

-Travis

On Sun, Jan 3, 2010 at 6:37 AM, Joxean Koret <joxeankoret () yahoo es> wrote:

Hi all,

I'm happy to announce the very first public release of the open source project DeepToad, a tool for computing fuzzy hashes from files. DeepToad can generate signatures, clusterize files and/or directories and compare them. It's inspired by the very good tool ssdeep [1] and, in fact, both projects are very similar.

The complete project is written in pure python and is distributed under the LGPL license [2].

Links:
Project's Web Page http://code.google.com/p/deeptoad/
Download Web Page http://code.google.com/p/deeptoad/downloads/list
Wiki http://code.google.com/p/deeptoad/w/list

References:
[1] http://ssdeep.sourceforge.net/
[2] http://www.gnu.org/licenses/lgpl.html

Regards && Happy new year!
Joxean Koret

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

--
FD1D E574 6CAB 2FAF 2921 F22E B8B7 9D0D 99FF A73C
http://pgp.mit.edu:11371/pks/lookup?search=tbiehn&op=index&fingerprint=on
http://pastebin.com/f6fd606da
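A toy context-triggered piecewise hash in the style of ssdeep, added here as an illustration and not DeepToad's own code; the window, block size, rolling hash and the sample blobs are all constructed for the demo. It shows the point Dan makes about shifted content: after a 60-byte insertion the fuzzy signature still scores as similar under plain string comparison, while an unrelated blob does not.

```python
import hashlib
import random
from difflib import SequenceMatcher

WINDOW = 7        # bytes of context the rolling hash looks at (demo value)
BLOCK_SIZE = 64   # average chunk length; real tools derive this from file size
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def _rolling(window: bytes) -> int:
    # Hash of the last WINDOW bytes only, so chunk boundaries depend on local
    # content and re-synchronise after an insertion or deletion elsewhere.
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def _chunk_char(chunk: bytes) -> str:
    # Reduce each chunk to one symbol; the signature is the string of symbols.
    return ALPHABET[hashlib.sha1(chunk).digest()[0] & 0x3F]

def fuzzy_hash(data: bytes) -> str:
    """Cut a chunk wherever the rolling hash hits its trigger value, then map
    every chunk to one character. Only chunks touched by an edit change."""
    sig, start = [], 0
    for i in range(WINDOW, len(data) + 1):
        if _rolling(data[i - WINDOW:i]) % BLOCK_SIZE == BLOCK_SIZE - 1:
            sig.append(_chunk_char(data[start:i]))
            start = i
    if start < len(data):
        sig.append(_chunk_char(data[start:]))
    return "".join(sig)

def similarity(sig_a: str, sig_b: str) -> int:
    """Plain string comparison of two signatures, as a 0..100 score."""
    return round(100 * SequenceMatcher(None, sig_a, sig_b).ratio())

# Constructed sample inputs: a pseudo-random "binary", a copy with a 60-byte
# insertion in the middle (everything after it shifts), and an unrelated blob.
def _blob(seed: int, size: int = 4096) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))

BASE = _blob(1)
PATCHED = BASE[:2048] + b"PATCHED-SECTION" * 4 + BASE[2048:]
UNRELATED = _blob(2)

if __name__ == "__main__":
    print("base vs patched  :", similarity(fuzzy_hash(BASE), fuzzy_hash(PATCHED)))
    print("base vs unrelated:", similarity(fuzzy_hash(BASE), fuzzy_hash(UNRELATED)))
```

A cryptographic hash of BASE and PATCHED differs in every bit, which is exactly why a fuzzy signature is needed to group files that differ by a small insertion.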