# run strings on all malware *.bin files in the directory and write the strings to <name>.bin.txt next to each sample
Get-ChildItem \ -Filter *.bin | ForEach-Object {
    # call strings64.exe directly instead of spawning cmd.exe, so each output file is complete before the next sample is processed
    & strings64.exe -n 8 $_.FullName | Set-Content -Path (Join-Path $_.DirectoryName ($_.Name + '.txt'))
}
# compare every .bin.txt file and return only the strings that are in ALL of them
$common = @()      # not $matches: that name is a PowerShell automatic variable
$first = $true
Get-ChildItem \ -Filter *.bin.txt | ForEach-Object {
    $lines = Get-Content -Path $_.FullName | Sort-Object
    if ($first) {
        $first = $false
        $common = $lines
    } else {
        # keep only the strings that survived every previous file and are also in this one
        $common = @($common | Where-Object { $lines -contains $_ })
    }
}
$common | Get-Unique
-----------
find matches in multiple malware files
find matches in multiple lists
find matches in multiple arrays
-----------------
Sample output
-----------------
!This program cannot be run in DOS mode.
CloseHandle
GetCurrentProcess
GetProcAddress
KERNEL32.dll
USER32.dll
Friday, April 10, 2020
Compare Malware Strings of Multiple Files for Matches
Compare Malware Strings of 2 Files for Matches
# run strings on both malware samples
strings64.exe -n 8 malware1.exe > str1.txt
strings64.exe -n 8 malware2.exe > str2.txt
# put the results into 2 arrays
[string[]] $lines1 = Get-Content -Path str1.txt
[string[]] $lines2 = Get-Content -Path str2.txt
# sort the arrays
$lines1 = $lines1 | Sort-Object
$lines2 = $lines2 | Sort-Object
# find matches in the 2 lists ($common rather than $matches, which is a PowerShell automatic variable)
$common = @()
foreach ($str in $lines1) { if ($lines2 -contains $str) { $common += $str } }
$common | Get-Unique
-----------
find matches in 2 arrays
find matches in 2 lists
find lines in 2 files
find lines in 2 arrays
compare 2 malware strings
compare 2 files
compare 2 arrays
-----------------
Sample output
-----------------
!This program cannot be run in DOS mode.
#+3;CScs
#http://crl.verisign.com/pca3-g5.crl04
#http://logo.verisign.com/vslogo.gif04
%u.%u%s%s
%VeriSign Class 3 Code Signing 2010 CA
%VeriSign Class 3 Code Signing 2010 CA0
%VeriSign Class 3 Code Signing 2010 CA0
*?|<>/":
... %d%%
.DEFAULT\Control Panel\International
.http://crl.thawte.com/ThawteTimestampingCA.crl0
@sS\-Z?G
[Rename]
\Microsoft\Internet Explorer\Quick Launch
~nsu.tmp
+http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
+http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
-----------------
from linux try this
------------------
# sort -u so comm gets sorted, de-duplicated input (comm requires sorted files)
strings 1.bin | sort -u > output1.txt
strings 2.bin | sort -u > output2.txt
comm -12 output1.txt output2.txt > same.txt
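The same "run strings, then keep what every sample shares" workflow from the two posts and the Linux one-liner above, as an added Python example that is not part of the original posts: it carries its own `strings -n`-style extractor so it runs offline on constructed sample bytes, and it generalises the all-files intersection to a "present in at least k of N samples" threshold, which is what you want when one sample in a family is packed differently. Sample names and bytes are constructed, not real malware.

```python
import re
from collections import Counter
from typing import Dict, List


def extract_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes, like `strings -n min_len`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def shared_strings(samples: Dict[str, bytes], min_files: int = 0, min_len: int = 8) -> Dict[str, int]:
    """Map each string to the number of samples containing it, keeping only strings
    seen in at least min_files samples (0 = required in ALL samples, as in the posts)."""
    if min_files <= 0:
        min_files = len(samples)
    hits: Counter = Counter()
    for data in samples.values():
        # set() so a string repeated inside one sample is counted once per file
        hits.update(set(extract_strings(data, min_len)))
    return {s: n for s, n in hits.items() if n >= min_files}


# Constructed stand-ins for three *.bin samples (assumed content, not real files).
SAMPLES = {
    "a.bin": b"MZ\x90\x00!This program cannot be run in DOS mode.\x00KERNEL32.dll\x00GetProcAddress\x00~nsu.tmp\x00",
    "b.bin": b"MZ\x90\x00!This program cannot be run in DOS mode.\x00KERNEL32.dll\x00GetProcAddress\x00USER32.dll\x00",
    "c.bin": b"MZ\x90\x00!This program cannot be run in DOS mode.\x00KERNEL32.dll\x00CloseHandle\x00USER32.dll\x00",
}

if __name__ == "__main__":
    # strings present in every sample, most-shared first
    for s, n in sorted(shared_strings(SAMPLES).items(), key=lambda kv: (-kv[1], kv[0])):
        print(f"{n}/{len(SAMPLES)} {s}")
```

Strings that appear in every sample (the DOS stub and the import names) are the ones the one-liners above would print; lowering `min_files` shows strings common to only part of the set.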