Skip to content

angelsolaorbaiceta/binmat

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

40 Commits
.vscode
.vscode
 
 
bexpr
bexpr
 
 
examples/signatures
examples/signatures
 
 
signature
signature
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 

Repository files navigation

Binary Matcher

A binary signature matcher written in Go.

Usage

Install the binary:

$ go install https://github.com/angelsolaorbaiceta/binmat@latest

Create your signature .yaml files (see next section) and place them inside your $HOME/.config/binmat directory. Every time you run the binmat binary, those signature files are loaded into the program.

Scan a single binary file for matches against your signature files:

$ binmat path/to/bin

Or recursively check every binary inside a given folder against your signature files:

$ binmat path/to/directory

About

A CLI to match binary files using signatures. A signature is defined in a .yaml file, inside your $HOME/.config/binmat directory, and contains the following fields:

  • name: The name given to the signature.
  • description: An optional description of what the signature matches.
  • patterns: Named sequences of bytes or strings to be searched for in the binary. Pattern names can include between 1 and 16 lowercase letters, numbers and underscores.
  • condition: A boolean expression of the defined patterns, joined using the following operations:
    • AND: true when both operands are true.
    • OR: true when either operand is true.
    • NOT: negates an expression.

Here's an example of a signature:

name: example signature
description: a signature for demonstration purposes
patterns:
  a: '{ 74 fc ff ff c6 05 19 45 }'
  b: '{ 51 67 ?? ?? 44 }'
  c: this is a string
condition: a AND (b OR c)

Patterns are either sequences of hexadecimal numbers (byte sequences) or strings.

Byte sequences. Byte sequences are represented by hexadecimal numbers. They appear enclosed between curly brackets, as a string in the yaml file. For example:

a: '{ 74 fc ff ff c6 05 19 45 }'

Byte sequences may contain two question marks (??) that match any byte at that position. Here's an example:

b: '{ 51 67 ?? ?? 44 }'

The previous pattern matches any sequence of bytes that starts with 0x51 0x67, then has two arbitrary bytes, and last, a 0x44 byte. Examples of byte sequences that would be matched:

  • 0x51 0x67 0xab 0xcd 0x44
  • 0x51 0x67 0x11 0x22 0x44
  • 0x51 0x67 0x33 0xff 0x44

Strings. Only ASCII strings are supported at the moment. The string is converted to its ASCII byte sequence, and thus treated exactly as any other byte sequence.

About

A binary signature matcher written in Go

Topics

binary

Resources

Readme

License

GPL-3.0 license
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Languages