{"id":4031,"date":"2021-03-22T09:51:13","date_gmt":"2021-03-22T17:51:13","guid":{"rendered":"https:\/\/www.pnfsoftware.com\/blog\/?p=4031"},"modified":"2021-03-22T09:51:13","modified_gmt":"2021-03-22T17:51:13","slug":"jeb-codeless-native-signatures","status":"publish","type":"post","link":"https:\/\/www.pnfsoftware.com\/blog\/jeb-codeless-native-signatures\/","title":{"rendered":"Using Codeless Native Signatures"},"content":{"rendered":"\n<p>One of the new exciting features coming with JEB 4.0 is a set of signatures to <strong>identify common native libraries in a compiler-agnostic fashion<\/strong>.<\/p>\n\n\n\n<p>These &#8220;codeless&#8221; signatures were built to tackle an old reverse-engineering problem: the identification of common open-source libraries in executables. Because such libraries are compiled by the developers themselves, traditional code-based signatures &#8212; like our own <a href=\"https:\/\/www.pnfsoftware.com\/blog\/siglibgen-native-signatures-generation-for-jeb\/\" data-type=\"URL\" data-id=\"https:\/\/www.pnfsoftware.com\/blog\/siglibgen-native-signatures-generation-for-jeb\/\">SigLib<\/a> &#8212; need to be re-generated with the <em>same <\/em>compiler setup as the developers used; otherwise the signatures won&#8217;t match because the generated code differs.<\/p>\n\n\n\n<p>Therefore, identifying open-source libraries with code-based signatures is a lot of effort for a small return, because each set of signatures only matches <em>one<\/em> compiler setup (compiler version, optimization level&#8230;), and there is a vast number of them!<\/p>\n\n\n\n<p>We developed codeless signatures to identify open-source libraries without the burden of signature re-generation for each compiler setup. 
We are currently shipping signatures for the following libraries:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>OpenSSL, versions 0.9.8m to 1.1.1g<\/li><li>libcurl, versions 7.30.0 to 7.71.1<\/li><li>libssh2, versions 1.8.0, 1.8.2 and 1.9.0<\/li><li>bzip2, versions 1.0.6 and 1.0.8<\/li><li>zlib, versions 1.2.3, 1.2.8, 1.2.10 and 1.2.11<\/li><\/ul>\n\n\n\n<p>The signatures can be applied to <em>any <\/em>binary opened in JEB, through the &#8220;Native &gt; Codeless Signatures Libraries&#8221; menu.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/www.pnfsoftware.com\/blog\/wp-content\/uploads\/2021\/02\/open_codeless.gif\" alt=\"\"\/><\/figure>\n\n\n\n<p>We also ship an automatic library version identification tool (available from the &#8220;Codeless Signature Libraries&#8221; dialog), which should help decide which version of the library was linked when it is not obvious.<\/p>\n\n\n\n<p>In order to build such signatures we made some tradeoffs, notably accepting to miss some routines and to tolerate a few false positives. 
We believe JEB&#8217;s codeless signatures are particularly suitable when one is <em>not<\/em> interested in the library&#8217;s internals, so that the only library routines whose names really matter are the ones called by the rest of the code (as when doing malware analysis).<\/p>\n\n\n\n<p>Overall, our current experiments show promising results; for example, <strong>we usually identify 50-60% of OpenSSL routines, with a false-positive ratio of less than 2%, on a variety of architecture\/compiler setups<\/strong>.<\/p>\n\n\n\n<p>We will describe the internals of JEB&#8217;s codeless signatures in detail in an upcoming whitepaper, but in the meantime we made <a href=\"https:\/\/youtu.be\/GbA9LppApbQ\">a video<\/a> to demonstrate how to use them:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"JEB 4 Demo - Using codeless signatures to quickly identify openssl in a malware\" width=\"660\" height=\"371\" src=\"https:\/\/www.youtube.com\/embed\/GbA9LppApbQ?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>We really encourage you to test JEB&#8217;s codeless signatures and report feedback through the usual channels:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>leave a comment on this post<\/li><li>email&nbsp;<a href=\"mailto:support@pnfsoftware.com\">support@pnfsoftware.com<\/a><\/li><li>message us on&nbsp;<a href=\"https:\/\/jebdecompiler.slack.com\/\">Slack<\/a><\/li><li>or send us a Tweet&nbsp;<a href=\"https:\/\/twitter.com\/jebdec\">@jebdec<\/a><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>One of the new exciting features coming with JEB 4.0 is a set of signatures to identify common 
native libraries in a compiler-agnostic fashion. These &#8220;codeless&#8221; signatures were built to tackle an old reverse-engineering problem: the identification of common open-source libraries in executables. Because such libraries are compiled by the developers themselves, traditional code-based signatures &hellip; <a href=\"https:\/\/www.pnfsoftware.com\/blog\/jeb-codeless-native-signatures\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Using Codeless Native Signatures<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,2,13],"tags":[],"class_list":["post-4031","post","type-post","status-publish","format-standard","hentry","category-jeb4","category-malware","category-native-code"],"_links":{"self":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4031","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/comments?post=4031"}],"version-history":[{"count":0,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/posts\/4031\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/media?parent=4031"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/categories?post=4031"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.pnfsoftware.com\/blog\/wp-json\/wp\/v2\/tags?post=4031"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}