Thursday, March 3, 2011

sigscan - signature scanner

I've just discovered this signature scanner thanks to cyphunk in his comment to my post on bfcrypt. And I'm very thankful because it's quite hard to find it with search engines: there's only a Subversion repository with no description, no README files. Only source code, and the name: sigscan.

The source is available, but the license is unknown. And it works under Linux!

Anyway, here's how to get it:

$ svn co http://svn.xp-dev.com/svn/sigscan/trunk sigscan

If you don't have colorgcc installed, you can just do this:

$ sed -i 's/colorgcc/gcc/' makefile

$ make
gcc -c ./src/main.c -g -Wunused -I ./include -o obj/main.o
gcc -c ./src/handlers.c -g -Wunused -I ./include -o obj/handlers.o
gcc -o bin/sigscan obj/main.o obj/handlers.o

And now it's ready to use:

$ sigscan
sigscan v1.13 by petter wahlman, badeip@binary-art.net
usage: sigscan filename
--help this info
--nofs don't scan for file systems
--nocrypto don't scan for crypto signatures
--signatures show supported signatures

$ sigscan --signatures

containers (data):
[ 20 bytes] ARM Interrupt vectors
[ 16 bytes] SHA1
[ 16 bytes] cpio archive
[ 16 bytes] Cram FS
[ 8 bytes] ROM FS
[ 4 bytes] Squash FS
[ 10 bytes] BZIP header
[ 4 bytes] ELF
[ 8 bytes] 7-Zip archive
[ 7 bytes] RAR archive
[ 4 bytes] ZIP central directory
[ 8 bytes] ZIP local header
[ 4 bytes] u-boot/PPCBoot image
[ 5 bytes] ISO 9660
[ 5 bytes] TAR archive
[ 4 bytes] JFFS2
[ 4 bytes] LZMA1
[ 4 bytes] LZMA2
[ 4 bytes] QEMI QCOW
[ 4 bytes] CAB archive
[ 4 bytes] uClinux FLAT binary
[ 3 bytes] GZIP header
[ 11 bytes] Mediatek bootloader

crypto algorithms (code):
[ 72 bytes] Blowfish
[ 256 bytes] Camellia
[8192 bytes] CAST
[ 768 bytes] CAST256
[1024 bytes] CRC32
[ 48 bytes] DES
[ 128 bytes] GOST
[ 128 bytes] HAVAL
[2048 bytes] MARS
[ 256 bytes] MD2
[ 48 bytes] MD5
[ 18 bytes] PKCS_MD2
[ 18 bytes] PKCS_MD5
[ 15 bytes] PKCS_RIPEMD160
[ 19 bytes] PKCS_SHA256
[ 19 bytes] PKCS_SHA384
[ 19 bytes] PKCS_SHA512
[ 19 bytes] PKCS_Tiger
[2048 bytes] RawDES
[ 256 bytes] RC2
[1024 bytes] Rijndael
[ 256 bytes] SAFER
[ 256 bytes] SHA256
[ 640 bytes] SHA512
[16384 bytes] SHARK
[ 256 bytes] SKIPJACK
[ 256 bytes] Square/SHARK
[4096 bytes] Square
[8192 bytes] Tiger
[4096 bytes] Twofish
[ 80 bytes] WAKE
[2048 bytes] Whirlpool
[1024 bytes] zlib
[ 20 bytes] SHA-1
[ 8 bytes] RC5_RC6
[ 256 bytes] MD5
[ 16 bytes] MD4
[ 32 bytes] HAVAL
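
As an added illustration (not sigscan's source, and not code from the original post), the C sketch below shows the basic technique behind a listing like the one above: a table of byte signatures compared at every offset of an image. The three signatures are well-known magic values picked here as assumptions, not sigscan's own table; the sample image and the names find_sig and build_sample are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative signatures: well-known magic values, NOT sigscan's own table. */
struct sig { const char *name; const unsigned char *bytes; size_t len; };
static const unsigned char SIG_GZIP[] = { 0x1f, 0x8b, 0x08 };
static const unsigned char SIG_ELF[]  = { 0x7f, 'E', 'L', 'F' };
/* MD4/MD5 initial state words A, B, C, D as laid out on a little-endian target */
static const unsigned char SIG_MD5[]  = {
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
    0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 };

static const struct sig SIGS[] = {
    { "GZIP header",        SIG_GZIP, sizeof SIG_GZIP },
    { "ELF",                SIG_ELF,  sizeof SIG_ELF  },
    { "MD4/MD5 init state", SIG_MD5,  sizeof SIG_MD5  },
};
#define NSIGS (sizeof SIGS / sizeof SIGS[0])

/* Offset of the first match of signature idx at or after from, or -1 if none. */
long find_sig(const unsigned char *buf, size_t len, size_t idx, size_t from)
{
    if (idx >= NSIGS)
        return -1;
    for (size_t off = from; off + SIGS[idx].len <= len; off++)
        if (memcmp(buf + off, SIGS[idx].bytes, SIGS[idx].len) == 0)
            return (long)off;
    return -1;
}

/* Constructed sample "image": 0xff padding with planted signatures. */
void build_sample(unsigned char img[256])
{
    memset(img, 0xff, 256);
    memcpy(img + 0x10, SIG_ELF,  sizeof SIG_ELF);
    memcpy(img + 0x40, SIG_MD5,  sizeof SIG_MD5);
    memcpy(img + 0x80, SIG_GZIP, sizeof SIG_GZIP);
    memcpy(img + 0xc0, SIG_GZIP, sizeof SIG_GZIP);
    memcpy(img + 254,  SIG_GZIP, 2);  /* truncated at end of image: must not match */
}

int main(void)
{
    unsigned char img[256];
    build_sample(img);
    for (size_t i = 0; i < NSIGS; i++)      /* report every hit of every signature */
        for (long off = find_sig(img, sizeof img, i, 0); off >= 0;
             off = find_sig(img, sizeof img, i, (size_t)off + 1))
            printf("0x%06lx  %s\n", (unsigned long)off, SIGS[i].name);
    return 0;
}
```

Short signatures such as the 3-byte GZIP header also occur by chance in large binaries, so each reported offset is a candidate to verify (for example by trying to decompress from it), not a confirmed finding.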
