{"id":13706016,"url":"https://github.com/google/vxsig","last_synced_at":"2025-05-05T19:34:24.449Z","repository":{"id":65981618,"uuid":"187165583","full_name":"google/vxsig","owner":"google","description":"Automatically generate AV byte signatures from sets of similar binaries.","archived":false,"fork":false,"pushed_at":"2024-12-10T13:57:25.000Z","size":19674,"stargazers_count":269,"open_issues_count":5,"forks_count":32,"subscribers_count":9,"default_branch":"main","last_synced_at":"2025-04-19T22:27:44.152Z","etag":null,"topics":["antivirus","bindiff","binexport","c-plus-plus","disassembly","lcs-algorithm","signatures"],"latest_commit_sha":null,"homepage":"","language":"C++","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/google.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-05-17T07:11:02.000Z","updated_at":"2025-04-17T02:06:34.000Z","dependencies_parsed_at":"2024-02-13T15:04:50.591Z","dependency_job_id":null,"html_url":"https://github.com/google/vxsig","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fvxsig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fvxsig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fvxsig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/google%2Fvxsig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/google","dow
nload_url":"https://codeload.github.com/google/vxsig/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252563153,"owners_count":21768413,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["antivirus","bindiff","binexport","c-plus-plus","disassembly","lcs-algorithm","signatures"],"created_at":"2024-08-02T22:00:51.369Z","updated_at":"2025-05-05T19:34:19.439Z","avatar_url":"https://github.com/google.png","language":"C++","readme":"# VxSig\n\nCopyright 2011-2024 Google LLC\n\nDisclaimer: This is not an official Google product (experimental or otherwise),\nit is just code that happens to be owned by Google.\n\n## Introduction\n\nVxSig is a tool and library to automatically generate AV byte signatures from\nsets of similar binaries. It processes files generated by\n[BinExport](https://github.com/google/binexport) and\n[BinDiff](https://www.zynamics.com/software.html).\n\nSignatures can be generated for [Yara](https://github.com/VirusTotal/yara) (the\ndefault) and [ClamAV](https://www.clamav.net/).\n\n## Status\n\nVxSig is a mature tool that has been used at Google to create signatures and scan\nfor many kinds of malware and targeted threats.\n\n## Quick Start\n\nVxSig uses [Bazel](https://bazel.build/) to build and manage its dependencies.\nThe preferred way to use a current version is via\n[Bazelisk](https://github.com/bazelbuild/bazelisk), so install that first. 
For\nexample, on Debian-based Linux distributions do:\n\n```bash\n(cd /tmp \u0026\u0026 \\\n  wget -qO- \\\n  https://github.com/bazelbuild/bazelisk/releases/download/v1.19.0/bazelisk-linux-$(dpkg --print-architecture) \\\n  \u003e bazelisk \u0026\u0026 \\\n  echo 'd28b588ac0916abd6bf02defb5433f6eddf7cba35ffa808eabb65a44aab226f7  bazelisk' | \\\n  sha256sum -c \u0026\u0026 \\\n  chmod +x bazelisk \u0026\u0026 \\\n  sudo mv bazelisk /usr/local/bin/ \\\n)\n```\n\nRefer to the Bazel\n[Getting started guide](https://bazel.build/start) for how to get started on\nother platforms.\n\nClone and run the build:\n\n```bash\ngit clone https://github.com/google/vxsig \u0026\u0026 cd vxsig\nbazelisk build -c opt //vxsig:vxsig\n```\n\nTo build an example Yara signature:\n\n```bash\nbazel-bin/vxsig/vxsig --detection_name=VxSigTestSig --trim_length=400 \\\n  vxsig/testdata/592fvs2065.BinDiff\n```\n\nThe output should look like this (truncated):\n\n```\n----8\u003c--------8\u003c---- Signature ----8\u003c--------8\u003c----                    \nrule VxSigTestSig {\n  meta:\n    vxsig_build = \"redacted\"\n  strings:\n    $ = {\n         00008bd85985db5975\n         // 00401049: mov ebx, eax\n         // 0040104b: pop ecx\n         // 0040104c: test ebx, ebx\n         // 0040104e: pop ecx\n         // 0040104f: jnz 0x4010b7\n      [-]110000435653e8\n         // 004010c0: inc ebx\n         // 004010c1: push esi\n         // 004010c2: push ebx\n         // 004010c3: call 0x40226c\n      [-]1100006a10be\n         // 004010fe: push b1 0x10\n         // 00401100: mov esi, 0x4042a8\n      [-]6a0056e8\n         // 00401105: push b1 0x0\n         // 00401107: push esi\n         // 0040110b: call 0x402266\n...\n```\n\n## Further reading / Similar tools\n\n*   The original thesis that provided the basis for this tool (German language\n    only):\n    [Automatisierte Signaturgenerierung für Malware-Stämme](https://www.zynamics.com/downloads/blichmann-christian--diplomarbeit--final.pdf)\n*   
[zynamics VxClass](https://web.archive.org/web/20210224202639/https://www.zynamics.com/vxclass.html), a discontinued\n    malware analysis pipeline using a previous version of VxSig.\n*   Cisco's Talos Group's\n    [BASS Automated Signature Synthesizer](https://github.com/Cisco-Talos/BASS),\n    an open-source reimplementation of the thesis.\n*   [functionsimsearch](https://github.com/googleprojectzero/functionsimsearch),\n    a tool that can be used to create a corpus of files for computing function\n    occurrence counts.\n\n## Getting Involved\n\nIf you want to contribute, please read [CONTRIBUTING.md](CONTRIBUTING.md) and\nsend pull requests. You can also report bugs or file feature requests.\n","funding_links":[],"categories":["Tools","Malware Analysis"],"sub_categories":["Virus/Anti-Virus"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fvxsig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgoogle%2Fvxsig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgoogle%2Fvxsig/lists"}