{"id":21359384,"url":"https://github.com/trendmicro/telfhash","last_synced_at":"2025-04-10T02:25:33.485Z","repository":{"id":44536630,"uuid":"256580650","full_name":"trendmicro/telfhash","owner":"trendmicro","description":"Symbol hash for ELF files","archived":false,"fork":false,"pushed_at":"2022-02-09T13:48:12.000Z","size":63,"stargazers_count":108,"open_issues_count":3,"forks_count":15,"subscribers_count":12,"default_branch":"master","last_synced_at":"2025-04-04T13:55:40.794Z","etag":null,"topics":["elf","hash","malware-analysis","symbols"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trendmicro.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-17T18:30:40.000Z","updated_at":"2025-03-30T00:46:45.000Z","dependencies_parsed_at":"2022-09-26T17:40:56.374Z","dependency_job_id":null,"html_url":"https://github.com/trendmicro/telfhash","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Ftelfhash","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Ftelfhash/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Ftelfhash/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trendmicro%2Ftelfhash/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trendmicro","download_url":"https://codeload.github.com/trendmicro/telfhash/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","
kind":"github","repositories_count":248143637,"owners_count":21054812,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["elf","hash","malware-analysis","symbols"],"created_at":"2024-11-22T05:28:02.492Z","updated_at":"2025-04-10T02:25:33.441Z","avatar_url":"https://github.com/trendmicro.png","language":"Python","readme":"# Trend Micro ELF Hash (telfhash)\n\ntelfhash is a symbol hash for ELF files, just as imphash is an import hash for PE files. With telfhash, you can cluster ELF files by similarity based on their symbols. This is particularly useful for clustering malicious samples. If a sample has no symbols, telfhash uses the destination addresses of its calls to emulate a symbol list. See the [Resources](#Resources) section for more information.\n\n## Installation\n\n### pip\n\nThe easiest way to get telfhash working is to install it via pip:\n\n`pip install telfhash`\n\n### Manual\n\n#### Requirements\n\ntelfhash uses TLSH to generate the hash. TLSH must be installed on your system for telfhash to work.\n\nYou can install TLSH from here:\n\n* [https://github.com/trendmicro/tlsh/](https://github.com/trendmicro/tlsh/)\n\nThe TLSH git repo has detailed instructions on how to compile and install the TLSH binaries and libraries. Don't forget to also install the TLSH Python library. 
telfhash uses the TLSH Python library to generate the actual hash.\n\n#### Installing\n\nClone the telfhash repository from here:\n\n* [https://github.com/trendmicro/telfhash](https://github.com/trendmicro/telfhash)\n\nUse `setup.py` to install the telfhash library:\n\n    python setup.py install\n\n## Usage\n\n### Command line\n\nIf telfhash was installed via the `python setup.py install` command, the `telfhash` executable will be made available.\n\n    $ telfhash -h\n    usage: telfhash.py [-h] [-g] [-t THRESHOLD] [-r] [-d] files [files ...]\n\n    positional arguments:\n      files                 Target ELF file(s). Accepts wildcards\n\n    optional arguments:\n      -h, --help            show this help message and exit\n      -g, --group           Group the files according to how close their telfhashes\n                            are\n      -t THRESHOLD, --threshold THRESHOLD\n                            Minimum distance betweeen telfhashes to be considered\n                            as related. Only works with -g/--group. Defaults to 50\n      -r, --recursive       Deep dive into all the subfolders. 
Input should be a\n                            folder\n      -d, --debug           Print debug messages\n\n    $ telfhash /bin/trace*\n    /bin/tracepath    09d097025c0b40af18cb0c08ac3f2f5df100d850483bc1404f108809113290a2d6ae4f\n    /bin/traceroute   65e02002d9b9552f56f35e709caf6fa57115f841e83b87148f04b592c023542ed0549f\n    /bin/traceroute6  65e02002d9b9552f56f35e709caf6fa57115f841e83b87148f04b592c023542ed0549f\n\n    $ telfhash -g /sbin/ip*\n    /sbin/ip                        33c15268ac66484d58be0e68ed2d7e68c25b5b97edf02b10dff4c412d2c3586725f01b\n    /sbin/ip6tables                 083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/ip6tables-legacy          083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/ip6tables-legacy-restore  083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/ip6tables-legacy-save     083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/ip6tables-restore         083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/ip6tables-save            083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/ipmaddr                   7dc08c0a6622ad4b2af66e781c3322864248e073b06ccb56aaaf854088062091c6011c\n    /sbin/ipset                     e4a0029085e66bce4ed2146959136540409454e38028d780613002a6d70154d5023d6a\n    /sbin/iptables                  083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/iptables-apply            -\n    /sbin/iptables-legacy           083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/iptables-legacy-restore   083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/iptables-legacy-save      083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/iptables-restore          083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n 
   /sbin/iptables-save             083169fc5722ee8734bfb9357cf23b41a5092db0b9a8d0a95d08d743464636ca143c66\n    /sbin/iptstate                  1ef02223f4318ca385920c9910f975a131268721a1dbb80dff038e758bad21e65718cf\n    /sbin/iptunnel                  d5c08c4aa612ad5b3ae72e781c3330868248e0b2b05c8b52aa2a854089062090c60518\n\n    Group 1:\n        /sbin/ipmaddr\n        /sbin/iptunnel\n    Group 2:\n        /sbin/ip6tables\n        /sbin/ip6tables-legacy\n        /sbin/ip6tables-legacy-restore\n        /sbin/ip6tables-legacy-save\n        /sbin/ip6tables-restore\n        /sbin/ip6tables-save\n        /sbin/iptables\n        /sbin/iptables-legacy\n        /sbin/iptables-legacy-restore\n        /sbin/iptables-legacy-save\n        /sbin/iptables-restore\n        /sbin/iptables-save\n    Cannot be grouped:\n        /sbin/iptstate\n        /sbin/ipset\n        /sbin/ip\n\n### Python module\n\n    \u003e\u003e\u003e import telfhash\n    \u003e\u003e\u003e import pprint\n    \u003e\u003e\u003e telfhash.telfhash(\"/bin/ping\")\n    {'file': '/bin/ping', 'telfhash': '6901d303587a847f9aa30ce44c3f3f5c6101e9525eb2d354cf1297948022b40aa4a99f', 'msg': ''}\n    \u003e\u003e\u003e\n    \u003e\u003e\u003e results = telfhash.telfhash(\"telfhash/tests/samples/hdumps/*\")\n    \u003e\u003e\u003e groups = telfhash.group(results)\n    \u003e\u003e\u003e pprint.pprint(groups)\n    {'grouped': (('telfhash/tests/samples/hdumps/hdump_32_so_stat_stripped',\n                  'telfhash/tests/samples/hdumps/hdump_32_stat_stripped'),\n                 ('telfhash/tests/samples/hdumps/hdump_64_so_stat_stripped',\n                  'telfhash/tests/samples/hdumps/hdump_64_stat_stripped'),\n                 ('telfhash/tests/samples/hdumps/hdump_32_so_stat',\n                  'telfhash/tests/samples/hdumps/hdump_32_stat',\n                  'telfhash/tests/samples/hdumps/hdump_64_so_stat',\n                  'telfhash/tests/samples/hdumps/hdump_64_stat',\n                  
'telfhash/tests/samples/hdumps/hdump_static'),\n                 ('telfhash/tests/samples/hdumps/hdump',\n                  'telfhash/tests/samples/hdumps/hdump32',\n                  'telfhash/tests/samples/hdumps/hdump_32_dyn',\n                  'telfhash/tests/samples/hdumps/hdump_32_dyn_stripped',\n                  'telfhash/tests/samples/hdumps/hdump_32_so_dyn',\n                  'telfhash/tests/samples/hdumps/hdump_32_so_dyn_stripped',\n                  'telfhash/tests/samples/hdumps/hdump_64_dyn',\n                  'telfhash/tests/samples/hdumps/hdump_64_dyn_stripped',\n                  'telfhash/tests/samples/hdumps/hdump_64_so_dyn',\n                  'telfhash/tests/samples/hdumps/hdump_64_so_dyn_stripped',\n                  'telfhash/tests/samples/hdumps/hdump_dynamic',\n                  'telfhash/tests/samples/hdumps/hdump_stripped')),\n     'nogroup': []}\n    \u003e\u003e\u003e\n    \u003e\u003e\u003e telfhash.telfhash(\"samples/LinuxMoose/LinuxMoose.arm7.2015.0.bin\")\n    {'file': 'samples/LinuxMoose/LinuxMoose.arm7.2015.0.bin', 'telfhash': None, 'msg': 'No symbols found'}\n    \u003e\u003e\u003e telfhash.telfhash(\"/bin/ls\", \"/bin/lsattr\")\n    [{'file': '/bin/ls', 'telfhash': '1ff0994248230af71762c8b15c0533da9a208b2656e5bf302f1985d04e2a5be779284f', 'msg': ''}, {'file': '/bin/lsattr', 'telfhash': '69c08017dd0fe4f35dd90d589c07380ae7dee06057b9d7400d3c46c1755058c5d5555d', 'msg': ''}]\n\n## Resources\n\n* [Similarity brings your threat hunting to the next level](https://www.brighttalk.com/webcast/18282/452440) - VirusTotal / Trend Micro / Trinity Cyber - November 25, 2020\n* [VirusTotal Now Supports Trend Micro ELF Hash](https://www.trendmicro.com/en_us/research/20/j/virustotal-now-supports-trend-micro-elf-hash.html) - Trend Micro Research - October 13, 2020\n* [Grouping Linux IoT Malware Samples With Trend Micro ELF Hash aka telfhash](https://blog.trendmicro.com/trendlabs-security-intelligence/) - Trend Micro Blog - April 20, 
2020.\n","funding_links":[],"categories":["Mobile"],"sub_categories":["Linux/ *Nix"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrendmicro%2Ftelfhash","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrendmicro%2Ftelfhash","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrendmicro%2Ftelfhash/lists"}