FireDog - Open source cross-platform lightweight virus signature detection engine.

Overview

FireDog

Open source cross-platform lightweight virus signature detection engine.

Language

C++ 11

LICENSE

It's the one you like: MIT License.

Let's do it!

Contact us

QQGroup: 337571436

Email: [email protected]

Introduction

FireDog provides a lightweight signature detection engine that supports custom, extensible feature libraries. An engine architecture diagram will be added when time permits.

Update log

v1.1.0

1: Refactor the feature library format so that the library structure is more reasonable.
2: Upgrade hex detection to support wildcards, for example: 6D ?? ?5 6? [73-75] [41-5A,61-7A] 6C 6F 75 64
3: Add the lightweight rule engine /rule/rule.h, so a feature library can use rules for conditional matching; the syntax is similar to a mongodb query.
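The following is an added, self-contained C++11 example (not FireDog's own code) showing how the hex wildcard syntax above can be parsed and scanned: "??" matches any byte, "?5" / "6?" fix one nibble, and "[lo-hi,lo-hi]" accepts any of the listed inclusive byte ranges. That interpretation is inferred from the README's examples, and the function names and the -1 / -2 return codes are this example's own conventions.

```cpp
#include <bitset>
#include <sstream>
#include <string>
#include <vector>
// A parsed pattern: one "allowed bytes" set per position, so matching is a table lookup.
typedef std::vector<std::bitset<256>> HexPattern;

static int nibble(char c) {            // hex digit value, or -1 for '?' and anything else
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}
static int hexByte(const std::string& s, size_t at) {   // two hex digits -> 0..255, else -1
    int hi = nibble(s[at]), lo = nibble(s[at + 1]);
    return (hi < 0 || lo < 0) ? -1 : (hi << 4 | lo);
}

// Parses "6D ?? ?5 6? [73-75] [41-5A,61-7A] ..." as the README describes it:
// "??" any byte, "?5"/"6?" one fixed nibble, "[lo-hi,lo-hi]" any of the ranges.
// Returns false on a syntax error instead of silently matching garbage.
bool parseHexPattern(const std::string& pattern, HexPattern& out) {
    out.clear();
    std::istringstream in(pattern);
    for (std::string tok; in >> tok;) {
        std::bitset<256> allowed;
        if (tok.size() == 2 && tok[0] != '[') {
            int hi = nibble(tok[0]), lo = nibble(tok[1]);
            if ((hi < 0 && tok[0] != '?') || (lo < 0 && tok[1] != '?')) return false;
            for (int b = 0; b < 256; ++b)        // hi/lo == -1 means "any nibble"
                if ((hi < 0 || (b >> 4) == hi) && (lo < 0 || (b & 0xF) == lo)) allowed.set(b);
        } else if (tok.size() >= 7 && tok.front() == '[' && tok.back() == ']') {
            std::istringstream list(tok.substr(1, tok.size() - 2));
            for (std::string r; std::getline(list, r, ',');) {   // each r is "41-5A"
                int lo, hi;
                if (r.size() != 5 || r[2] != '-' || (lo = hexByte(r, 0)) < 0 ||
                    (hi = hexByte(r, 3)) < 0 || lo > hi) return false;
                for (int b = lo; b <= hi; ++b) allowed.set(b);
            }
        } else return false;
        out.push_back(allowed);
    }
    return !out.empty();
}

// Offset of the first match of pat in buf, or -1 if none (byte-wise, no text decoding).
long findHexPattern(const HexPattern& pat, const std::string& buf) {
    for (size_t i = 0; !pat.empty() && i + pat.size() <= buf.size(); ++i) {
        size_t j = 0;
        while (j < pat.size() && pat[j].test(static_cast<unsigned char>(buf[i + j]))) ++j;
        if (j == pat.size()) return static_cast<long>(i);
    }
    return -1;
}
// Parse and scan in one call; -2 reports a pattern syntax error.
long scanHex(const std::string& pattern, const std::string& buf) {
    HexPattern pat;
    return parseHexPattern(pattern, pat) ? findHexPattern(pat, buf) : -2;
}
```

Run against the README's test string, the "mountcloud" pattern matches at offset 13 and the "firedog" pattern at offset 36; a malformed token such as "ZZ" or an inverted range is rejected rather than scanned.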

v1.0.0

Support hex, md5 and text type detection.

Use

Step 1: download

git clone https://github.com/MountCloud/FireDog.git

Step 2: include

Add the FireDog sources to your project and include its headers (see the example below).

Step 3: Example

#include <iostream>
#include <string>

#include "firedog.h"
#include "featurelibrary.h"
#include "matcher.h"

#include "stringutil.h"

#include "rule/rule.h"

using namespace std;
using namespace firedog;

void testMatcher() {

    //test feature library: define the feature library as JSON
    const char* featureLibraryJson = R"(
        {
            "version":"1.1.0",
            "items":[
                {
                    "name":"test simple",
                    "describe":"match hello world,hello hex:68 65 6C 6C 6F,world hex:77 6F 72 6C 64",
                    "author":"MountCloud",
                    "features":[
                        {
                            "key":"str1",
                            "text":"hello"
                        },
                        {
                            "key":"str2",
                            "text":"world"
                        }
                    ],
                    "rule":{
                        "$and":[
                            "str1",
                            "str2"
                        ]
                    }
                },
                {
                    "name":"test complex hex match",
                    "describe":"match mountcloud firedog,mountcloud hex:6D 6F 75 6E 74 63 6C 6F 75 64,firedog hex:66 69 72 65 64 6F 67",
                    "author":"MountCloud",
                    "features":[
                        {
                            "key":"hex1",
                            "hex":"6D ?? ?5 6? [73-75] [41-5A,61-7A] 6C 6F 75 64"
                        },
                        {
                            "key":"hex2",
                            "hex":"66 6? 72 ?? 64 [60-70] 67"
                        }
                    ],
                    "rule":{
                        "$and":[
                            "hex1",
                            "hex2"
                        ]
                    }
                },
                {
                    "name":"test complex rule match",
                    "describe":"match we can do it.",
                    "author":"MountCloud",
                    "features":[
                        {
                            "key":"str1",
                            "text":"we"
                        },
                        {
                            "key":"str2",
                            "text":"can"
                        },
                        {
                            "key":"str3",
                            "text":"do"
                        },
                        {
                            "key":"str4",
                            "text":"it"
                        }
                    ],
                    "rule":{
                        "$and":[
                            {
                                "$or":[
                                    {
                                        "$and":[
                                            "str1","str2"
                                        ]
                                    },
                                    {
                                        "$and":[
                                            "str3","str4"
                                        ]
                                    }
                                ]
                            },
                            {
                                "$and":[
                                    "str1",
                                    "str4"
                                ]
                            }
                        ]
                    }
                }
            ]
        }

    )";

    //bytes to check
    //const string bytes = "fire dog hello world.";
    const string bytes = "123213123213 mountcloud 12312312313 firedog";

    int ecode = NO_ERROR;

    //step1: init feature library
    FeatureLibrary* featureLibrary = FeatureLibrary::createByJson(featureLibraryJson, &ecode);

    if (ecode != NO_ERROR) {
        cout << "feature library load failed" << endl;
        return;
    }

    //step2: push to the firedog datasource; multiple feature libraries are supported
    FireDog* fireDog = new FireDog();
    ecode = fireDog->pushFeatureLibrary(featureLibrary);
    if (ecode != NO_ERROR) {
        cout << "push feature library failed" << endl;
        return;
    }

    //step3: create a matcher, one matcher per file!
    Matcher* matcher = fireDog->createNewMatcher();
    if (matcher == NULL) {
        cout << "create matcher failed" << endl;
        return;
    }

    //step4: feed bytes to the matcher
    int length = bytes.length();
    MatcherResult* mr = NULL;

    //check multiple bytes in one call
    //mr = matcher->matchBytes(bytes.c_str(), length);
    //or check byte by byte
    for (size_t i = 0; i < bytes.size(); i++) {
        char byte = bytes[i];
        mr = matcher->matchByte(byte);
        if (mr != NULL) {
            break;
        }
    }
    //detection result
    if (mr != NULL) {
        cout << "found it:" << mr->name << endl;
    }
    else {
        cout << "not found." << endl;
    }
}

int main()
{
    testMatcher();
    return 0;
}


Example of feature library

Please refer to: doc/test-feature-library.json, doc/firedog-featurelibrary-json-schema.json

{
    "version":"1.1.0",
    "items":[
        {
            "name":"test simple",
            "describe":"match hello world,hello hex:68 65 6C 6C 6F,world hex:77 6F 72 6C 64",
            "author":"MountCloud",
            "features":[
                {
                    "key":"str1",
                    "text":"hello"
                },
                {
                    "key":"str2",
                    "text":"world"
                }
            ],
            "rule":{
                "$and":[
                    "str1",
                    "str2"
                ]
            }
        },
        {
            "name":"test complex hex match",
            "describe":"match mountcloud firedog,mountcloud hex:6D 6F 75 6E 74 63 6C 6F 75 64,firedog hex:66 69 72 65 64 6F 67",
            "author":"MountCloud",
            "features":[
                {
                    "key":"hex1",
                    "hex":"6D ?? ?5 6? [73-75] [41-5A,61-7A] 6C 6F 75 64"
                },
                {
                    "key":"hex2",
                    "hex":"66 6? 72 ?? 64 [60-70] 67"
                }
            ],
            "rule":{
                "$and":[
                    "hex1",
                    "hex2"
                ]
            }
        },
        {
            "name":"test complex rule match",
            "describe":"match we can do it., if ((str1&&str2)|(str3&&str4))&&(str1&&str4)",
            "author":"MountCloud",
            "features":[
                {
                    "key":"str1",
                    "text":"we"
                },
                {
                    "key":"str2",
                    "text":"can"
                },
                {
                    "key":"str3",
                    "text":"do"
                },
                {
                    "key":"str4",
                    "text":"it"
                }
            ],
            "rule":{
                "$and":[
                    {
                        "$or":[
                            {
                                "$and":[
                                    "str1","str2"
                                ]
                            },
                            {
                                "$and":[
                                    "str3","str4"
                                ]
                            }
                        ]
                    },
                    {
                        "$and":[
                            "str1",
                            "str4"
                        ]
                    }
                ]
            }
        }
    ]
}
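Added example (not part of the FireDog project): a minimal evaluator for the nested "$and" / "$or" rule shape used above, applied to the "test complex rule match" item, whose describe field spells the rule out as ((str1&&str2)|(str3&&str4))&&(str1&&str4). The rule tree is built in code rather than parsed from JSON, and plain substring search stands in for the engine's text feature matching; both are simplifications of this example, not FireDog's implementation.

```cpp
#include <set>
#include <string>
#include <utility>
#include <vector>

// A rule node mirrors the JSON: a bare feature key, or a "$and"/"$or" list of sub-rules.
struct Rule {
    enum Kind { KEY, AND, OR } kind;
    std::string key;               // used when kind == KEY
    std::vector<Rule> children;    // used when kind == AND / OR
};
Rule keyRule(const std::string& k) { Rule r; r.kind = Rule::KEY; r.key = k; return r; }
Rule andRule(const std::vector<Rule>& c) { Rule r; r.kind = Rule::AND; r.children = c; return r; }
Rule orRule(const std::vector<Rule>& c) { Rule r; r.kind = Rule::OR; r.children = c; return r; }

// Evaluates a rule against the set of feature keys that were found in the scanned bytes.
bool evalRule(const Rule& r, const std::set<std::string>& hit) {
    switch (r.kind) {
    case Rule::KEY: return hit.count(r.key) != 0;
    case Rule::AND:
        for (const Rule& c : r.children) if (!evalRule(c, hit)) return false;
        return !r.children.empty();   // an empty "$and" matches nothing (this example's choice)
    case Rule::OR:
        for (const Rule& c : r.children) if (evalRule(c, hit)) return true;
        return false;
    }
    return false;
}

// The "test complex rule match" rule from the feature library above.
Rule complexRule() {
    return andRule({ orRule({ andRule({keyRule("str1"), keyRule("str2")}),
                              andRule({keyRule("str3"), keyRule("str4")}) }),
                     andRule({keyRule("str1"), keyRule("str4")}) });
}

// Which of the item's four text features occur in the buffer (substring search stands in
// for the engine's byte matching; this is a simplification of the example).
std::set<std::string> matchedKeys(const std::string& buf) {
    const std::pair<const char*, const char*> feats[] = {
        {"str1", "we"}, {"str2", "can"}, {"str3", "do"}, {"str4", "it"}};
    std::set<std::string> hit;
    for (const auto& f : feats) if (buf.find(f.second) != std::string::npos) hit.insert(f.first);
    return hit;
}
bool itemMatches(const std::string& buf) { return evalRule(complexRule(), matchedKeys(buf)); }
```

"we can do it" and "we do it" satisfy the rule, while "we can" and "do it" do not, because the outer "$and" also requires str1 and str4 together.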
Releases (v1.3.3)

  • v1.3.3 (Jan 5, 2023)

    FireDog Version: v1.3.3; FireDog Editor Version: v2.2; Feature Library Version: v1.2.1

    1: Fix the error raised when the detection result is empty.
    2: Optimize the yaml component so that it builds with gcc 4.8 (the CentOS 7 default), improving the engine's cross-platform compilation.

    Source code (tar.gz)
    Source code (zip)
    FireDogEditorV2.2.zip (17.14 MB)

  • v1.3.1.0 (Jun 29, 2022)

    FireDog Version: v1.3.1; FireDog Editor Version: v2.1; Feature Library Version: v1.2.1

    1: Refactor the rule engine to support multiple logical, statistical and comparison operations.
    2: Refactor the feature library format from json to yaml (json really does not look good).
    3: Change the feature matching logic to separate byte matching from checking the match results.
    4: Adapt the editor to the new rule engine and feature library format.

    Source code (tar.gz)
    Source code (zip)
    FireDogEditorV2.1.zip (17.48 MB)

  • v1.2.1 (Nov 17, 2021)

    FireDog Version: v1.2.1; FireDog Editor Version: v1.0; Feature Library Version: v1.1.0

    1: Matching a single resource now returns multiple matched features instead of a single one, so several features can be detected in one file.
    2: [Major update] Launch the "feature library editor FireDogEditor", which lets you modify and test feature libraries through a GUI; the editor supports internationalization.

    Source code (tar.gz)
    Source code (zip)
    FireDogEditorV1.0.zip (17.46 MB)

  • v1.1.0 (Sep 27, 2021)

    1: Refactor the feature library format so that the library structure is more reasonable.
    2: Upgrade hex detection to support wildcards, for example: 6D ?? ?5 6? [73-75] [41-5A,61-7A] 6C 6F 75 64
    3: Add the lightweight rule engine /rule/rule.h, so a feature library can use rules for conditional matching; the syntax is similar to a mongodb query.

    Source code (tar.gz)
    Source code (zip)

  • v1.0.0 (Sep 23, 2021)

Owner
Sharing makes people progress. [email protected].