View Single Post
  #4  
Old 06-04-2021, 09:35
chants chants is offline
VIP
 
Join Date: Jul 2016
Posts: 725
Rept. Given: 35
Rept. Rcvd 48 Times in 30 Posts
Thanks Given: 666
Thanks Rcvd at 1,053 Times in 478 Posts
chants Reputation: 48
This sounds like a perfect case for FLIRT signatures especially if public libraries or reference implementations are involved.

One thought is also to look for signatures for big integer implementations in commonly used libraries like gnu mp/gmp or boost has cpp_int and libtommath, TTMath, BIGINT of OpenSSL, etc. Granted this covers mostly public key crypto like RSA or ECDSA. And there are do many libraries with so many versions that it would be time consuming to be thorough. And symmetric ciphers or hash functions which arent using such arithmetic but mixing like with AES and DES, would be reliant on solely specific signatures.

Of course with custom implementations which is not hard to do even for big integer, it becomes nearly impossible and you are stuck with heuristics and common patterns. Even SBoxes are customizable and its known to be done as long as the math behind it is correctly preserving security of the affine transforms.

It would be really nice to have a huge signature database of the common ones though as most developers are not engineering custom solutions.

Also if Windows API is used, it shouldn't be hard to check the DLL imports.
Reply With Quote