Signature matching #2964
Does the signature matcher work on a perfect match or does it match based on a confidence threshold, heuristic, etc.?
Replies: 1 comment
The short explanation is that it's something in between. It's a somewhat fuzzy match that is described in more detail here: https://binary.ninja/2020/03/11/signature-libraries.html
It's not strictly a heuristic, but neither is it a perfect match. You can see in the blog post how it stores the data and how it masks off certain bytes subject to change to make it slightly malleable, but it is still based on a particular architecture.
We originally planned on building an IL-based implementation, but early tests showed some limitations, so we can take more time to implement something more advanced.
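The masked-byte idea from the reply above, as an added example that is not Binary Ninja's code or the storage format from the blog post: bytes expected to change (here a call displacement) are masked out, everything else must match exactly. `MaskedSignature`, `make_signature` and `identify` are hypothetical names, and the x86 byte strings are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MaskedSignature:
    name: str
    pattern: bytes
    mask: bytes  # 0xff = byte must match exactly, 0x00 = byte is ignored

    def matches(self, code: bytes) -> bool:
        # Compare only the leading len(pattern) bytes, under the mask.
        if len(code) < len(self.pattern):
            return False
        return all((c & m) == (p & m)
                   for c, p, m in zip(code, self.pattern, self.mask))


def make_signature(name, code, volatile):
    """Build a signature; volatile is a list of (offset, length) byte
    ranges that vary between builds (relocated addresses, displacements)."""
    mask = bytearray(b"\xff" * len(code))
    for off, length in volatile:
        if off < 0 or off + length > len(code):
            raise ValueError("volatile range outside function bytes")
        mask[off:off + length] = bytes(length)
    pattern = bytes(b & m for b, m in zip(code, mask))
    return MaskedSignature(name, pattern, bytes(mask))


def identify(code, signatures):
    """Return the names of all signatures whose masked bytes match."""
    return [s.name for s in signatures if s.matches(code)]


# Constructed samples: push rbp; mov rbp,rsp; call rel32; pop rbp; ret
BUILD_A = bytes.fromhex("554889e5e8100000005dc3")
BUILD_B = bytes.fromhex("554889e5e8a4fdffff5dc3")   # same code, other call target
OTHER_OP = bytes.fromhex("554889e5e9100000005dc3")  # jmp rel32 instead of call
X86_32 = bytes.fromhex("5589e5e8100000005dc3")      # same logic, 32-bit encoding

# Mask the 4-byte displacement that follows the call opcode at offset 4.
SIG = make_signature("wrapper", BUILD_A, [(5, 4)])

if __name__ == "__main__":
    for label, blob in [("BUILD_A", BUILD_A), ("BUILD_B", BUILD_B),
                        ("OTHER_OP", OTHER_OP), ("X86_32", X86_32)]:
        print(label, identify(blob, [SIG]))
```

The last two samples show both limits mentioned in the reply: a single unmasked byte difference defeats the match, and the same logic encoded for another architecture mode does not match at all.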