How it works...

We begin this recipe by looking at an example signature detection script in order to understand how it works. This is a simplified example, of course, but it should reinforce the point nonetheless. I want us to focus on the signature variable, which is a dictionary object. Each item in this dictionary represents a signature we want to identify as malicious.

The first item in this dictionary is the hexadecimal value 4883c03b, which is the encoding of the add rax, 0x3b instruction. On x86-64, execve is system call number 59 (0x3b), so this instruction places the execve number in RAX, provided RAX was zeroed beforehand (for example by a preceding xor rax, rax). There are, of course, a plethora of other instruction sequences that load 0x3b into RAX (mov eax, 0x3b or push 0x3b; pop rax, among others), so a real signature set would include several of them, but this one will do for now. The remaining items in this dictionary are various forms of the /bin/bash string that have been converted into hexadecimal using a few different methods. We also want to make sure we open the file and read it into a file object as binary. This is done with inputFile = open(sys.argv[1], 'rb'), where 'rb' indicates read mode and binary mode, respectively. Next, we call the binascii method known as hexlify on all the bytes read from the file to convert the file into one long hexadecimal string object. Note that hexlify emits lowercase hex digits, so every signature in the dictionary must be written in lowercase as well, or it will never match.

We then use a for loop to iterate through each item in our signature dictionary and check whether it occurs as a substring of the input file's hexadecimal string, reporting any matches. One caveat of this substring approach is that a signature can also match starting at an odd hex digit, that is, straddling a byte boundary, which is a false positive; a careful implementation checks that the match offset is even (byte-aligned) before reporting it.

In step 2, we run the script against the ch09-revshell64 binary, which is a copy of the edited reverse shell binary from Chapter 7, Analyzing a Simple Reverse Shell. Immediately, the script identifies several signatures within the binary, as shown in the following screenshot:

In step 3, we validate our script's findings by running a familiar tool against the binary:
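The following is an added example of the signature-scanning approach described in this recipe; it is not the recipe's own script and not taken from the book. The signature table is my own (the /bin/sh variants and the reversed 64-bit immediate form are assumptions about what a scanner might look for), the sample bytes are constructed rather than taken from ch09-revshell64, and the even-offset check is added to drop the cross-byte-boundary false positives that a plain substring search produces.

```python
import binascii
import sys

# Signatures are lowercase hex because binascii.hexlify() emits lowercase.
# Only the 4883c03b entry comes from the recipe; the rest are this example's
# own choices (assumptions about what else a scanner might flag).
SIGNATURES = {
    "4883c03b": "add rax, 0x3b (execve syscall number, if RAX was 0)",
    "6a3b58": "push 0x3b; pop rax (execve syscall number)",
    "b83b000000": "mov eax, 0x3b (execve syscall number)",
    binascii.hexlify(b"/bin/bash").decode(): "'/bin/bash' as a plain string",
    binascii.hexlify(b"/bin/sh\x00").decode(): "'/bin/sh' NUL-terminated",
    # An 8-byte string loaded as a 64-bit immediate is stored little-endian,
    # so its bytes appear reversed in the code: "//bin/sh" -> 68732f6e69622f2f
    binascii.hexlify(b"//bin/sh"[::-1]).decode(): "'//bin/sh' as reversed 64-bit immediate",
}


def scan_hex(hexstr, signatures=SIGNATURES):
    """Return [(byte_offset, signature, description)] for byte-aligned matches."""
    hits = []
    for sig, desc in signatures.items():
        start = 0
        while True:
            idx = hexstr.find(sig, start)
            if idx == -1:
                break
            # A hit at an odd nibble index straddles a byte boundary: it is an
            # artefact of searching hex text, not a real byte sequence.
            if idx % 2 == 0:
                hits.append((idx // 2, sig, desc))
            start = idx + 1
    return hits


def scan_bytes(data, signatures=SIGNATURES):
    """Hexlify raw bytes the way the recipe does, then scan the hex string."""
    return scan_hex(binascii.hexlify(data).decode("ascii"), signatures)


def scan_file(path, signatures=SIGNATURES):
    with open(path, "rb") as input_file:      # 'rb': read mode, binary mode
        return scan_bytes(input_file.read(), signatures)


# Constructed sample "binary": not a real executable, just bytes that contain
# an execve setup, a syscall, a /bin/bash string, and a deliberate decoy.
SAMPLE = (
    b"\x90\x90"                  # nop; nop (padding)
    b"\x48\x31\xc0"              # xor rax, rax
    b"\x48\x83\xc0\x3b"          # add rax, 0x3b   -> expected hit at offset 5
    b"\x0f\x05"                  # syscall
    b"/bin/bash\x00"             # the target string -> expected hit at offset 11
    b"\x04\x88\x3c\x03\xb0"      # hex "04883c03b0" contains "4883c03b" at an
                                 # odd nibble offset: must NOT be reported
)

if __name__ == "__main__":
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else scan_bytes(SAMPLE)
    for offset, sig, desc in hits:
        print(f"offset 0x{offset:x}: {sig} -> {desc}")
```

Run it with a path argument to scan a real file, or with no arguments to scan the constructed sample, which reports exactly two hits (the add rax, 0x3b at offset 5 and /bin/bash at offset 11) and correctly ignores the decoy bytes at the end. For a production scanner you would search the raw bytes with bytes.find() instead of hexlifying, which avoids the alignment problem entirely, but the hex-string form mirrors the recipe's script.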
