SSDEEP, I believe, is an essential tool for many researchers, malware analysts, reverse engineers, etc. Recently, a friend of mine asked how to compute and compare ssdeep hashes on Windows programmatically. Since I have used SSDEEP in the past for a few projects, I pointed him towards ssdeep and pydeep. I have used these Python libs on Linux many times, and I was pretty sure they would work just fine on Windows too (guess what, I was very wrong).
I tried compiling it myself, but nada. I couldn't find an existing solution that helped, and I didn't want to install Cygwin, etc. just for this. So I set out to write a mini wrapper for SSDEEP on Windows.
My main goal was to provide an interface similar to the one the ssdeep library provides for Python on Linux. I also wanted to keep the number of external libs needed to a minimum, ideally zero.
* Drum rolls *
I present to you - SSDEEP-FTW ( SSDEEP - For the Windows ). The project is not a Python implementation of ssdeep, but rather a mini wrapper that runs commands and parses their output, using the original ssdeep executable on your system.
The code has been tested on the following setup:
- Operating System: Windows 7
- Python 2.7
- ssdeep 2.13
No external python libraries are required.
Setting up is pretty easy:
- Clone the project from the GitHub repo.
- Download ssdeep 2.13 from here.
- Unzip ssdeep 2.13 and remember the path.
- Open the ssftw.py file and edit the SSDEEP_PATH variable, replacing its value with the path to ssdeep.exe on your system.
As of now, I haven't prepared a Python package of it, but I plan to do so soon. Therefore, right now there are two ways to use the wrapper script:
- Keep the ssftw.py file in the same directory as your project.
- Copy the Libs folder into your Python installation, generally C:\Python27\Lib\. This will allow you to run import ssftw from anywhere on your system.
Now you are ready to use the code.
Using the code should be pretty straightforward if you have used the ssdeep Python wrapper on Linux. Even if you haven't, I have created an example script which demonstrates the supported operations. The script is available in the repo as example.py. You can learn more about the code by reading the script; the code is (well?) documented.
Monkey-patching your existing scripts
If you have some scripts that are already using the ssdeep Python library, you can probably monkey-patch them by replacing the import with:

```python
try:
    from os import name
    if name == "nt":
        # On Windows, expose the ssdeep.exe wrapper under the same name as the Linux library
        from ssftw import SSFTW
        ssdeep = SSFTW()
    else:
        import ssdeep
except ImportError:
    pass
```

Please remember that only the compare functions will work.
Right now, only the following operations are supported:
- Computing ssdeep hash from a file.
- Computing ssdeep hash from a string.
- Comparing two ssdeep hashes.
Also, please note that the script directly parses the output produced by the ssdeep executable, so it could very well stop working in the future. The wrapper is merely a dirty hack around the original ssdeep.exe on your system. (Use it at your own risk)
However, the wrapper works as expected, at least on the setup listed above.
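To show what "run the executable and parse its output" looks like in practice, here is an added example of the same approach (my own illustration, not the code from the SSDEEP-FTW repo). It assumes ssdeep 2.13's command-line output formats as I know them (the "ssdeep,1.1--blocksize:hash:hash,filename" header followed by CSV rows, and "X matches Y (score)" lines from signature-file comparison with -x and -a), a hypothetical SSDEEP_PATH, and Python 3. Two details matter for anyone wrapping an external tool over untrusted files: arguments are passed as a list (never a shell string, so a crafted file name cannot reach a shell), and the header line is checked before parsing, so the format change the post warns about fails loudly rather than returning garbage. The sample output at the bottom is constructed, not captured from a real run, so the parsers can be exercised without the executable.

```python
import csv
import os
import re
import subprocess
import tempfile

# Assumed location of the binary; adjust for your system (hypothetical path).
SSDEEP_PATH = r"C:\Tools\ssdeep-2.13\ssdeep.exe"

# Output formats assumed from the ssdeep 2.13 command-line tool:
#   hashing:       header line below, then CSV rows of  <hash>,"<filename>"
#   matching (-x): "<sigfile>:<name> matches <sigfile>:<name> (<score>)"
HEADER_LINE = "ssdeep,1.1--blocksize:hash:hash,filename"
HASH_RE = re.compile(r"^\d+:[A-Za-z0-9+/]*:[A-Za-z0-9+/]*$")
MATCH_RE = re.compile(r"^(?P<left>.+?) matches (?P<right>.+?) \((?P<score>\d+)\)$")


def run_ssdeep(args):
    """Run ssdeep.exe with an argument list (never a shell string, so an untrusted
    file name can never be interpreted by a shell) and return its stdout."""
    proc = subprocess.run([SSDEEP_PATH] + list(args),
                          capture_output=True, text=True, check=True)
    return proc.stdout


def parse_hash_output(output):
    """Parse `ssdeep <files>` output into {filename: hash}.  The header line is
    checked first, so a format change in a future release fails loudly."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    if not lines or lines[0] != HEADER_LINE:
        raise ValueError("unexpected ssdeep header: %r" % lines[:1])
    result = {}
    for row in csv.reader(lines[1:]):
        if len(row) != 2 or not HASH_RE.match(row[0]):
            raise ValueError("unexpected ssdeep row: %r" % (row,))
        result[row[1]] = row[0]
    return result


def parse_match_output(output):
    """Parse match lines into a list of (left, right, score) tuples."""
    matches = []
    for ln in output.splitlines():
        m = MATCH_RE.match(ln.strip())
        if m:
            matches.append((m.group("left"), m.group("right"), int(m.group("score"))))
    return matches


def hash_file(path):
    """Hash one file; ssdeep prints exactly one CSV row for it."""
    hashes = parse_hash_output(run_ssdeep([path]))
    if len(hashes) != 1:
        raise ValueError("expected one hash row, got %d" % len(hashes))
    return next(iter(hashes.values()))


def hash_string(data):
    """ssdeep.exe only hashes files, so spool the bytes to a temp file first."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as f:
        f.write(data)
        path = f.name
    try:
        return hash_file(path)
    finally:
        os.unlink(path)


def compare(hash_a, hash_b):
    """Score two hashes (0-100) by writing each into a one-entry signature file
    and letting ssdeep compare the signature files (-x).  -a makes it report a
    score of 0 as well, so an empty result is never mistaken for an error."""
    for h in (hash_a, hash_b):
        if not HASH_RE.match(h):
            raise ValueError("not an ssdeep hash: %r" % (h,))
    paths = []
    try:
        for label, h in (("a", hash_a), ("b", hash_b)):
            with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
                f.write('%s\n%s,"%s"\n' % (HEADER_LINE, h, label))
                paths.append(f.name)
        matches = parse_match_output(run_ssdeep(["-a", "-x"] + paths))
        return matches[0][2] if matches else 0
    finally:
        for p in paths:
            os.unlink(p)


# Constructed sample output (not captured from a real run) to exercise the parsers.
SAMPLE_HASH_OUTPUT = (
    HEADER_LINE + "\n"
    '3:AXGBicFlgVNhBGcL6wCrFQEv:AXGHsNhxLsr2C,"C:\\samples\\a.bin"\n'
)
SAMPLE_MATCH_OUTPUT = "sig_b.txt:b matches sig_a.txt:a (97)\n"
```

With a real ssdeep.exe at SSDEEP_PATH, hash_file(r"C:\samples\a.bin"), hash_string(b"...") and compare(h1, h2) give the three operations the post lists; parse_hash_output(SAMPLE_HASH_OUTPUT) and parse_match_output(SAMPLE_MATCH_OUTPUT) show the parsing on their own. The strict header comparison is deliberate: if a newer ssdeep changes its header or CSV layout, you want an exception in your pipeline rather than silently empty or wrong hashes.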