Compute SSDEEP hashes using Python (for Windows)

TL;DR: I wrote a dirty wrapper for SSDEEP to compute/compare fuzzy hashes on Windows. Repo here and example code here.

Introduction

SSDEEP, I believe, is an essential tool for many researchers, malware analysts, reverse engineers, etc. Recently, a friend of mine asked how to compute/compare ssdeep hashes on Windows programmatically. Since I had used SSDEEP in the past for a few projects, I pointed him towards ssdeep and pydeep. I have used these Python libs on Linux many times, and I was pretty sure they would work just fine on Windows too (guess what, I was very wrong).

I tried compiling it myself, but nada. I couldn't find an existing solution that helped, and I didn't want to install Cygwin, etc. just for this work. So I set out to write a mini wrapper for SSDEEP on Windows.

My main goal was to provide an interface similar to the one provided by the ssdeep library for Python on Linux. I also wanted to limit (ideally to zero) the number of external libs needed.

SSDEEP-FTW

* Drum rolls *

I present to you - SSDEEP-FTW (SSDEEP - For the Windows). The project is not a Python implementation of ssdeep, but rather a mini wrapper that runs commands and parses their output, using the original ssdeep executable on your system.

The project is licensed under The Beer-Ware License. 1

Prerequisites:

The code has been tested on the following setup:

  • Operating System: Windows 7
  • Python 2.7
  • ssdeep 2.13

No external Python libraries are required.

Setting up:

Setting up is pretty easy:

  1. Clone the project from Github repo.
  2. Download ssdeep 2.13 from here.
  3. Unzip the ssdeep 2.13 and remember the path.
  4. Open the ssftw.py file, edit the SSDEEP_PATH variable and replace its value with the path to ssdeep.exe on your system.

As of now I haven't prepared a Python package for it, but I plan to do so soon. Therefore, right now there are two ways to use the wrapper script:

  • Keep the ssftw.py file in the same directory as your project.
  • Copy ssftw.py to the Lib folder of your Python installation, generally C:\Python27\Lib\. This will allow you to run import ssftw from anywhere on your system.

Now you are ready to use the code.

Usage:

Using the code should be pretty straightforward if you have used the ssdeep Python wrapper on Linux. Even if you haven't, I have created an example script which demonstrates the possible operations. The script is available in the repo as example.py. You can learn more about the code by reading the script; the code is (well?) documented.

Monkey-patching your existing scripts

If you have scripts that already use the ssdeep Python library, you can possibly monkey-patch them by replacing

import ssdeep

with

try:
    from os import name
    if name == "nt":
        # On Windows, use the wrapper object in place of the ssdeep module.
        from ssftw import SSFTW
        ssdeep = SSFTW()
    else:
        import ssdeep
except ImportError:
    # Neither ssftw (Windows) nor ssdeep (Linux) could be imported; fail here
    # rather than with a confusing NameError at the first ssdeep.* call.
    raise

Please remember that only the hash, hash_from_file and compare functions will work.
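To show what "runs commands and parses output" amounts to for hash_from_file and compare, here is an added sketch of such a wrapper. It is example code written for this page, not the project's ssftw.py; the SSDEEP_PATH value is a placeholder, and it assumes the ssdeep 2.13 hashing output format (header line, then '<hash>,"<path>"') and that ssdeep -x on two signature files prints a line ending in "(score)" for matches and nothing otherwise.

```python
import os
import re
import subprocess
import tempfile

# Hypothetical location; point this at ssdeep.exe on your machine (assumption).
SSDEEP_PATH = r"C:\tools\ssdeep-2.13\ssdeep.exe"
SIG_HEADER = "ssdeep,1.1--blocksize:hash:hash,filename"

# '<blocksize>:<hash1>:<hash2>,"<path>"' lines that follow the header line.
_HASH_LINE = re.compile(r'^(\d+:[^:,]*:[^:,]*),"(.*)"$')
# Comparison lines end in "(score)"; the names before "matches" vary by mode.
_MATCH_LINE = re.compile(r' matches .*\((\d{1,3})\)\s*$')

def parse_hash_output(text):
    """Map each listed path to its fuzzy hash, skipping the header line."""
    hashes = {}
    for line in text.splitlines():
        m = _HASH_LINE.match(line.strip())
        if m:
            hashes[m.group(2)] = m.group(1)
    return hashes

def parse_compare_output(text):
    """Return the best similarity score (0..100); 0 when ssdeep printed no match."""
    found = (_MATCH_LINE.search(line) for line in text.splitlines())
    scores = [int(m.group(1)) for m in found if m]
    return max(scores) if scores else 0

def _run(args):
    """Run ssdeep.exe with the given arguments and return its stdout as text."""
    return subprocess.check_output([SSDEEP_PATH] + args).decode("utf-8", "replace")

def hash_from_file(path):
    """Fuzzy hash of one file, taken from the single output line ssdeep prints."""
    return next(iter(parse_hash_output(_run([path])).values()))

def compare(hash1, hash2):
    """Write both hashes as signature files and let ssdeep -x score them."""
    paths = []
    try:
        for h in (hash1, hash2):
            fd, p = tempfile.mkstemp(suffix=".txt")
            os.write(fd, ('%s\n%s,"sig"\n' % (SIG_HEADER, h)).encode())
            os.close(fd)
            paths.append(p)
        return parse_compare_output(_run(["-x"] + paths))
    finally:
        for p in paths:
            os.unlink(p)
```

The two parse_* functions are the part most likely to break when ssdeep changes its output, so they are kept separate from the subprocess calls and can be checked against captured output without the executable.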

Limitations:

Right now, only the following operations are supported:

  • Computing ssdeep hash from a file.
  • Computing ssdeep hash from a string.
  • Comparing two ssdeep hashes.

Also, please note that the script directly parses the output produced by the ssdeep executable, so it could very well stop working in the future. The wrapper is merely a dirty hack around the original ssdeep.exe on your system. (Use it at your own risk.)
However, the wrapper works as expected, at least on the setup listed above.

  1. If mom is reading this,

license.replace("Beer", "Coffee")