Skip to content

Add Export Hash Method (exphash)#1795

Open
LloydLabs wants to merge 2 commits intoVirusTotal:masterfrom
LloydLabs:exphash
Open

Add Export Hash Method (exphash)#1795
LloydLabs wants to merge 2 commits intoVirusTotal:masterfrom
LloydLabs:exphash

Conversation

@LloydLabs
Copy link
Copy Markdown

@LloydLabs LloydLabs commented Sep 21, 2022

Much like an imphash, an exphash is simply a MD5 hash of the exports defined in the Export Address Table. This is helpful for comparing PE files which export functions, which can then be compared to others. Found this useful when hunting for DLLs used in DLL-hijacking etc.

If no exports are found, YR_UNDEFINED simply returned.

import "pe"

rule test_exphash
{
	condition:
		pe.is_dll() and pe.exphash() == "a52adfc0598657d621ede8248dd0ea80"
}

@google-cla
Copy link
Copy Markdown

google-cla bot commented Sep 21, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@LloydLabs LloydLabs changed the title Export Hash (exphash) Add Export Hash Method (exphash) Sep 21, 2022
@LloydLabs
Copy link
Copy Markdown
Author

LloydLabs commented Sep 25, 2022

Just a quick note on AppVeyor; for some reason, the unit tests aren't passing for Windows. In my tests on *nix, they passed fine. Not sure what's going on, cc @wxsBSD or @plusvic might know?

@ostracon
Copy link
Copy Markdown

ostracon commented Sep 28, 2022

Minor update and all tests are passing.

@hillu
Copy link
Copy Markdown
Contributor

hillu commented Jan 10, 2023

The function description should read "Generate a hash of the imports".

yr_get_integer() and yr_get_string() may return YR_UNDEFINED or
NULL, respectively. It would make sense to add checks for those
unlikely values, bailing out of the function.

LGTM, otherwise.

@LloydLabs
Copy link
Copy Markdown
Author

LloydLabs commented Feb 23, 2023
edited
Loading

The function description should read "Generate a hash of the imports".

yr_get_integer() and yr_get_string() may return YR_UNDEFINED or NULL, respectively. It would make sense to add checks for those unlikely values, bailing out of the function.

LGTM, otherwise.

Thanks! This is how the imphash implementation works too, I'll keep it like this for now unless a reviewer wants to change it.

This function is also now present in the pefile library.

@N0fix
Copy link
Copy Markdown

N0fix commented Jul 6, 2023
edited
Loading

Much like an imphash, an exphash is simply a MD5 hash of the exports defined in the Export Address Table.

As described in this blog post (from which someone links this PR) and in your implementation in pefile, exphash is calculated using SHA256. Is there a reason why md5 would be used in Yara over SHA256?
Having two different ways of calculating exphash looks like a bad idea to me.

@N0fix N0fix mentioned this pull request Jul 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ostracon ostracon ostracon approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@LloydLabs @ostracon @hillu @N0fix @ostraconify