Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Export Hash Method (exphash) #1795

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add Export Hash Method (exphash) #1795

wants to merge 2 commits into from

Conversation

LloydLabs
Copy link

Much like an imphash, an exphash is simply a MD5 hash of the exports defined in the Export Address Table. This is helpful for comparing PE files which export functions, which can then be compared to others. Found this useful when hunting for DLLs used in DLL-hijacking etc.

If no exports are found, YR_UNDEFINED simply returned.

import "pe"

rule test_exphash
{
	condition:
		pe.is_dll() and pe.exphash() == "a52adfc0598657d621ede8248dd0ea80"
}

@google-cla
Copy link

google-cla bot commented Sep 21, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@LloydLabs LloydLabs changed the title Export Hash (exphash) Add Export Hash Method (exphash) Sep 21, 2022
@LloydLabs
Copy link
Author

Just a quick note on AppVeyor; for some reason, the unit tests aren't passing for Windows. In my tests on *nix, they passed fine. Not sure what's going on, cc @wxsBSD or @plusvic might know?

@ostracon
Copy link

Minor update and all tests are passing.

@hillu
Copy link
Contributor

hillu commented Jan 10, 2023

The function description should read "Generate a hash of the imports".

yr_get_integer() and yr_get_string() may return YR_UNDEFINED or
NULL, respectively. It would make sense to add checks for those
unlikely values, bailing out of the function.

LGTM, otherwise.

@LloydLabs
Copy link
Author

LloydLabs commented Feb 23, 2023
edited
Loading

The function description should read "Generate a hash of the imports".

yr_get_integer() and yr_get_string() may return YR_UNDEFINED or NULL, respectively. It would make sense to add checks for those unlikely values, bailing out of the function.

LGTM, otherwise.

Thanks! This is how the imphash implementation works too, I'll keep it like this for now unless a reviewer wants to change it.

This function is also now present in the pefile library.

@N0fix
Copy link

N0fix commented Jul 6, 2023
edited
Loading

Much like an imphash, an exphash is simply a MD5 hash of the exports defined in the Export Address Table.

As described in this blog post (from which someone links this PR) and in your implementation in pefile, exphash is calculated using SHA256. Is there a reason why md5 would be used in Yara over SHA256?
Having two different ways of calculating exphash looks like a bad idea to me.

@N0fix N0fix mentioned this pull request Jul 7, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ostracon ostracon ostracon approved these changes

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@LloydLabs @ostracon @hillu @N0fix @ostraconify