Right now we calculate our own imphash which differs from the one generated by pefile or YARA.
The difference is in how we handle imports by ordinals. We just convert the ordinal to the number and append it to the hashed bytes, but both pefile and YARA create the string `ord<ordinal>` [1]. On top of that, imports by ordinals from `WS2_32`, `wsock2` and `oleaut32` are translated into their names using lookup tables [2].
We should generate our `imphash` the same way as they do.
[1] https://github.com/VirusTotal/yara/blob/master/libyara/modules/pe_utils.c#L1926
[2] https://github.com/VirusTotal/yara/blob/master/libyara/modules/pe_utils.c#L357
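
The ordinal handling requested above, as an added Python sketch (not code from this project, pefile or YARA). The lookup tables are a small excerpt of well-known ordinals, and the remaining normalisation (lowercasing, dropping a `dll`/`ocx`/`sys` extension, comma-joining, MD5) follows the usual imphash definition and is assumed here rather than taken from the issue.

```python
import hashlib

# Partial excerpt of ordinal-to-name tables (assumption: a few well-known
# entries only; the tables used by pefile and YARA are far larger).
ORD_NAMES = {
    "ws2_32": {1: "accept", 2: "bind", 3: "closesocket", 4: "connect",
               115: "WSAStartup", 116: "WSACleanup"},
    "oleaut32": {2: "SysAllocString", 6: "SysFreeString"},
}
STRIPPED_EXTS = {"dll", "ocx", "sys"}


def import_string(dll, name=None, ordinal=None):
    """Return the 'lib.func' token that one import contributes to the hash."""
    lib = dll.lower()
    stem, _, ext = lib.rpartition(".")
    if stem and ext in STRIPPED_EXTS:
        lib = stem
    if name is None:
        # Import by ordinal: use the table name if known, else ord<ordinal>.
        name = ORD_NAMES.get(lib, {}).get(ordinal, f"ord{ordinal}")
    return f"{lib}.{name.lower()}"


def imphash(imports):
    """imports: iterable of (dll, name_or_None, ordinal_or_None), table order."""
    joined = ",".join(import_string(*imp) for imp in imports)
    return hashlib.md5(joined.encode()).hexdigest()


# Constructed sample: the same import table, once by ordinal and once by name.
BY_ORDINAL = [("KERNEL32.dll", "ExitProcess", None),
              ("WS2_32.dll", None, 115),
              ("custom.dll", None, 7)]
BY_NAME = [("kernel32.dll", "ExitProcess", None),
           ("ws2_32.dll", "WSAStartup", None),
           ("custom.dll", "ord7", None)]

if __name__ == "__main__":
    for imp in BY_ORDINAL:
        print(import_string(*imp))
    print(imphash(BY_ORDINAL), imphash(BY_NAME))
```

With the table lookup in place, a sample that imports `WSAStartup` by ordinal 115 hashes identically to one that imports it by name, which is what keeps the value comparable with hashes produced by other tools.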