Add Export Hash Method (exphash)
Much like an imphash, an exphash is simply an MD5 hash of the exports defined in the Export Address Table. This is helpful for comparing PE files which export functions, which can then be compared to others. Found this useful when hunting for DLLs used in DLL-hijacking etc.
If no exports are found, YR_UNDEFINED is simply returned.
import "pe"

rule test_exphash
{
    condition:
        pe.is_dll() and pe.exphash() == "a52adfc0598657d621ede8248dd0ea80"
}
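A worked example of the idea behind the PR, added here and not code from this PR, from YARA or from pefile: it parses an IMAGE_EXPORT_DIRECTORY out of a flat in-memory image, collects the exported names in name-table order, and hashes them. Two things are assumptions rather than facts from this thread: the normalization (names lowercased and comma-joined, modelled on the imphash convention; YARA's exact byte layout is not stated here, so values from this script will not necessarily equal `pe.exphash()`), and the `build_export_image` fixture, which is a constructed test image, not a loadable PE. The hash algorithm is a parameter because the thread questions MD5 versus SHA-256, and every table read is bounds-checked so a malformed export directory raises instead of reading past the buffer.

```python
import hashlib
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp,
# MajorVersion, MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)
MAX_NAME_LEN = 256


def _read_cstring(image, rva):
    """Read a NUL-terminated export name at an RVA; refuse unterminated ones."""
    end = image.find(b"\x00", rva, rva + MAX_NAME_LEN)
    if end == -1:
        raise ValueError("unterminated export name at 0x%x" % rva)
    return image[rva:end]


def export_names(image, export_dir_rva):
    """Return exported names, in name-table order, from a flat image.

    The caller locates export_dir_rva via the optional header's data directory;
    RVAs are treated as offsets into `image`, as in a mapped PE. Each table
    read is bounds-checked so a malformed directory raises ValueError.
    """
    if export_dir_rva + EXPORT_DIR_SIZE > len(image):
        raise ValueError("export directory outside image")
    fields = struct.unpack_from(EXPORT_DIR_FMT, image, export_dir_rva)
    number_of_names, address_of_names = fields[7], fields[9]
    if address_of_names + 4 * number_of_names > len(image):
        raise ValueError("name pointer table outside image")
    names = []
    for i in range(number_of_names):
        (name_rva,) = struct.unpack_from("<I", image, address_of_names + 4 * i)
        if name_rva >= len(image):
            raise ValueError("export name pointer outside image")
        names.append(_read_cstring(image, name_rva).decode("latin-1"))
    return names


def exphash(names, algorithm="md5"):
    """Hash the export names; None (YARA's YR_UNDEFINED) when there are none.

    Assumption (modelled on imphash, not taken from YARA's source): names are
    lowercased and comma-joined before hashing. `algorithm` is exposed because
    the review thread questions MD5 versus SHA-256.
    """
    if not names:
        return None
    joined = ",".join(name.lower() for name in names).encode("latin-1")
    return hashlib.new(algorithm, joined).hexdigest()


def build_export_image(dll_name, names, base_rva=0x1000):
    """Constructed fixture: a flat image holding only an export directory.

    Layout: [base_rva zero bytes][directory][function table][name pointer
    table][ordinal table][NUL-terminated strings]. Not a loadable PE.
    """
    n = len(names)
    funcs_rva = base_rva + EXPORT_DIR_SIZE
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n

    strings = bytearray(dll_name.encode("latin-1") + b"\x00")
    name_rvas = []
    for name in names:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode("latin-1") + b"\x00"

    directory = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, strings_rva, 1, n, n,
                            funcs_rva, names_rva, ords_rva)
    funcs = b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))
    name_table = b"".join(struct.pack("<I", rva) for rva in name_rvas)
    ordinals = b"".join(struct.pack("<H", i) for i in range(n))
    return bytes(base_rva) + directory + funcs + name_table + ordinals + bytes(strings)


if __name__ == "__main__":
    # Constructed sample: a fake DLL exporting three functions.
    image = build_export_image("example.dll", ["DllMain", "HelperInit", "HelperRun"])
    names = export_names(image, 0x1000)
    print(names)
    print("md5   ", exphash(names))
    print("sha256", exphash(names, "sha256"))
```

Because the hash covers the names in table order, two DLLs that export the same set of names in a different order get different values, which is worth knowing before using it to cluster samples; and because `exphash([])` returns None rather than a hash of the empty string, a rule comparing against a fixed value simply fails to match on a binary without exports, mirroring the YR_UNDEFINED behaviour described above.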
Just a quick note on AppVeyor; for some reason, the unit tests aren't passing for Windows. In my tests on *nix, they passed fine. Not sure what's going on, cc @wxsBSD or @plusvic might know?
Minor update and all tests are passing.
The function description should read "Generate a hash of the imports".
yr_get_integer() and yr_get_string() may return YR_UNDEFINED or
NULL, respectively. It would make sense to add checks for those
unlikely values, bailing out of the function.
LGTM, otherwise.
Thanks! This is how the imphash implementation works too, I'll keep it like this for now unless a reviewer wants to change it.
This function is also now present in the pefile library.
Much like an imphash, an exphash is simply an MD5 hash of the exports defined in the Export Address Table.
As described in this blog post (from which someone links this PR) and in your implementation in pefile, exphash is calculated using SHA256. Is there a reason why md5 would be used in Yara over SHA256? Having two different ways of calculating exphash looks like a bad idea to me.