Imphash differs from standardized imphash for PE binaries with delayed imports #287

Closed
metthal opened this issue Apr 30, 2018 · 2 comments

metthal commented Apr 30, 2018

Currently, we calculate imphash also from delayed imports, but if we want to use our imphashes, for example, in YARA, or any other place which uses standardized imphash, we should not consider delayed imports into imphash.

I propose keeping delayed imports in the import table as we do now, but without them being taken into account when calculating imphash. This will probably require some flag to be added for each import (it doesn't necessarily need to be a flag called `delayed` but rather something in terms of `excludeFromImphash`).
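
The proposal above as an added sketch in Python, not code from this project or from the original post: each import carries a hypothetical `exclude_from_imphash` flag (set for delayed imports) that the hash input skips while the import table itself stays complete. The `Import` class, the function names and the sample imports are constructed for illustration; ordinal imports are rendered as `ordN` without the ordinal-to-name tables that reference implementations apply to some DLLs.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Import:
    library: str
    name: Optional[str] = None          # None for ordinal-only imports
    ordinal: Optional[int] = None
    exclude_from_imphash: bool = False  # hypothetical flag, set for delayed imports


_STRIPPED_EXTS = ("dll", "ocx", "sys")


def imphash_input(imports: List[Import], honor_exclusions: bool = True) -> str:
    """Build the comma-joined 'library.function' string that gets hashed."""
    entries = []
    for imp in imports:
        if honor_exclusions and imp.exclude_from_imphash:
            continue  # still listed in the import table, just not hashed
        lib = imp.library.lower()
        stem, dot, ext = lib.rpartition(".")
        if dot and ext in _STRIPPED_EXTS:
            lib = stem
        func = imp.name.lower() if imp.name else f"ord{imp.ordinal}"
        entries.append(f"{lib}.{func}")
    return ",".join(entries)  # table order is preserved; it affects the hash


def imphash(imports: List[Import], honor_exclusions: bool = True) -> str:
    data = imphash_input(imports, honor_exclusions).encode("ascii")
    return hashlib.md5(data).hexdigest()  # MD5 is part of the imphash definition


# Constructed sample: three regular imports and one delayed import.
SAMPLE = [
    Import("KERNEL32.dll", "CreateFileW"),
    Import("KERNEL32.dll", "CloseHandle"),
    Import("custom.ocx", ordinal=7),
    Import("USER32.dll", "MessageBoxW", exclude_from_imphash=True),
]

if __name__ == "__main__":
    print("regular imports only:", imphash(SAMPLE))
    print("with delayed imports:", imphash(SAMPLE, honor_exclusions=False))
```

The two printed values differ, which is the mismatch the issue describes: a rule or lookup keyed on the first value will not match a hash computed the second way.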


metthal commented May 2, 2018

According to the discussion we had about this issue, it would also be nice to have this information presented in fileinfo as an attribute in the import table.

metthal self-assigned this May 14, 2018
metthal added a commit that referenced this issue May 15, 2018
…lating

imphash (#287)

Calculation of imphash is also postponed until all imports are loaded.
This is related to #285.

metthal commented May 15, 2018

Fixed in 7523e07 and 582f8cc
