mgreen27
commented
2 years ago Interestingly, this sample appears to calculate the correct imphash
print(pe.get_imphash()) 8eeaa9499666119d13b3f44ecd77a729
Velociraptor "ImpHash":"8eeaa9499666119d13b3f44ecd77a729"
There appears to be an issue on Velociraptor imphash calculation.
https://www.virustotal.com/gui/file/dce18e2279073ba64a6f35d17120fdca9a4902faef0c99cd96a5d673209e132f/details pefile appears to match VT >>> print(pe.get_imphash()) f4c7486a1887e90d55d1bdfcb415fce1
Velociraptor go-pe: https://github.com/Velocidex/go-pe/blob/master/api.go#L158 "ImpHash":"43543f55093477daeca13874247d8071
The goal is to match pefile: https://github.com/erocarrera/pefile/blob/master/pefile.py#L5338