VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

imphash edge case #1973

Closed syyoo84 closed 9 months ago

syyoo84 commented 11 months ago

Describe the bug
An edge case was discovered in the imphash calculation.
https://www.virustotal.com/gui/file/931d78c733c6287cec991659ed16513862bfc6f5e42b74a8a82e4fa6c8a3fe06/details
pefile.get_imphash and yara imphash are different.
pefile.get_imphash: de0e9a1c5146d0ccdbd2c591204b3397
yara imphash: bec78aac070fc1368d936b79b3b1bfbd
The reason for this is that "-" was not checked in the valid_function_name function.

/* Returns 1 if every character of an imported function name is in the
   accepted set, 0 otherwise; a rejected name does not contribute to the
   imphash. Note that '-' is not in the accepted set. */
static int valid_function_name(char* name)
{
  if (!strcmp(name, ""))
    return 0;

  size_t i = 0;
  for (char c = name[i]; c != '\x00'; c = name[++i])
  {
    /* letters, digits and . _ ? @ $ ( ) < > only; '-' is missing here */
    if (!(c >= 'a' && c <= 'z') && !(c >= 'A' && c <= 'Z') &&
        !(c >= '0' && c <= '9') && c != '.' && c != '_' && c != '?' &&
        c != '@' && c != '$' && c != '(' && c != ')' && c != '<' && c != '>')
      return 0;
  }
  return 1;
}

syyoo84 commented 11 months ago

Another case: the function name of the IAT cannot be retrieved in the imphash calculation.
pefile.get_imphash: 4b316cfc18098761f4620e44d04c4d9f
yara imphash: d41d8cd98f00b204e9800998ecf8427e
https://www.virustotal.com/gui/file/db6a9934570fa98a93a979e7e0e218e0c9710e5a787b18c6948f2eedd9338984/details

dzzie commented 10 months ago

MD5 ("") = d41d8cd98f00b204e9800998ecf8427e

I ran into this before as well, maybe imphash should return undefined for this case?

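The two cases in this thread (a function name containing "-" being dropped by valid_function_name, and an unreadable import table hashing to MD5 of the empty string) both come down to what goes into the string that gets hashed. The example below is added here as an illustration; it is not YARA's or pefile's code and does not parse a PE file. The import table is constructed, and "Helper-1" stands in for the dash-containing export, not a real name from either sample. It assumes the pefile-style construction rules (lowercase, strip .dll/.ocx/.sys, "dll.func" joined by ","), the plain "ord%d" fallback for ordinals (the per-DLL ordinal name tables are left out), and that a name rejected by valid_function_name is skipped rather than aborting the hash, which is what the hashes in the first comment indicate. imphash_or_none implements dzzie's suggestion of returning undefined when nothing was hashed.

```python
"""Constructed imphash example for this issue (not YARA's or pefile's own code)."""
import hashlib
import re
from typing import Iterable, List, Optional, Tuple, Union

# (dll name as it appears in the import directory, list of names or ordinals)
ImportEntry = Tuple[str, List[Union[str, int]]]

# Same accepted set as the C valid_function_name() quoted above:
# letters, digits and . _ ? @ $ ( ) < >.  '-' is deliberately absent, to
# reproduce the reported behaviour.
_VALID_FUNC = re.compile(r"[A-Za-z0-9._?@$()<>]+")


def valid_function_name(name: str) -> bool:
    """Python port of the C check: empty names and names with any other character fail."""
    return bool(name) and _VALID_FUNC.fullmatch(name) is not None


def _normalise_dll(dll: str) -> str:
    """Lowercase the DLL name and drop a trailing .dll/.ocx/.sys (pefile-style rule, assumed)."""
    lib = dll.lower()
    stem, dot, ext = lib.rpartition(".")
    if dot and ext in ("dll", "ocx", "sys"):
        lib = stem
    return lib


def imphash_input(imports: Iterable[ImportEntry], *, filter_names: bool) -> str:
    """Build the comma-joined "dll.func" string that is hashed.

    filter_names=False keeps every import (pefile behaviour as observed here).
    filter_names=True skips names rejected by valid_function_name(), which is
    the YARA behaviour the first comment reports.
    """
    parts = []
    for dll, funcs in imports:
        lib = _normalise_dll(dll)
        for f in funcs:
            if isinstance(f, int):
                name = "ord%d" % f  # assumption: no ordinal-to-name table
            else:
                if filter_names and not valid_function_name(f):
                    continue  # this is where the '-' sample diverges
                name = f
            parts.append("%s.%s" % (lib, name.lower()))
    return ",".join(parts)


def imphash(imports: Iterable[ImportEntry], *, filter_names: bool = False) -> str:
    """MD5 of the import string; an empty import table yields MD5("")."""
    data = imphash_input(imports, filter_names=filter_names)
    return hashlib.md5(data.encode()).hexdigest()


EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"  # hashlib.md5(b"").hexdigest()


def imphash_or_none(imports: Iterable[ImportEntry], *, filter_names: bool = False) -> Optional[str]:
    """Variant following the suggestion in this thread: return None (undefined)
    when nothing was hashed, so MD5("") never shows up as a real imphash."""
    data = imphash_input(imports, filter_names=filter_names)
    if not data:
        return None
    return hashlib.md5(data.encode()).hexdigest()


# Constructed import tables (not taken from the linked samples).
SAMPLE_WITH_DASH: List[ImportEntry] = [
    ("KERNEL32.dll", ["GetProcAddress", "LoadLibraryA"]),
    ("custom.dll", ["Helper-1", "Init"]),  # "Helper-1" fails valid_function_name()
]
SAMPLE_NO_IAT: List[ImportEntry] = []  # import table could not be read


if __name__ == "__main__":
    print("pefile-style:", imphash(SAMPLE_WITH_DASH))
    print("yara-style:  ", imphash(SAMPLE_WITH_DASH, filter_names=True))
    print("no IAT:      ", imphash(SAMPLE_NO_IAT), "->", imphash_or_none(SAMPLE_NO_IAT))
```

Comparing the two imphash_input strings for the same table shows exactly which import was silently dropped, which is the quickest way to triage any pefile/YARA mismatch before suspecting the parser; and checking a stored imphash against EMPTY_MD5 (or using imphash_or_none) prevents every file with an unreadable import table from clustering together under one "hash".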
syyoo84 commented 9 months ago

Thank you for your support.