VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

vt's imphash and yara's imphash do not match #1993

Closed syyoo84 closed 10 months ago

syyoo84 commented 1 year ago

Describe the bug

vt's imphash and yara's imphash do not match. There seems to be an unknown problem with the way imphash is calculated.

test yara version: YARA v4.4.0-rc1

98a4d17d6dee54f9242c704af627da853d978d6d37738f875d08ea0e7eaca373
https://www.virustotal.com/gui/file/98a4d17d6dee54f9242c704af627da853d978d6d37738f875d08ea0e7eaca373/details
yara -> imphash: f9a7b332d54e235c5fc49d73b127c38b
pefile, vt -> imphash: a4dea6841158221e1f9d51cae1534166

cf39a14a2dc1fe5aa487b6faf19c63bc97103db670fa24c62832895e3002eca2
https://www.virustotal.com/gui/file/cf39a14a2dc1fe5aa487b6faf19c63bc97103db670fa24c62832895e3002eca2/details
yara -> imphash: 45c67b3f38ec23b749bca9863180a0e1
pefile, vt -> imphash: 051f371797f6e597d48d110e8ed68eca


libalidexiaohuli commented 1 year ago

This result is caused by the different import modules extracted by yara and pefile for 98a4d17d6dee54f9242c704af627da853d978d6d37738f875d08ea0e7eaca373.

pefile import module:

oleaut32.dll advapi32.dll user32.dll kernel32.dll kernel32.dll user32.dll gdi32.dll version.dll kernel32.dll advapi32.dll oleaut32.dll ole32.dll kernel32.dll oleaut32.dll comctl32.dll invalid invalid uRL ntdll ntdll

yara import module:

oleaut32.dll advapi32.dll user32.dll kernel32.dll kernel32.dll user32.dll gdi32.dll version.dll kernel32.dll advapi32.dll oleaut32.dll ole32.dll kernel32.dll oleaut32.dll comctl32.dll C:\Windows\System32\ntdll.dll C:\Windows\System32\KernelBase.dll uRL ntdll ntdll

pefile test:

import pefile

# Parse the sample and compute pefile's imphash (what VirusTotal reports).
pe = pefile.PE("98a4d17d6dee54f9242c704af627da853d978d6d37738f875d08ea0e7eaca373")
out = pe.get_imphash()
print("pefile imphash:", out)

# List the library name of every import descriptor; entry.dll is bytes.
for entry in pe.DIRECTORY_ENTRY_IMPORT:
    print(entry.dll.decode("ascii", errors="replace"))

yara test:

import "console"
import "pe"

// Logs the library name of every import descriptor as YARA parsed it.
// console.log() returns true, so "and false" keeps the loop from
// short-circuiting on the first entry; the rule itself never matches.
rule test
{
    condition:
        for any i in (0..pe.number_of_imports-1) : ( console.log(pe.import_details[i].library_name) and false) and false
}
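
To make the mechanism behind the mismatch concrete, here is an added Python example; it is not code from YARA, pefile or anyone in this thread. It implements the imphash recipe both tools follow: lowercase the library name, strip a .dll/.ocx/.sys suffix, emit lib.func for every imported function (ordinals as ordN), join with commas and MD5 the result. The import tables are constructed to mirror the thread's observation that one parser emitted "invalid" where the other emitted a full path; the function names attached to those two entries are assumptions, and the ordinal-to-name lookup pefile applies for a few DLLs is omitted.

```python
import hashlib

# Suffixes the imphash convention strips from a library name before hashing.
_STRIPPED_EXTS = (".dll", ".ocx", ".sys")


def normalize_library(name: str) -> str:
    """Lowercase the import DLL name and strip a .dll/.ocx/.sys suffix.

    Nothing else is normalized: a name such as C:\\Windows\\System32\\ntdll.dll
    keeps its path component, so two parsers that disagree on the raw
    library name will feed different strings into MD5.
    """
    name = name.lower()
    for ext in _STRIPPED_EXTS:
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def imphash_string(imports):
    """Build the comma-joined 'lib.func' list that is hashed.

    imports: list of (library_name, [function_name_or_ordinal, ...]).
    Ordinals become 'ordN' (simplification: pefile first tries to map
    ordinals of a few well-known DLLs back to names).
    """
    parts = []
    for lib, funcs in imports:
        lib = normalize_library(lib)
        for func in funcs:
            func = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{func}")
    return ",".join(parts)


def imphash(imports) -> str:
    """MD5 hex digest of the normalized import string."""
    return hashlib.md5(imphash_string(imports).encode("ascii")).hexdigest()


# Constructed import table shared by both parsers (not taken from the sample).
COMMON = [
    ("KERNEL32.DLL", ["GetProcAddress", "LoadLibraryA"]),
    ("user32.dll", ["MessageBoxA"]),
]

# Constructed tails modelling the two descriptors the thread shows as
# "invalid" (pefile) versus full paths (YARA). Function names are assumed.
PEFILE_TAIL = [("invalid", ["RtlGetVersion"]), ("invalid", [1])]
YARA_TAIL = [
    ("C:\\Windows\\System32\\ntdll.dll", ["RtlGetVersion"]),
    ("C:\\Windows\\System32\\KernelBase.dll", [1]),
]


def thread_comparison():
    """Return (pefile-style hash, yara-style hash) for the constructed tables."""
    return imphash(COMMON + PEFILE_TAIL), imphash(COMMON + YARA_TAIL)


if __name__ == "__main__":
    pefile_style, yara_style = thread_comparison()
    print("pefile-style library names:", imphash_string(COMMON + PEFILE_TAIL))
    print("yara-style library names:  ", imphash_string(COMMON + YARA_TAIL))
    print("pefile-style imphash:", pefile_style)
    print("yara-style imphash:  ", yara_style)
    print("match:", pefile_style == yara_style)
```

The hashes differ only because the two library-name strings differ; the MD5 step adds nothing. When comparing an imphash you computed yourself against one from VirusTotal or `pefile.PE(path).get_imphash()`, dump the normalized string on both sides first: a mismatch in that string points at the parser, not at the hash.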
syyoo84 commented 1 year ago


I think pefile or yara will have to decide on a standard for how to calculate imphash.

plusvic commented 10 months ago

pefile has been changed to mimic YARA's behaviour. More details about the underlying issue in https://github.com/erocarrera/pefile/issues/384.

syyoo84 commented 10 months ago

Thank you for your support!