VirusTotal / yara

The pattern matching swiss knife
https://virustotal.github.io/yara/
BSD 3-Clause "New" or "Revised" License

pehash function integration in pe module #216

Open hxnoyd opened 9 years ago

hxnoyd commented 9 years ago

This is an enhancement request. Is it possible to compute pehash via pe module in the same way imphash is? Viper's implementation seems pretty solid and is already used by totalhash: https://github.com/botherder/viper/blob/master/modules/pehash/pehasher.py Thanks in advance.

wxsBSD commented 9 years ago

It's the other way around, totalhash published it first. And yes, I suspect this can be done. I can probably do it after I finish my current batch of changes.

hxnoyd commented 9 years ago

Thanks for the correction Wesley. Looking forward to trying pehash Yara rules.

wxsBSD commented 9 years ago

I've got this mostly done. Just need to put it through some more tests.

hxnoyd commented 9 years ago

Thanks for the feedback!

wxsBSD commented 9 years ago

I have to hold off on publishing this work, because it turns out that both the Viper and totalhash implementations are wrong, with respect to the paper, which means I have nothing to test against. I'm working with the author of the paper to ensure my implementation is accurate before I commit it.

If you want details of why they are wrong please see https://gist.github.com/wxsBSD/07a5709fdcb59d346e9e.

plusvic commented 9 years ago

Interesting. The downside is that we'll end up having different implementations, and that will be very confusing for people already familiar with totalhash/Viper's one. It's a shame they didn't get it right from the beginning.

wxsBSD commented 9 years ago

Agreed. Once I have an implementation that is accurate to the paper and produces "correct" results according to the author of the paper I will commit it and also fix both Python implementations. I'm not sure when that will be though.