Open merces opened 8 years ago
I encourage this too. Moreover, ordinals are widely used in the form dll.@6.
But I suppose that pefile could not change the behaviour, as it would break compatibility.
Also, I wonder why imphash does not sort the imports before hashing them with MD5, because a slight reordering of functions produces a definitely different result, e.g.
kernel32.rtlmovememory,kernel32.getmailslotinfo
vs kernel32.getmailslotinfo,kernel32.rtlmovememory.
Hi,
Having a database to resolve ordinal imports is nice, but if you consider this when calculating imphash, other software should use the same database in order to match imphashes correctly. Another problem is the "ord" string concatenated with the ordinal number. Other software would have to respect that in order to get the same hash result.
That's the way pefile is currently working with imphash if I understood it correctly:
Given a file import data ready to be sent for MD5 calculation to get imphash result:
ws2_32.getsockname,kernel32.rtlmovememory,kernel32.getmailslotinfo,msvbvm60.ord585,msvbvm60.ord586
The file imports the 6th function from WS2_32.DLL and the 585th and 586th functions from MSVBVM60.DLL. Thanks to the ordlookup database, the 6th function from WS2_32.DLL was resolved to getsockname(). On the other hand, the 585th function from MSVBVM60.DLL is not in the database, so the string "ord" + 585 is used. The same goes for function 586.
For interoperability reasons, I suggest changing the imphash behaviour to ignore the ordlookup database and not to add this "ord" string to ordinal functions, so the result would be:
ws2_32.6,kernel32.rtlmovememory,kernel32.getmailslotinfo,msvbvm60.585,msvbvm60.586
Function names cannot start with numbers, so we don't need to be afraid of conflicts. ;)
I know some systems are already using imphash and this change would probably impact them, but actually if more modules are added to the ordlookup database (or if anything changes there), it will currently break imphash anyway, so I think you should consider fixing this problem as soon as possible. If you agree, I'll be happy to send the patch.
Thanks for your attention!
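To make the two points raised in this thread concrete (the ordlookup/"ord" dependency and the sensitivity to import order), here is an added example that is not pefile's own code: it rebuilds the comma-joined string that is MD5-hashed into an imphash, once the way pefile currently does it and once the way proposed above. The `ORDLOOKUP` table is a constructed stand-in containing only the one resolution the issue mentions (WS2_32 ordinal 6 is getsockname); the import list is constructed to match the example in the issue.

```python
import hashlib

# Constructed stand-in for pefile's ordlookup database. The issue states that
# ordinal 6 of WS2_32.DLL resolves to getsockname; nothing else is assumed.
ORDLOOKUP = {"ws2_32": {6: "getsockname"}}


def _dll_base(dll):
    """Lower-case module name without its extension (WS2_32.DLL -> ws2_32)."""
    name = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if name.endswith(ext):
            return name[: -len(ext)]
    return name


def import_string(imports, resolve_ordinals=True, sort=False):
    """Build the string whose MD5 is the imphash.

    imports: list of (dll, name_or_None, ordinal_or_None) as read from the
    import directory. resolve_ordinals=True mimics the current behaviour
    (ordlookup, then "ord" + number); False is the behaviour proposed in the
    issue (bare ordinal). sort=True shows the order-independent variant the
    second comment asks about.
    """
    parts = []
    for dll, name, ordinal in imports:
        base = _dll_base(dll)
        if name is not None:
            func = name.lower()
        elif resolve_ordinals:
            func = ORDLOOKUP.get(base, {}).get(ordinal, "ord%d" % ordinal)
        else:
            func = str(ordinal)
        parts.append("%s.%s" % (base, func))
    if sort:
        parts.sort()
    return ",".join(parts)


def imphash(imports, **kwargs):
    """MD5 hex digest of the import string, i.e. the imphash itself."""
    return hashlib.md5(import_string(imports, **kwargs).encode()).hexdigest()


# Constructed import table matching the example given in the issue.
SAMPLE = [
    ("WS2_32.DLL", None, 6),
    ("KERNEL32.DLL", "RtlMoveMemory", None),
    ("KERNEL32.DLL", "GetMailSlotInfo", None),
    ("MSVBVM60.DLL", None, 585),
    ("MSVBVM60.DLL", None, 586),
]
```

Swapping the two kernel32 entries in `SAMPLE` changes `imphash(SAMPLE)` but not `imphash(SAMPLE, sort=True)`, which is the reordering problem the second comment describes.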