Closed syyoo84 closed 8 months ago
".drv" in module names is ignored when calculating imphash (".drv" extension was not removed) Please also add the “.drv” extension.
@erocarrera Please review the above and let us know of opinions.
Hello,
Firstly, I apologize for the delayed response.
Regarding your initial message, I've been unable to locate the file with the hash e024a5d1889bdf910297bee82e58c1a530da5683f1221414e0661becd67df5e9
on VT to verify the issue you've mentioned. Nonetheless, based on the Yara commit you've referenced, it appears that Yara's behavior has been modified to align with that of pefile, if I understand correctly.
As for your comment on the .drv extension, I recognize its significance. However, incorporating this extension would necessitate recalculating the imphash values for all files that have referenced a .drv file. This would be imperative for platforms like Virustotal to ensure correct data association. I generally advise against any changes that alter the imphash value, considering the vast number of professionals who rely on it and maintain databases with millions of files for which it has been determined.
e024a5d1889bdf910297bee82e58c1a530da5683f1221414e0661becd67df5e9 For issues related to hash, you need to add the module name check function in iat in pefile. You can refer to the modified code above. I can't upload the sample from vti, so I'll share a picture of the IAT table capture. https://ibb.co/CbsrnQL
I agree with your comment because removing the ".drv" extension requires recalculating the imphash. Thank you so much for your comment.
Thank you for your support!
The imphash of the following hash seems to have been calculated incorrectly.
In that case, the get_imphash() function of the pefile module needs to be modified as follows. Reference: https://github.com/VirusTotal/yara/commit/e94ec7b62165a3424e86b82e044d047827ece752 This is the modified code
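To make the trade-off discussed in this thread concrete, the following is an added, stand-alone example (not pefile's own code, and not the modified code the reporter refers to). It re-implements the imphash recipe as pefile documents it: lower-case the module name, strip an `.ocx`, `.sys` or `.dll` extension, join every import as `module.function` with commas, and MD5 the result. The import table is constructed for the example, and ordinal-only imports fall back to the `ordN` form rather than pefile's `ordlookup` tables. Running it with and without `drv` in the stripped-extension list shows why adding the extension changes the hash of any file that imports from a `.drv` module.

```python
import hashlib

# Extensions that pefile's get_imphash() strips from a module name.
# ".drv" is intentionally absent, matching pefile's current behaviour.
PEFILE_STRIPPED_EXTS = ("ocx", "sys", "dll")


def normalize_module(module_name, stripped_exts=PEFILE_STRIPPED_EXTS):
    """Lower-case a module name and drop its extension if it is in stripped_exts."""
    name = module_name.lower()
    base, sep, ext = name.rpartition(".")
    if sep and ext in stripped_exts:
        return base
    return name


def import_strings(imports, stripped_exts=PEFILE_STRIPPED_EXTS):
    """Build the ordered 'module.function' strings that get hashed.

    imports: list of (module_name, function_name_or_None, ordinal_or_None)
    """
    out = []
    for module, func, ordinal in imports:
        if func is None:
            # Ordinal-only import. pefile first consults its ordlookup tables;
            # this example (an assumption for brevity) always uses the "ordN"
            # form that pefile itself falls back to for unknown ordinals.
            func = "ord%d" % ordinal
        out.append("%s.%s" % (normalize_module(module, stripped_exts), func.lower()))
    return out


def imphash(imports, stripped_exts=PEFILE_STRIPPED_EXTS):
    """MD5 over the comma-joined import strings, as a lower-case hex digest."""
    joined = ",".join(import_strings(imports, stripped_exts))
    return hashlib.md5(joined.encode()).hexdigest()


# Constructed sample import table; it does not come from any real binary.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress", None),
    ("KERNEL32.dll", "LoadLibraryA", None),
    ("WINSPOOL.DRV", "OpenPrinterW", None),
    ("ws2_32.dll", None, 115),  # ordinal-only import, constructed value
]

# Hypothetical alternative list that also strips ".drv".
WITH_DRV_EXTS = PEFILE_STRIPPED_EXTS + ("drv",)


def hashes_differ(imports):
    """True when adding 'drv' to the stripped extensions changes the imphash."""
    return imphash(imports) != imphash(imports, WITH_DRV_EXTS)


if __name__ == "__main__":
    print("pefile default :", import_strings(SAMPLE_IMPORTS))
    print("imphash        :", imphash(SAMPLE_IMPORTS))
    print("with .drv strip:", import_strings(SAMPLE_IMPORTS, WITH_DRV_EXTS))
    print("imphash        :", imphash(SAMPLE_IMPORTS, WITH_DRV_EXTS))
    print("hash changed   :", hashes_differ(SAMPLE_IMPORTS))
```

Any file whose import table references no `.drv` module hashes identically under both lists, which is why the change only bites on the subset of files that import from `.drv` modules; for those, every stored imphash (and every correlation built on it) would silently stop matching.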