QuasarApp/LIEF
4
0
Fork 0
mirror of https://github.com/QuasarApp/LIEF.git synced 2025-05-11 03:09:32 +00:00
Code Issues Projects Releases Wiki Activity

Enhance get_imphash function to compute the same imphash value as pefile

Browse Source 
close
This commit is contained in:
Romain Thomas 2021-01-17 17:54:35 +01:00
parent 6720ed2385
commit 45263af2ce
12 changed files with 791 additions and 61 deletions

40
api/python/PE/pyUtils.cpp

@ -23,15 +23,21 @@ namespace PE {
void init_utils(py::module& m) {
py::enum_<IMPHASH_MODE>(m, "IMPHASH_MODE",
"Enum to define the behavior of :func:`~lief.PE.get_imphash`")
.value("DEFAULT", IMPHASH_MODE::DEFAULT, "Default implementation")
.value("LIEF", IMPHASH_MODE::LIEF, "Same as DEFAULT")
.value("PEFILE", IMPHASH_MODE::PEFILE, "Use pefile algorithm")
.value("VT", IMPHASH_MODE::VT, "Same as PEFILE since Virus Total is using pefile");
m.def("is_pe",
static_cast<bool (*)(const std::string&)>(&is_pe),
"Check if the given file is a ``PE``",
"Check if the given file is a ``PE``",
"file"_a);
m.def("is_pe",
static_cast<bool (*)(const std::vector<uint8_t>&)>(&is_pe),
"Check if the given raw data is a ``PE``",
"Check if the given raw data is a ``PE``",
"raw"_a);
m.def("get_type",
@ -47,19 +53,27 @@ void init_utils(py::module& m) {
m.def("get_imphash",
&get_imphash,
"Compute the hash of imported functions\n\n"
R"delim(
Compute the hash of imported functions
"Properties of the hash generated:\n"
"\t* Order agnostic\n"
"\t* Casse agnostic\n"
"\t* Ordinal (**in some extent**) agnostic\n\n"
Properties of the hash generated:
".. warning::\n\n"
"\tThe algorithm used to compute the *imphash* value has some variations compared to Yara, pefile, VT implementation\n"
* Order agnostic
* Casse agnostic
* Ordinal (**in some extent**) agnostic
*
".. seealso::\n\n"
"\thttps://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html\n",
"binary"_a);
If one needs the same output as Virus Total (i.e. pefile), you can use :attr:`~lief.PE.IMPHASH_MODE.PEFILE`
as second parameter.
.. warning::
The algorithm used to compute the *imphash* value has some variations compared to Yara, pefile,
VT implementation
.. seealso::
https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
)delim",
"binary"_a, "mode"_a = IMPHASH_MODE::DEFAULT);
m.def("resolve_ordinals",
&resolve_ordinals,
@ -67,7 +81,7 @@ void init_utils(py::module& m) {
"The ``strict`` boolean parameter enables to throw a " RST_CLASS_REF(lief.not_found) " exception "
"if the ordinal can't be resolved. Otherwise it skips the entry.",
"import"_a, "strict"_a = false,
"import"_a, "strict"_a = false, "use_std"_a = false,
py::return_value_policy::copy);
}

3
doc/sphinx/api/cpp/pe.rst

@ -536,6 +536,9 @@ Utilities
.. doxygenfunction:: LIEF::PE::get_imphash
:project: lief
.. doxygenenum:: LIEF::PE::IMPHASH_MODE
:project: lief
.. doxygenfunction:: LIEF::PE::resolve_ordinals
:project: lief

5
doc/sphinx/api/python/pe.rst

@ -632,6 +632,11 @@ Utilities
.. autofunction:: lief.PE.get_imphash
.. autoclass:: lief.PE.IMPHASH_MODE
:members:
:inherited-members:
:undoc-members:
.. autofunction:: lief.PE.resolve_ordinals
-----------

12
doc/sphinx/changelog.rst

@ -23,6 +23,18 @@ Changelog
:PE:
* Enhance PE Authenticode. See `PE Authenticode <tutorials/13_pe_authenticode.html>`_
* :func:`~lief.PE.get_imphash` can now generate the same value as pefile and Virus Total (:issue:`299`)
.. code-block:: python
pe = lief.parse("example.exe")
vt_imphash = lief.PE.get_imphash(pe, lief.PE.IMPHASH_MODE.PEFILE)
lief_imphash = lief.PE.get_imphash(pe, lief.PE.IMPHASH_MODE.DEFAULT)
.. seealso::
:class:`lief.PE.IMPHASH_MODE` and :func:`lief.PE.get_imphash`
* :attr:`~lief.PE.LangCodeItem.items` now returns a dictionary whose values are **bytes** (instead of
``str`` object). This change is related to ``utf-16`` support.
* :github_user:`kohnakagawa` fixed wrong enums values: :commit:`c03125045e32a9cd65c613585eb4d0385350c6d2`, :commit:`6ee808a1e4611d09c6cf0aea82a612be69584db9`, :commit:`cd05f34bae681fc8af4b5e7cc28eaef816802b6f`

24
include/LIEF/PE/utils.hpp

@ -27,6 +27,14 @@ namespace PE {
class Binary;
class Import;
//! Enum to define the behavior of LIEF::PE::get_imphash
enum class IMPHASH_MODE {
DEFAULT = 0, /**< Default implementation */
LIEF = DEFAULT, /**< Same as IMPHASH_MODE::DEFAULT */
PEFILE, /**< Use pefile algorithm */
VT = PEFILE, /**< Same as IMPHASH_MODE::PEFILE since Virus Total is using pefile */
};
//! check if the `file` is a PE file
LIEF_API bool is_pe(const std::string& file);
@ -41,15 +49,18 @@ LIEF_API PE_TYPE get_type(const std::vector<uint8_t>& raw);
//! Compute the hash of imported functions
//!
//! Properties of the hash generated:
//! By default, it generates an hash with the following properties:
//! * Order agnostic
//! * Casse agnostic
//! * Ordinal (**in some extent**) agnostic
//!
//! @warning The algorithm used to compute the *imphash* value has some variations compared to Yara, pefile, VT implementation
//! If one needs the same output as Virus Total (i.e. pefile), you can pass IMPHASH_MODE::PEFILE
//! as second parameter.
//!
//! @warning The default algorithm used to compute the *imphash* value has some variations compared to Yara, pefile, VT implementation
//!
//! @see https://www.fireeye.com/blog/threat-research/2014/01/tracking-malware-import-hashing.html
LIEF_API std::string get_imphash(const Binary& binary);
LIEF_API std::string get_imphash(const Binary& binary, IMPHASH_MODE mode = IMPHASH_MODE::DEFAULT);
//! Take a PE::Import as entry and try to resolve imports
//! by ordinal.
@ -57,11 +68,12 @@ LIEF_API std::string get_imphash(const Binary& binary);
//! The ``strict`` boolean parameter enables to throw an LIEF::not_found exception
//! if the ordinal can't be resolved. Otherwise it skips the entry.
//!
//! @param[in] import Import to resolve
//! @param[in] strict If set to ``true``, throw an exception if the import can't be resolved
//! @param[in] import Import to resolve
//! @param[in] strict If set to ``true``, throw an exception if the import can't be resolved
//! @param[in] use_std If ``true``, it will use the [pefile](https://github.com/erocarrera/pefile/tree/09264be6f731bf8578aee8638cc4046154e03abf/ordlookup) look-up table for resolving imports
//!
//! @return The PE::import resolved with PE::ImportEntry::name set
LIEF_API Import resolve_ordinals(const Import& import, bool strict=false);
LIEF_API Import resolve_ordinals(const Import& import, bool strict=false, bool use_std=false);
LIEF_API ALGORITHMS algo_from_oid(const std::string& oid);
}

122
src/PE/utils.cpp

@ -35,11 +35,23 @@
#include "LIEF/PE/ImportEntry.hpp"
#include "LIEF/BinaryStream/VectorStream.hpp"
#include "LIEF/utils.hpp"
#include "utils/ordinals_lookup_tables/libraries_table.hpp"
#include "utils/ordinals_lookup_tables_std/libraries_table.hpp"
#include "hash_stream.hpp"
namespace LIEF {
namespace PE {
inline std::string to_lower(std::string str) {
std::string lower = str;
std::transform(std::begin(str), std::end(str),
std::begin(lower), ::tolower);
return lower;
}
bool is_pe(const std::string& file) {
std::ifstream binary(file, std::ios::in | std::ios::binary);
if (not binary) {
@ -153,21 +165,65 @@ PE_TYPE get_type(const std::vector<uint8_t>& raw) {
}
std::string get_imphash(const Binary& binary) {
uint8_t md5_buffer[16];
std::string get_imphash_std(const Binary& binary) {
static const std::set<std::string> ALLOWED_EXT = {"dll", "ocx", "sys"};
std::vector<uint8_t> md5_buffer(16);
if (not binary.has_imports()) {
return "";
}
std::string lstr;
bool first_entry = true;
hashstream hs(hashstream::HASH::MD5);
for (const Import& imp : binary.imports()) {
std::string libname = imp.name();
Import resolved = resolve_ordinals(imp, /* strict */ false, /* use_std */ true);
size_t ext_idx = resolved.name().find_last_of(".");
std::string name = resolved.name();
std::string ext;
if (ext_idx != std::string::npos) {
ext = to_lower(resolved.name().substr(ext_idx + 1));
}
if (ALLOWED_EXT.find(ext) != std::end(ALLOWED_EXT)) {
name = name.substr(0, ext_idx);
}
std::string entries_string;
for (const ImportEntry& e : resolved.entries()) {
std::string funcname;
if (e.is_ordinal()) {
funcname = "ord" + std::to_string(e.ordinal());
} else {
funcname = e.name();
}
if (not entries_string.empty()) {
entries_string += ",";
}
entries_string += name + "." + funcname;
}
if (not first_entry) {
lstr += ",";
} else {
first_entry = false;
}
lstr += to_lower(entries_string);
// use write(uint8_t*, size_t) instead of write(const std::string&) to avoid null char
hs.write(reinterpret_cast<const uint8_t*>(lstr.data()), lstr.size());
lstr.clear();
}
return hex_dump(hs.raw(), "");
}
std::string get_imphash_lief(const Binary& binary) {
std::vector<uint8_t> md5_buffer(16);
if (not binary.has_imports()) {
return std::to_string(0);
}
auto to_lower = [] (const std::string& str) {
std::string lower = str;
std::transform(
std::begin(str),
std::end(str),
std::begin(lower),
::tolower);
return lower;
};
it_const_imports imports = binary.imports();
std::string import_list;
@ -199,24 +255,24 @@ std::string get_imphash(const Binary& binary) {
mbedtls_md5(
reinterpret_cast<const uint8_t*>(import_list.data()),
import_list.size(),
md5_buffer);
std::string output_hex = std::accumulate(
std::begin(md5_buffer),
std::end(md5_buffer),
std::string{},
[] (const std::string& a, uint8_t b) {
std::stringstream ss;
ss << std::hex;
ss << std::setw(2) << std::setfill('0') << static_cast<uint32_t>(b);
return a + ss.str();
});
return output_hex;
md5_buffer.data());
return hex_dump(md5_buffer, "");
}
std::string get_imphash(const Binary& binary, IMPHASH_MODE mode) {
switch (mode) {
case IMPHASH_MODE::LIEF:
{
return get_imphash_lief(binary);
}
case IMPHASH_MODE::PEFILE:
{
return get_imphash_std(binary);
}
}
}
Import resolve_ordinals(const Import& import, bool strict) {
Import resolve_ordinals(const Import& import, bool strict, bool use_std) {
it_const_import_entries entries = import.entries();
@ -230,15 +286,11 @@ Import resolve_ordinals(const Import& import, bool strict) {
return import;
}
std::string name = import.name();
std::transform(
std::begin(name),
std::end(name),
std::begin(name),
::tolower);
std::string name = to_lower(import.name());
auto&& it_library_lookup = ordinals_library_tables.find(name);
if (it_library_lookup == std::end(ordinals_library_tables)) {
auto it_library_lookup = use_std ? imphashstd::ordinals_library_tables.find(name) : ordinals_library_tables.find(name);
if (it_library_lookup == std::end(imphashstd::ordinals_library_tables) or
it_library_lookup == std::end(ordinals_library_tables)) {
std::string msg = "Ordinal lookup table for '" + name + "' not implemented";
if (strict) {
throw not_found(msg);
@ -250,7 +302,7 @@ Import resolve_ordinals(const Import& import, bool strict) {
for (ImportEntry& entry : resolved_import.entries()) {
if (entry.is_ordinal()) {
LIEF_DEBUG("Dealing with: {}", entry);
auto&& it_entry = it_library_lookup->second.find(static_cast<uint32_t>(entry.ordinal()));
auto it_entry = it_library_lookup->second.find(static_cast<uint32_t>(entry.ordinal()));
if (it_entry == std::end(it_library_lookup->second)) {
if (strict) {
throw not_found("Unable to resolve ordinal: " + std::to_string(entry.ordinal()));

1
src/PE/utils/ordinals_lookup_tables_std/README.md Normal file

@ -0,0 +1 @@
This entries are coming from [pefile](https://github.com/erocarrera/pefile/tree/09264be6f731bf8578aee8638cc4046154e03abf/ordlookup)

40
src/PE/utils/ordinals_lookup_tables_std/libraries_table.hpp Normal file

@ -0,0 +1,40 @@
/* Copyright 2017 - 2021 R. Thomas
* Copyright 2017 - 2021 Quarkslab
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef LIEF_PE_UTILS_LIBRARY_TABLE_STD_H_
#define LIEF_PE_UTILS_LIBRARY_TABLE_STD_H_
#include <map>
#include "frozen.hpp"
#include "ws2_32_dll_lookup.hpp"
#include "oleauth32_dll_lookup.hpp"
namespace LIEF {
namespace PE {
namespace imphashstd {
static const std::map<std::string, const std::map<uint32_t, const char*>&> ordinals_library_tables =
{
{ "ws2_32.dll", ws2_32_dll_lookup },
{ "wsock32.dll", ws2_32_dll_lookup },
{ "oleaut32.dll", oleaut32_dll_lookup },
};
}
}
}
#endif

434
src/PE/utils/ordinals_lookup_tables_std/oleauth32_dll_lookup.hpp Normal file

@ -0,0 +1,434 @@
/* Copyright 2017 - 2021 R. Thomas
* Copyright 2017 - 2021 Quarkslab
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef LIEF_PE_OLEAUTH32_DLL_LOOKUP_STD_H_
#define LIEF_PE_OLEAUTH32_DLL_LOOKUP_STD_H_
#include <map>
#include <cinttypes>
namespace LIEF {
namespace PE {
namespace imphashstd {
// From pefile: https://github.com/erocarrera/pefile/blob/09264be6f731bf8578aee8638cc4046154e03abf/ordlookup/oleaut32.py
static const std::map<uint32_t, const char*> oleaut32_dll_lookup {
{ 0x0002, "SysAllocString" },
{ 0x0003, "SysReAllocString" },
{ 0x0004, "SysAllocStringLen" },
{ 0x0005, "SysReAllocStringLen" },
{ 0x0006, "SysFreeString" },
{ 0x0007, "SysStringLen" },
{ 0x0008, "VariantInit" },
{ 0x0009, "VariantClear" },
{ 0x000a, "VariantCopy" },
{ 0x000b, "VariantCopyInd" },
{ 0x000c, "VariantChangeType" },
{ 0x000d, "VariantTimeToDosDateTime" },
{ 0x000e, "DosDateTimeToVariantTime" },
{ 0x000f, "SafeArrayCreate" },
{ 0x0010, "SafeArrayDestroy" },
{ 0x0011, "SafeArrayGetDim" },
{ 0x0012, "SafeArrayGetElemsize" },
{ 0x0013, "SafeArrayGetUBound" },
{ 0x0014, "SafeArrayGetLBound" },
{ 0x0015, "SafeArrayLock" },
{ 0x0016, "SafeArrayUnlock" },
{ 0x0017, "SafeArrayAccessData" },
{ 0x0018, "SafeArrayUnaccessData" },
{ 0x0019, "SafeArrayGetElement" },
{ 0x001a, "SafeArrayPutElement" },
{ 0x001b, "SafeArrayCopy" },
{ 0x001c, "DispGetParam" },
{ 0x001d, "DispGetIDsOfNames" },
{ 0x001e, "DispInvoke" },
{ 0x001f, "CreateDispTypeInfo" },
{ 0x0020, "CreateStdDispatch" },
{ 0x0021, "RegisterActiveObject" },
{ 0x0022, "RevokeActiveObject" },
{ 0x0023, "GetActiveObject" },
{ 0x0024, "SafeArrayAllocDescriptor" },
{ 0x0025, "SafeArrayAllocData" },
{ 0x0026, "SafeArrayDestroyDescriptor" },
{ 0x0027, "SafeArrayDestroyData" },
{ 0x0028, "SafeArrayRedim" },
{ 0x0029, "SafeArrayAllocDescriptorEx" },
{ 0x002a, "SafeArrayCreateEx" },
{ 0x002b, "SafeArrayCreateVectorEx" },
{ 0x002c, "SafeArraySetRecordInfo" },
{ 0x002d, "SafeArrayGetRecordInfo" },
{ 0x002e, "VarParseNumFromStr" },
{ 0x002f, "VarNumFromParseNum" },
{ 0x0030, "VarI2FromUI1" },
{ 0x0031, "VarI2FromI4" },
{ 0x0032, "VarI2FromR4" },
{ 0x0033, "VarI2FromR8" },
{ 0x0034, "VarI2FromCy" },
{ 0x0035, "VarI2FromDate" },
{ 0x0036, "VarI2FromStr" },
{ 0x0037, "VarI2FromDisp" },
{ 0x0038, "VarI2FromBool" },
{ 0x0039, "SafeArraySetIID" },
{ 0x003a, "VarI4FromUI1" },
{ 0x003b, "VarI4FromI2" },
{ 0x003c, "VarI4FromR4" },
{ 0x003d, "VarI4FromR8" },
{ 0x003e, "VarI4FromCy" },
{ 0x003f, "VarI4FromDate" },
{ 0x0040, "VarI4FromStr" },
{ 0x0041, "VarI4FromDisp" },
{ 0x0042, "VarI4FromBool" },
{ 0x0043, "SafeArrayGetIID" },
{ 0x0044, "VarR4FromUI1" },
{ 0x0045, "VarR4FromI2" },
{ 0x0046, "VarR4FromI4" },
{ 0x0047, "VarR4FromR8" },
{ 0x0048, "VarR4FromCy" },
{ 0x0049, "VarR4FromDate" },
{ 0x004a, "VarR4FromStr" },
{ 0x004b, "VarR4FromDisp" },
{ 0x004c, "VarR4FromBool" },
{ 0x004d, "SafeArrayGetVartype" },
{ 0x004e, "VarR8FromUI1" },
{ 0x004f, "VarR8FromI2" },
{ 0x0050, "VarR8FromI4" },
{ 0x0051, "VarR8FromR4" },
{ 0x0052, "VarR8FromCy" },
{ 0x0053, "VarR8FromDate" },
{ 0x0054, "VarR8FromStr" },
{ 0x0055, "VarR8FromDisp" },
{ 0x0056, "VarR8FromBool" },
{ 0x0057, "VarFormat" },
{ 0x0058, "VarDateFromUI1" },
{ 0x0059, "VarDateFromI2" },
{ 0x005a, "VarDateFromI4" },
{ 0x005b, "VarDateFromR4" },
{ 0x005c, "VarDateFromR8" },
{ 0x005d, "VarDateFromCy" },
{ 0x005e, "VarDateFromStr" },
{ 0x005f, "VarDateFromDisp" },
{ 0x0060, "VarDateFromBool" },
{ 0x0061, "VarFormatDateTime" },
{ 0x0062, "VarCyFromUI1" },
{ 0x0063, "VarCyFromI2" },
{ 0x0064, "VarCyFromI4" },
{ 0x0065, "VarCyFromR4" },
{ 0x0066, "VarCyFromR8" },
{ 0x0067, "VarCyFromDate" },
{ 0x0068, "VarCyFromStr" },
{ 0x0069, "VarCyFromDisp" },
{ 0x006a, "VarCyFromBool" },
{ 0x006b, "VarFormatNumber" },
{ 0x006c, "VarBstrFromUI1" },
{ 0x006d, "VarBstrFromI2" },
{ 0x006e, "VarBstrFromI4" },
{ 0x006f, "VarBstrFromR4" },
{ 0x0070, "VarBstrFromR8" },
{ 0x0071, "VarBstrFromCy" },
{ 0x0072, "VarBstrFromDate" },
{ 0x0073, "VarBstrFromDisp" },
{ 0x0074, "VarBstrFromBool" },
{ 0x0075, "VarFormatPercent" },
{ 0x0076, "VarBoolFromUI1" },
{ 0x0077, "VarBoolFromI2" },
{ 0x0078, "VarBoolFromI4" },
{ 0x0079, "VarBoolFromR4" },
{ 0x007a, "VarBoolFromR8" },
{ 0x007b, "VarBoolFromDate" },
{ 0x007c, "VarBoolFromCy" },
{ 0x007d, "VarBoolFromStr" },
{ 0x007e, "VarBoolFromDisp" },
{ 0x007f, "VarFormatCurrency" },
{ 0x0080, "VarWeekdayName" },
{ 0x0081, "VarMonthName" },
{ 0x0082, "VarUI1FromI2" },
{ 0x0083, "VarUI1FromI4" },
{ 0x0084, "VarUI1FromR4" },
{ 0x0085, "VarUI1FromR8" },
{ 0x0086, "VarUI1FromCy" },
{ 0x0087, "VarUI1FromDate" },
{ 0x0088, "VarUI1FromStr" },
{ 0x0089, "VarUI1FromDisp" },
{ 0x008a, "VarUI1FromBool" },
{ 0x008b, "VarFormatFromTokens" },
{ 0x008c, "VarTokenizeFormatString" },
{ 0x008d, "VarAdd" },
{ 0x008e, "VarAnd" },
{ 0x008f, "VarDiv" },
{ 0x0090, "DllCanUnloadNow" },
{ 0x0091, "DllGetClassObject" },
{ 0x0092, "DispCallFunc" },
{ 0x0093, "VariantChangeTypeEx" },
{ 0x0094, "SafeArrayPtrOfIndex" },
{ 0x0095, "SysStringByteLen" },
{ 0x0096, "SysAllocStringByteLen" },
{ 0x0097, "DllRegisterServer" },
{ 0x0098, "VarEqv" },
{ 0x0099, "VarIdiv" },
{ 0x009a, "VarImp" },
{ 0x009b, "VarMod" },
{ 0x009c, "VarMul" },
{ 0x009d, "VarOr" },
{ 0x009e, "VarPow" },
{ 0x009f, "VarSub" },
{ 0x00a0, "CreateTypeLib" },
{ 0x00a1, "LoadTypeLib" },
{ 0x00a2, "LoadRegTypeLib" },
{ 0x00a3, "RegisterTypeLib" },
{ 0x00a4, "QueryPathOfRegTypeLib" },
{ 0x00a5, "LHashValOfNameSys" },
{ 0x00a6, "LHashValOfNameSysA" },
{ 0x00a7, "VarXor" },
{ 0x00a8, "VarAbs" },
{ 0x00a9, "VarFix" },
{ 0x00aa, "OaBuildVersion" },
{ 0x00ab, "ClearCustData" },
{ 0x00ac, "VarInt" },
{ 0x00ad, "VarNeg" },
{ 0x00ae, "VarNot" },
{ 0x00af, "VarRound" },
{ 0x00b0, "VarCmp" },
{ 0x00b1, "VarDecAdd" },
{ 0x00b2, "VarDecDiv" },
{ 0x00b3, "VarDecMul" },
{ 0x00b4, "CreateTypeLib2" },
{ 0x00b5, "VarDecSub" },
{ 0x00b6, "VarDecAbs" },
{ 0x00b7, "LoadTypeLibEx" },
{ 0x00b8, "SystemTimeToVariantTime" },
{ 0x00b9, "VariantTimeToSystemTime" },
{ 0x00ba, "UnRegisterTypeLib" },
{ 0x00bb, "VarDecFix" },
{ 0x00bc, "VarDecInt" },
{ 0x00bd, "VarDecNeg" },
{ 0x00be, "VarDecFromUI1" },
{ 0x00bf, "VarDecFromI2" },
{ 0x00c0, "VarDecFromI4" },
{ 0x00c1, "VarDecFromR4" },
{ 0x00c2, "VarDecFromR8" },
{ 0x00c3, "VarDecFromDate" },
{ 0x00c4, "VarDecFromCy" },
{ 0x00c5, "VarDecFromStr" },
{ 0x00c6, "VarDecFromDisp" },
{ 0x00c7, "VarDecFromBool" },
{ 0x00c8, "GetErrorInfo" },
{ 0x00c9, "SetErrorInfo" },
{ 0x00ca, "CreateErrorInfo" },
{ 0x00cb, "VarDecRound" },
{ 0x00cc, "VarDecCmp" },
{ 0x00cd, "VarI2FromI1" },
{ 0x00ce, "VarI2FromUI2" },
{ 0x00cf, "VarI2FromUI4" },
{ 0x00d0, "VarI2FromDec" },
{ 0x00d1, "VarI4FromI1" },
{ 0x00d2, "VarI4FromUI2" },
{ 0x00d3, "VarI4FromUI4" },
{ 0x00d4, "VarI4FromDec" },
{ 0x00d5, "VarR4FromI1" },
{ 0x00d6, "VarR4FromUI2" },
{ 0x00d7, "VarR4FromUI4" },
{ 0x00d8, "VarR4FromDec" },
{ 0x00d9, "VarR8FromI1" },
{ 0x00da, "VarR8FromUI2" },
{ 0x00db, "VarR8FromUI4" },
{ 0x00dc, "VarR8FromDec" },
{ 0x00dd, "VarDateFromI1" },
{ 0x00de, "VarDateFromUI2" },
{ 0x00df, "VarDateFromUI4" },
{ 0x00e0, "VarDateFromDec" },
{ 0x00e1, "VarCyFromI1" },
{ 0x00e2, "VarCyFromUI2" },
{ 0x00e3, "VarCyFromUI4" },
{ 0x00e4, "VarCyFromDec" },
{ 0x00e5, "VarBstrFromI1" },
{ 0x00e6, "VarBstrFromUI2" },
{ 0x00e7, "VarBstrFromUI4" },
{ 0x00e8, "VarBstrFromDec" },
{ 0x00e9, "VarBoolFromI1" },
{ 0x00ea, "VarBoolFromUI2" },
{ 0x00eb, "VarBoolFromUI4" },
{ 0x00ec, "VarBoolFromDec" },
{ 0x00ed, "VarUI1FromI1" },
{ 0x00ee, "VarUI1FromUI2" },
{ 0x00ef, "VarUI1FromUI4" },
{ 0x00f0, "VarUI1FromDec" },
{ 0x00f1, "VarDecFromI1" },
{ 0x00f2, "VarDecFromUI2" },
{ 0x00f3, "VarDecFromUI4" },
{ 0x00f4, "VarI1FromUI1" },
{ 0x00f5, "VarI1FromI2" },
{ 0x00f6, "VarI1FromI4" },
{ 0x00f7, "VarI1FromR4" },
{ 0x00f8, "VarI1FromR8" },
{ 0x00f9, "VarI1FromDate" },
{ 0x00fa, "VarI1FromCy" },
{ 0x00fb, "VarI1FromStr" },
{ 0x00fc, "VarI1FromDisp" },
{ 0x00fd, "VarI1FromBool" },
{ 0x00fe, "VarI1FromUI2" },
{ 0x00ff, "VarI1FromUI4" },
{ 0x0100, "VarI1FromDec" },
{ 0x0101, "VarUI2FromUI1" },
{ 0x0102, "VarUI2FromI2" },
{ 0x0103, "VarUI2FromI4" },
{ 0x0104, "VarUI2FromR4" },
{ 0x0105, "VarUI2FromR8" },
{ 0x0106, "VarUI2FromDate" },
{ 0x0107, "VarUI2FromCy" },
{ 0x0108, "VarUI2FromStr" },
{ 0x0109, "VarUI2FromDisp" },
{ 0x010a, "VarUI2FromBool" },
{ 0x010b, "VarUI2FromI1" },
{ 0x010c, "VarUI2FromUI4" },
{ 0x010d, "VarUI2FromDec" },
{ 0x010e, "VarUI4FromUI1" },
{ 0x010f, "VarUI4FromI2" },
{ 0x0110, "VarUI4FromI4" },
{ 0x0111, "VarUI4FromR4" },
{ 0x0112, "VarUI4FromR8" },
{ 0x0113, "VarUI4FromDate" },
{ 0x0114, "VarUI4FromCy" },
{ 0x0115, "VarUI4FromStr" },
{ 0x0116, "VarUI4FromDisp" },
{ 0x0117, "VarUI4FromBool" },
{ 0x0118, "VarUI4FromI1" },
{ 0x0119, "VarUI4FromUI2" },
{ 0x011a, "VarUI4FromDec" },
{ 0x011b, "BSTR_UserSize" },
{ 0x011c, "BSTR_UserMarshal" },
{ 0x011d, "BSTR_UserUnmarshal" },
{ 0x011e, "BSTR_UserFree" },
{ 0x011f, "VARIANT_UserSize" },
{ 0x0120, "VARIANT_UserMarshal" },
{ 0x0121, "VARIANT_UserUnmarshal" },
{ 0x0122, "VARIANT_UserFree" },
{ 0x0123, "LPSAFEARRAY_UserSize" },
{ 0x0124, "LPSAFEARRAY_UserMarshal" },
{ 0x0125, "LPSAFEARRAY_UserUnmarshal" },
{ 0x0126, "LPSAFEARRAY_UserFree" },
{ 0x0127, "LPSAFEARRAY_Size" },
{ 0x0128, "LPSAFEARRAY_Marshal" },
{ 0x0129, "LPSAFEARRAY_Unmarshal" },
{ 0x012a, "VarDecCmpR8" },
{ 0x012b, "VarCyAdd" },
{ 0x012c, "DllUnregisterServer" },
{ 0x012d, "OACreateTypeLib2" },
{ 0x012f, "VarCyMul" },
{ 0x0130, "VarCyMulI4" },
{ 0x0131, "VarCySub" },
{ 0x0132, "VarCyAbs" },
{ 0x0133, "VarCyFix" },
{ 0x0134, "VarCyInt" },
{ 0x0135, "VarCyNeg" },
{ 0x0136, "VarCyRound" },
{ 0x0137, "VarCyCmp" },
{ 0x0138, "VarCyCmpR8" },
{ 0x0139, "VarBstrCat" },
{ 0x013a, "VarBstrCmp" },
{ 0x013b, "VarR8Pow" },
{ 0x013c, "VarR4CmpR8" },
{ 0x013d, "VarR8Round" },
{ 0x013e, "VarCat" },
{ 0x013f, "VarDateFromUdateEx" },
{ 0x0142, "GetRecordInfoFromGuids" },
{ 0x0143, "GetRecordInfoFromTypeInfo" },
{ 0x0145, "SetVarConversionLocaleSetting" },
{ 0x0146, "GetVarConversionLocaleSetting" },
{ 0x0147, "SetOaNoCache" },
{ 0x0149, "VarCyMulI8" },
{ 0x014a, "VarDateFromUdate" },
{ 0x014b, "VarUdateFromDate" },
{ 0x014c, "GetAltMonthNames" },
{ 0x014d, "VarI8FromUI1" },
{ 0x014e, "VarI8FromI2" },
{ 0x014f, "VarI8FromR4" },
{ 0x0150, "VarI8FromR8" },
{ 0x0151, "VarI8FromCy" },
{ 0x0152, "VarI8FromDate" },
{ 0x0153, "VarI8FromStr" },
{ 0x0154, "VarI8FromDisp" },
{ 0x0155, "VarI8FromBool" },
{ 0x0156, "VarI8FromI1" },
{ 0x0157, "VarI8FromUI2" },
{ 0x0158, "VarI8FromUI4" },
{ 0x0159, "VarI8FromDec" },
{ 0x015a, "VarI2FromI8" },
{ 0x015b, "VarI2FromUI8" },
{ 0x015c, "VarI4FromI8" },
{ 0x015d, "VarI4FromUI8" },
{ 0x0168, "VarR4FromI8" },
{ 0x0169, "VarR4FromUI8" },
{ 0x016a, "VarR8FromI8" },
{ 0x016b, "VarR8FromUI8" },
{ 0x016c, "VarDateFromI8" },
{ 0x016d, "VarDateFromUI8" },
{ 0x016e, "VarCyFromI8" },
{ 0x016f, "VarCyFromUI8" },
{ 0x0170, "VarBstrFromI8" },
{ 0x0171, "VarBstrFromUI8" },
{ 0x0172, "VarBoolFromI8" },
{ 0x0173, "VarBoolFromUI8" },
{ 0x0174, "VarUI1FromI8" },
{ 0x0175, "VarUI1FromUI8" },
{ 0x0176, "VarDecFromI8" },
{ 0x0177, "VarDecFromUI8" },
{ 0x0178, "VarI1FromI8" },
{ 0x0179, "VarI1FromUI8" },
{ 0x017a, "VarUI2FromI8" },
{ 0x017b, "VarUI2FromUI8" },
{ 0x0191, "OleLoadPictureEx" },
{ 0x0192, "OleLoadPictureFileEx" },
{ 0x019b, "SafeArrayCreateVector" },
{ 0x019c, "SafeArrayCopyData" },
{ 0x019d, "VectorFromBstr" },
{ 0x019e, "BstrFromVector" },
{ 0x019f, "OleIconToCursor" },
{ 0x01a0, "OleCreatePropertyFrameIndirect" },
{ 0x01a1, "OleCreatePropertyFrame" },
{ 0x01a2, "OleLoadPicture" },
{ 0x01a3, "OleCreatePictureIndirect" },
{ 0x01a4, "OleCreateFontIndirect" },
{ 0x01a5, "OleTranslateColor" },
{ 0x01a6, "OleLoadPictureFile" },
{ 0x01a7, "OleSavePictureFile" },
{ 0x01a8, "OleLoadPicturePath" },
{ 0x01a9, "VarUI4FromI8" },
{ 0x01aa, "VarUI4FromUI8" },
{ 0x01ab, "VarI8FromUI8" },
{ 0x01ac, "VarUI8FromI8" },
{ 0x01ad, "VarUI8FromUI1" },
{ 0x01ae, "VarUI8FromI2" },
{ 0x01af, "VarUI8FromR4" },
{ 0x01b0, "VarUI8FromR8" },
{ 0x01b1, "VarUI8FromCy" },
{ 0x01b2, "VarUI8FromDate" },
{ 0x01b3, "VarUI8FromStr" },
{ 0x01b4, "VarUI8FromDisp" },
{ 0x01b5, "VarUI8FromBool" },
{ 0x01b6, "VarUI8FromI1" },
{ 0x01b7, "VarUI8FromUI2" },
{ 0x01b8, "VarUI8FromUI4" },
{ 0x01b9, "VarUI8FromDec" },
{ 0x01ba, "RegisterTypeLibForUser" },
{ 0x01bb, "UnRegisterTypeLibForUser" },
};
}
}
}
#endif

152
src/PE/utils/ordinals_lookup_tables_std/ws2_32_dll_lookup.hpp Normal file

@ -0,0 +1,152 @@
/* Copyright 2017 - 2021 R. Thomas
* Copyright 2017 - 2021 Quarkslab
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef LIEF_PE_WS2_32_DLL_LOOKUP_STD_H_
#define LIEF_PE_WS2_32_DLL_LOOKUP_STD_H_
#include <map>
#include <cinttypes>
namespace LIEF {
namespace PE {
namespace imphashstd {
// From pefile: https://github.com/erocarrera/pefile/blob/09264be6f731bf8578aee8638cc4046154e03abf/ordlookup/ws2_32.py
static const std::map<uint32_t, const char*> ws2_32_dll_lookup {
{ 0x0001, "accept" },
{ 0x0002, "bind" },
{ 0x0003, "closesocket" },
{ 0x0004, "connect" },
{ 0x0005, "getpeername" },
{ 0x0006, "getsockname" },
{ 0x0007, "getsockopt" },
{ 0x0008, "htonl" },
{ 0x0009, "htons" },
{ 0x000a, "ioctlsocket" },
{ 0x000b, "inet_addr" },
{ 0x000c, "inet_ntoa" },
{ 0x000d, "listen" },
{ 0x000e, "ntohl" },
{ 0x000f, "ntohs" },
{ 0x0010, "recv" },
{ 0x0011, "recvfrom" },
{ 0x0012, "select" },
{ 0x0013, "send" },
{ 0x0014, "sendto" },
{ 0x0015, "setsockopt" },
{ 0x0016, "shutdown" },
{ 0x0017, "socket" },
{ 0x0018, "GetAddrInfoW" },
{ 0x0019, "GetNameInfoW" },
{ 0x001a, "WSApSetPostRoutine" },
{ 0x001b, "FreeAddrInfoW" },
{ 0x001c, "WPUCompleteOverlappedRequest" },
{ 0x001d, "WSAAccept" },
{ 0x001e, "WSAAddressToStringA" },
{ 0x001f, "WSAAddressToStringW" },
{ 0x0020, "WSACloseEvent" },
{ 0x0021, "WSAConnect" },
{ 0x0022, "WSACreateEvent" },
{ 0x0023, "WSADuplicateSocketA" },
{ 0x0024, "WSADuplicateSocketW" },
{ 0x0025, "WSAEnumNameSpaceProvidersA" },
{ 0x0026, "WSAEnumNameSpaceProvidersW" },
{ 0x0027, "WSAEnumNetworkEvents" },
{ 0x0028, "WSAEnumProtocolsA" },
{ 0x0029, "WSAEnumProtocolsW" },
{ 0x002a, "WSAEventSelect" },
{ 0x002b, "WSAGetOverlappedResult" },
{ 0x002c, "WSAGetQOSByName" },
{ 0x002d, "WSAGetServiceClassInfoA" },
{ 0x002e, "WSAGetServiceClassInfoW" },
{ 0x002f, "WSAGetServiceClassNameByClassIdA"},
{ 0x0030, "WSAGetServiceClassNameByClassIdW"},
{ 0x0031, "WSAHtonl" },
{ 0x0032, "WSAHtons" },
{ 0x0033, "gethostbyaddr" },
{ 0x0034, "gethostbyname" },
{ 0x0035, "getprotobyname" },
{ 0x0036, "getprotobynumber" },
{ 0x0037, "getservbyname" },
{ 0x0038, "getservbyport" },
{ 0x0039, "gethostname" },
{ 0x003a, "WSAInstallServiceClassA" },
{ 0x003b, "WSAInstallServiceClassW" },
{ 0x003c, "WSAIoctl" },
{ 0x003d, "WSAJoinLeaf" },
{ 0x003e, "WSALookupServiceBeginA" },
{ 0x003f, "WSALookupServiceBeginW" },
{ 0x0040, "WSALookupServiceEnd" },
{ 0x0041, "WSALookupServiceNextA" },
{ 0x0042, "WSALookupServiceNextW" },
{ 0x0043, "WSANSPIoctl" },
{ 0x0044, "WSANtohl" },
{ 0x0045, "WSANtohs" },
{ 0x0046, "WSAProviderConfigChange" },
{ 0x0047, "WSARecv" },
{ 0x0048, "WSARecvDisconnect" },
{ 0x0049, "WSARecvFrom" },
{ 0x004a, "WSARemoveServiceClass" },
{ 0x004b, "WSAResetEvent" },
{ 0x004c, "WSASend" },
{ 0x004d, "WSASendDisconnect" },
{ 0x004e, "WSASendTo" },
{ 0x004f, "WSASetEvent" },
{ 0x0050, "WSASetServiceA" },
{ 0x0051, "WSASetServiceW" },
{ 0x0052, "WSASocketA" },
{ 0x0053, "WSASocketW" },
{ 0x0054, "WSAStringToAddressA" },
{ 0x0055, "WSAStringToAddressW" },
{ 0x0056, "WSAWaitForMultipleEvents" },
{ 0x0057, "WSCDeinstallProvider" },
{ 0x0058, "WSCEnableNSProvider" },
{ 0x0059, "WSCEnumProtocols" },
{ 0x005a, "WSCGetProviderPath" },
{ 0x005b, "WSCInstallNameSpace" },
{ 0x005c, "WSCInstallProvider" },
{ 0x005d, "WSCUnInstallNameSpace" },
{ 0x005e, "WSCUpdateProvider" },
{ 0x005f, "WSCWriteNameSpaceOrder" },
{ 0x0060, "WSCWriteProviderOrder" },
{ 0x0061, "freeaddrinfo" },
{ 0x0062, "getaddrinfo" },
{ 0x0063, "getnameinfo" },
{ 0x0065, "WSAAsyncSelect" },
{ 0x0066, "WSAAsyncGetHostByAddr" },
{ 0x0067, "WSAAsyncGetHostByName" },
{ 0x0068, "WSAAsyncGetProtoByNumber" },
{ 0x0069, "WSAAsyncGetProtoByName" },
{ 0x006a, "WSAAsyncGetServByPort" },
{ 0x006b, "WSAAsyncGetServByName" },
{ 0x006c, "WSACancelAsyncRequest" },
{ 0x006d, "WSASetBlockingHook" },
{ 0x006e, "WSAUnhookBlockingHook" },
{ 0x006f, "WSAGetLastError" },
{ 0x0070, "WSASetLastError" },
{ 0x0071, "WSACancelBlockingCall" },
{ 0x0072, "WSAIsBlocking" },
{ 0x0073, "WSAStartup" },
{ 0x0074, "WSACleanup" },
{ 0x0097, "__WSAFDIsSet" },
{ 0x01f4, "WEP" },
};
}
}
}
#endif

12
tests/pe/test_imphash.py

@ -190,6 +190,18 @@ class TestImphash(TestCase):
self.assertNotEqual(lief.PE.get_imphash(binary_lhs), lief.PE.get_imphash(binary_rhs))
def test_pefile(self):
"""
Check that we can reproduce pefile output
"""
s1 = lief.parse(get_sample("PE/PE64_x86-64_binary_notepad.exe"))
self.assertEqual(lief.PE.get_imphash(s1, lief.PE.IMPHASH_MODE.PEFILE), "38934ee4aaaaa8dab7c73508bc6715ca")
s2 = lief.parse(get_sample("PE/PE32_x86_binary_PGO-PGI.exe"))
self.assertEqual(lief.PE.get_imphash(s2, lief.PE.IMPHASH_MODE.PEFILE), "4d7ac2eefa8a35d9c445d71412e8e71c")

7
tests/pe/test_pe.py

@ -138,13 +138,6 @@ class TestPe(TestCase):
except Exception as e:
self.logger.error(e)
if __name__ == '__main__':
root_logger = logging.getLogger()