#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
# Thomas Roccia | IconDhash.py | |
# pip3 install lief | |
# pip3 install pillow | |
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html | |
import argparse
import os
import sys

import lief
from PIL import Image
# Extracting first icon available | |
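def extract_icon(exe, out_path="peico.ico"):
    """Save the first icon resource of a PE file to *out_path* and return that path.

    Args:
        exe: Path to the PE file. This is untrusted input; all parsing is delegated to
            ``lief.parse``.
        out_path: Destination of the extracted ``.ico``. Defaults to ``"peico.ico"`` in the
            current working directory, which is the fixed name ``generate_icon_dhash`` reads
            back. The default is a predictable path shared by every invocation, so two runs
            started from the same directory at the same time clobber each other's file; a
            caller that needs isolation should pass a per-run path (e.g. inside a temporary
            directory).

    Returns:
        The path the icon was written to (``out_path``).

    Raises:
        ValueError: if lief cannot parse *exe*, the parsed file is not a PE, it has no
            resource section, or its resource section contains no icon.
    """
    binary = lief.parse(exe)
    # lief.parse() reports an unparsable file by returning None rather than raising, and a
    # parsable non-PE (e.g. ELF) has no resources_manager at all; the original code let both
    # surface as an AttributeError.
    if not isinstance(binary, lief.PE.Binary) or not binary.has_resources:
        raise ValueError("not a PE file with resources: %s" % exe)
    icons = binary.resources_manager.icons
    # Previously ico[0] raised a bare IndexError when the resource tree held no icon group.
    if not icons:
        raise ValueError("no icon resource found in: %s" % exe)
    # Only the first icon is used; any additional icon entries are ignored.
    icons[0].save(out_path)
    return out_path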
# Generate dhash on the icon previously extracted | |
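def generate_icon_dhash(exe, hash_size=8):
    """Return the difference hash (dhash) of the first icon in the PE file *exe* as a hex string.

    The icon is extracted to ``peico.ico`` in the current working directory (the fixed name
    ``extract_icon`` writes), converted to 8-bit grayscale and downscaled to
    ``hash_size + 1`` columns by ``hash_size`` rows; each adjacent-column brightness comparison
    yields one bit, giving ``hash_size * hash_size`` bits in total.

    Args:
        exe: Path to the PE file (untrusted input; parsing is done by ``extract_icon``/lief).
        hash_size: Side length of the comparison grid. The default of 8 produces 64 bits,
            i.e. a 16-character hex string.

    Returns:
        Lowercase hex string, ``hash_size * hash_size // 8`` bytes long (bits left over
        from an incomplete final byte are dropped).

    Raises:
        Whatever ``extract_icon`` or Pillow raise for an unparsable file or a missing/corrupt
        icon; ``peico.ico`` is removed in every case once extraction has succeeded.
    """
    extract_icon(exe)
    try:
        # The context manager closes the file handle before os.remove(); on Windows removing a
        # file that Pillow still holds open fails. The original deleted the file only on the
        # success path, leaving peico.ico behind whenever decoding raised.
        with Image.open("peico.ico") as icon:
            # Image.ANTIALIAS was removed in Pillow 10; LANCZOS is the same filter and exists
            # in both older and newer Pillow releases.
            image = icon.convert("L").resize((hash_size + 1, hash_size), Image.LANCZOS)
    finally:
        os.remove("peico.ico")
    # Row-major: one bit per (row, col) saying whether the left pixel is brighter than its
    # right neighbour.
    difference = [
        image.getpixel((col, row)) > image.getpixel((col + 1, row))
        for row in range(hash_size)
        for col in range(hash_size)
    ]
    return _pack_difference_bits(difference)


def _pack_difference_bits(bits):
    """Pack a sequence of booleans into a lowercase hex string, 8 bits per byte, LSB-first.

    Within each byte, the first comparison of the group becomes bit 0 (least significant) and
    the eighth becomes bit 7 — the order the original accumulation loop (``2 ** (index % 8)``)
    produced. NOTE(review): this bit order is one of the details that determines whether the
    result matches a dhash computed by another tool; confirm the packing convention before
    comparing values across implementations. A trailing group of fewer than 8 bits is dropped,
    exactly as the original did.

    Args:
        bits: Iterable of truthy/falsy values, read in order.

    Returns:
        Hex string with two characters per complete group of 8 bits.
    """
    bits = list(bits)
    hex_chunks = []
    for start in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for offset in range(8):
            if bits[start + offset]:
                byte |= 1 << offset
        hex_chunks.append("%02x" % byte)
    return "".join(hex_chunks)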
# main function | |
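def main():
    """Command-line entry point: print the icon dhash of the PE file given by ``-f/--file``.

    Prints ``[+] dhash icon: <hex>`` on success. On any failure it prints
    ``[!] no icon available`` on stdout (the message the original emitted for every error),
    the underlying exception on stderr, and exits with status 1 so scripts can detect the
    failure.
    """
    parser = argparse.ArgumentParser(description='Generate icon dhash by Thomas Roccia')
    parser.add_argument("-f", "--file", help="Specify the PE file", required=True)
    args = parser.parse_args()
    # required=True makes argparse exit before we get here if -f is missing, so the former
    # `if args.file:` guard was dead code.
    try:
        dhash = generate_icon_dhash(args.file)
    except Exception as exc:
        # The original bare `except:` also swallowed KeyboardInterrupt/SystemExit and reported
        # every failure — unparsable file, unreadable path, a missing Pillow attribute such as
        # Image.ANTIALIAS — as "no icon available", hiding the real cause.
        print("[!] no icon available")
        print("[!] reason: %s" % exc, file=sys.stderr)
        sys.exit(1)
    print("[+] dhash icon: %s" % dhash)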
# Run the CLI only when executed as a script; importing the module for
# generate_icon_dhash() does not parse arguments or touch the filesystem.
if __name__ == '__main__':
    main()
I got a completely different hash (dhash=59a88d8c6a4a0118) from the latest WINWORD.exe binary (MD5=2553ac6f04ba8df339f84d46b86ebe6e), which is supposed to have the dhash 9880a5acae8e8198
This is because, in some cases, VT calculates the dhash differently.
Correct, it was for my test.