@fr0gger
Last active September 30, 2024 11:08
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import lief
import os
import argparse
from PIL import Image
# Extracting first icon available
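def extract_icon(exe, out_path="peico.ico"):
    """Write the first icon resource of the PE file *exe* to *out_path*.

    Parsing is delegated entirely to lief; the input file is analysis
    material and is never executed, only read.

    Args:
        exe: Path to the PE file to parse.
        out_path: Destination for the extracted icon. Defaults to
            ``peico.ico`` in the current working directory, which is the
            name the other functions in this script expect.

    Returns:
        The path the icon was written to.

    Raises:
        ValueError: If lief returns nothing for *exe* or the binary carries
            no icon resources. Exceptions raised by lief itself (for example
            when the file has no resource directory at all) propagate
            unchanged.
    """
    binary = lief.parse(exe)
    # Some lief versions return None instead of raising on unparseable input.
    if binary is None:
        raise ValueError("lief could not parse %r" % exe)
    icons = binary.resources_manager.icons
    # The original indexed icons[0] blindly; an icon-less PE then failed with
    # a bare IndexError that the caller could not tell apart from other errors.
    if not icons:
        raise ValueError("%r contains no icon resources" % exe)
    # Only the first icon is hashed; that is the documented behaviour of the tool.
    icons[0].save(out_path)
    return out_path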
# Generate dhash on the icon previously extracted
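def generate_icon_dhash(exe, hash_size=8):
    """Return the difference hash (dhash) of the first icon in PE file *exe*.

    The icon is extracted to a scratch file, converted to greyscale and
    resized to ``(hash_size + 1) x hash_size`` pixels so that every row gives
    ``hash_size`` left/right neighbour comparisons. Each comparison is one
    bit (1 when the left pixel is brighter than the right one). Bits are
    packed eight at a time, the first comparison of each group landing in
    bit 0 of its byte, and the bytes are rendered as lower-case hex.

    Args:
        exe: Path to the PE file.
        hash_size: Comparisons per row; the default of 8 yields a 64-bit hash.
            Bits that do not fill a whole byte are dropped (unchanged from
            the original), so sizes that are not a multiple of 8 produce a
            truncated hash.

    Returns:
        Hex string of the packed comparison bits.

    Raises:
        Whatever ``extract_icon`` or Pillow raise when *exe* has no usable
        icon. Once the scratch file has been written it is removed even if
        decoding fails, so a failed run does not leave the extracted icon
        behind in the working directory.
    """
    icon_path = "peico.ico"
    extract_icon(exe)
    try:
        # Image.ANTIALIAS was removed in Pillow 10; LANCZOS is the same filter
        # under its current name. The context manager closes the file handle
        # that the original left open; convert() loads the pixel data first.
        with Image.open(icon_path) as opened:
            image = opened.convert("L").resize(
                (hash_size + 1, hash_size),
                Image.LANCZOS,
            )
    finally:
        os.remove(icon_path)

    bits = [
        image.getpixel((col, row)) > image.getpixel((col + 1, row))
        for row in range(hash_size)
        for col in range(hash_size)
    ]
    return _pack_bits(bits)


def _pack_bits(bits):
    """Pack booleans into hex bytes, first bit in bit 0; drops any incomplete byte."""
    hex_bytes = []
    byte = 0
    for index, bit in enumerate(bits):
        if bit:
            byte += 2 ** (index % 8)
        if index % 8 == 7:
            hex_bytes.append("%02x" % byte)
            byte = 0
    return "".join(hex_bytes)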
# main function
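def main():
    """Command-line entry point: print the icon dhash of one PE file."""
    parser = argparse.ArgumentParser(description='Generate icon dhash by Thomas Roccia')
    parser.add_argument("-f", "--file", help="Specify the PE file", required=True)
    args = parser.parse_args()
    # --file is required, so this only skips an explicitly empty value.
    if not args.file:
        return
    try:
        dhash = generate_icon_dhash(args.file)
    except Exception as exc:
        # Narrowed from a bare `except:` so KeyboardInterrupt and SystemExit
        # are no longer swallowed, and the reason is shown so an unparseable
        # file can be told apart from a binary that simply has no icon.
        print("[!] no icon available: %s" % exc)
        return
    print("[+] dhash icon: %s" % dhash)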
# Script entry point; argument parsing and all work live in main().
if __name__ == '__main__':
    main()
@Still34
Still34 commented Jul 23, 2021

I got a completely different hash (dhash=59a88d8c6a4a0118) from the latest WINWORD.exe binary (MD5=2553ac6f04ba8df339f84d46b86ebe6e), which is supposed to have the dhash 9880a5acae8e8198

@fr0gger
Author

fr0gger commented Jul 26, 2021

This is because in some cases, VT is calculating the dhash differently.
