'''
Simple POC for calculating the Export Table Hash by Thomas Roccia | @fr0gger_
Similar to ImpHash, the Export Hash is calculated by extracting the function names from the export table and hashing them.
Exported function names are extracted in order, then all characters are converted to lowercase.
The function names are then joined together with commas and hashed using SHA256.
The hash is dubbed "ExpHash".
Example:
python .\exphash.py .\AppXDeploymentClient.dll
ExpHash: 50644ab76c9421984137aadca2ba9b2883763f0189daf4010a699c490d263a86
'''
import pefile | |
import sys | |
from hashlib import sha256 | |
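def get_exphash(pe):
    """Compute the ExpHash (export table hash) of a parsed PE file.

    Named exports that have an address are collected in export-table order,
    lowercased, joined with "," and hashed with SHA-256.

    Args:
        pe: A parsed ``pefile.PE`` object, or any object exposing
            ``DIRECTORY_ENTRY_EXPORT.symbols`` whose entries carry
            ``address`` and ``name`` (bytes or None).

    Returns:
        A ``(exphash, explist)`` tuple: the hex digest and the list of
        lowercased names that were hashed. When the object has no
        ``DIRECTORY_ENTRY_EXPORT`` attribute the result is ``(None, [])``
        so callers can always unpack two values.
    """
    # The attribute is missing when no export directory was parsed. Returning
    # a tuple (instead of the caught exception object) keeps the return shape
    # stable for callers that unpack it.
    export_dir = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    if export_dir is None:
        return None, []

    explist = []
    for export in export_dir.symbols:
        # Only exports with both an address and a name contribute to the hash.
        if export.address is None or not export.name:
            continue
        # Names come from the analysed file and may not be valid UTF-8.
        # backslashreplace keeps distinct byte sequences distinct and leaves
        # well-formed names unchanged, so existing hashes stay the same.
        funcname = export.name.decode("utf-8", errors="backslashreplace")
        explist.append(funcname.lower())

    # NOTE: an export directory without any named export hashes the empty
    # string, so every such file shares one digest; check explist before
    # treating equal hashes as a relationship between samples.
    exphash = sha256(",".join(explist).encode()).hexdigest()
    return exphash, explist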
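def main():
    """Print the ExpHash of the PE file named on the command line.

    Exits with status 1 when the argument is missing, the file cannot be
    read or parsed as a PE, or no export table is available to hash.
    """
    if len(sys.argv) != 2:
        print("Usage: %s <pe_file>" % sys.argv[0], file=sys.stderr)
        sys.exit(1)

    # The input is typically an untrusted sample; a truncated or malformed
    # file should give a clear error rather than a traceback.
    try:
        pe = pefile.PE(sys.argv[1])
    except (OSError, pefile.PEFormatError) as err:
        print("Cannot parse %s: %s" % (sys.argv[1], err), file=sys.stderr)
        sys.exit(1)

    try:
        result = get_exphash(pe)
    finally:
        pe.close()

    # get_exphash may hand back something other than a (hash, names) tuple
    # when the file has no export directory; do not unpack blindly.
    if not isinstance(result, tuple) or result[0] is None:
        print("No export table found in %s" % sys.argv[1], file=sys.stderr)
        sys.exit(1)

    exphash, explist = result
    print("ExpHash: %s" % exphash)


if __name__ == "__main__":
    main()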