Skip to content
This repository has been archived by the owner on Jun 7, 2023. It is now read-only.

calculate_pehash throws exception for PE+ file format #5

Open
kohnakagawa opened this issue Mar 31, 2020 · 0 comments
Open

calculate_pehash throws exception for PE+ file format #5

kohnakagawa opened this issue Mar 31, 2020 · 0 comments

Comments

@kohnakagawa
Copy link

kohnakagawa commented Mar 31, 2020

According to the current implementation of calculate_pehash, "pad to 16 bits"

# pad to 16 bits
img_chars = bitstring.BitArray(bytes=img_chars.tobytes())
img_chars_xor = img_chars[0:8] ^ img_chars[8:16]
is not properly performed as its comment. If the value of exe.FILE_HEADER.Characteristics is 0x22 (e.g., PE+ EXE), upper 8bits data cannot be accessed, so "ValueError: Bitstrings must have the same length for ^ operator." exception is thrown as follows

                #pad to 16 bits
                img_chars = bitstring.BitArray(bytes=img_chars.tobytes())
-->             img_chars_xor = img_chars[0:8] ^ img_chars[8:16]

/usr/local/lib/python3.5/dist-packages/bitstring-3.1.5-py3.5.egg/bitstring.py in __xor__(self, bs)
   1128         bs = Bits(bs)
   1129         if self.len != bs.len:
-> 1130             raise ValueError("Bitstrings must have the same length "
   1131                              "for ^ operator.")
   1132         s = self._copy()

ValueError: Bitstrings must have the same length for ^ operator.

I think these lines should be fixed as follows.

        #image characteristics
        img_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Characteristics))
        #pad to 16 bits
        # img_chars = bitstring.BitArray(bytes=img_chars.tobytes()) # <- this line do not do 16bits padding
        img_chars = img_chars.bin.zfill(16) # <- correct 16bits padding
        img_chars_xor = img_chars[0:8] ^ img_chars[8:16]

Is this an intended behavior of calculate_pehash function?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant