New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature Request: PE rich header hash #2522

Open

kevross33 opened this issue Mar 14, 2025 · 2 comments

Contributor

kevross33 commented Mar 14, 2025

Within pefile a rich header hash could be implemented for PEs.

It is an interesting pivot point and is supported in VirusTotal (with the MD5 hash of the rich header hash). It can be used as a pivot to find similar authored/created malware https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/, https://www.giac.org/paper/grem/6321/leveraging-pe-rich-header-static-alware-etection-linking/169729

A simple demonstration of this is:

import pefile
binary = pefile.PE("FILENAME.exe")
binary.get_rich_header_hash('md5')
binary.get_rich_header_hash('sha256')

Collaborator

doomedraven commented Mar 14, 2025

"rh_hash": self.get_rh_hash(),

https://github.com/kevoreilly/CAPEv2/blob/master/lib/cuckoo/common/objects.py#L644

Collaborator

doomedraven commented Apr 7, 2025

so does current implementation works for you?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment