This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python | |
# -*- coding: utf-8 -*- | |
# Thomas Roccia | IconDhash.py | |
# pip3 install lief | |
# pip3 install pillow | |
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html | |
import lief | |
import os | |
import argparse | |
from PIL import Image | |
# Extracting first icon available | |
def extract_icon(exe): | |
binary = lief.parse(exe) | |
bin = binary.resources_manager | |
ico = bin.icons | |
ico = ico[0].save("peico.ico") | |
return | |
# Generate dhash on the icon previously extracted | |
def generate_icon_dhash(exe, hash_size = 8): | |
extract_icon(exe) | |
image = Image.open("peico.ico") | |
image = image.convert('L').resize( | |
(hash_size + 1, hash_size), | |
Image.ANTIALIAS, | |
) | |
difference = [] | |
for row in range(hash_size): | |
for col in range(hash_size): | |
pixel_left = image.getpixel((col, row)) | |
pixel_right = image.getpixel((col + 1, row)) | |
difference.append(pixel_left > pixel_right) | |
decimal_value = 0 | |
hex_string = [] | |
for index, value in enumerate(difference): | |
if value: | |
decimal_value += 2**(index % 8) | |
if (index % 8) == 7: | |
hex_string.append(hex(decimal_value)[2:].rjust(2, '0')) | |
decimal_value = 0 | |
os.remove("peico.ico") | |
return ''.join(hex_string) | |
# main function | |
def main(): | |
# select arguments | |
parser = argparse.ArgumentParser(description='Generate icon dhash by Thomas Roccia') | |
parser.add_argument("-f", "--file", help="Specify the PE file", required=True) | |
args = parser.parse_args() | |
if args.file: | |
try: | |
dhash = generate_icon_dhash(args.file) | |
print("[+] dhash icon: %s" % dhash) | |
except: | |
print("[!] no icon available") | |
if __name__ == '__main__': | |
main() |
Correct it was for my test.
I got a completely different hash (dhash=59a88d8c6a4a0118) from the latest WINWORD.exe binary (MD5=2553ac6f04ba8df339f84d46b86ebe6e), which is supposed to have the dhash 9880a5acae8e8198
This is because in some cases, VT is calculating the dhash differently.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
pixels = list(image.getdata())
is unused?