@fr0gger
Last active Sep 4, 2021
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia | IconDhash.py
# pip3 install lief
# pip3 install pillow
# resource: https://www.hackerfactor.com/blog/?/archives/529-Kind-of-Like-That.html
import argparse
import os
import sys
import tempfile

import lief
from PIL import Image
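# Extracting first icon available
def extract_icon(exe, out_path="peico.ico"):
    """Write the first icon resource of PE file *exe* to *out_path* (ICO format).

    Args:
        exe: path to the PE file to parse with lief.
        out_path: destination for the extracted icon. Defaults to
            ``peico.ico`` in the working directory, which is what the
            original version of this script always wrote.

    Raises:
        ValueError: lief could not parse *exe*, or the binary has no icon.
    """
    binary = lief.parse(exe)
    # Recent lief releases return None for an unparsable file instead of
    # raising; without this guard the failure surfaces as an AttributeError.
    if binary is None:
        raise ValueError("not a parsable PE file: %s" % exe)
    icons = binary.resources_manager.icons
    if not icons:
        raise ValueError("no icon resource in %s" % exe)
    # Only the first icon is hashed, as in the original script.
    icons[0].save(out_path)


def _bits_to_hex(bits):
    """Pack a sequence of booleans into a lowercase hex string.

    Bits are grouped eight at a time, least-significant bit first within
    each byte (bit 0 of the group is the 1s bit). A trailing group shorter
    than eight bits is still emitted as one byte.
    """
    out = []
    for start in range(0, len(bits), 8):
        byte = 0
        for offset, bit in enumerate(bits[start:start + 8]):
            if bit:
                byte |= 1 << offset
        out.append("%02x" % byte)
    return "".join(out)


# Generate dhash on the icon previously extracted
def generate_icon_dhash(exe, hash_size=8):
    """Return the difference hash (dhash) of the first icon in PE file *exe*.

    The icon is extracted into a private temporary directory, converted to
    greyscale, resized to ``(hash_size + 1) x hash_size`` and every pixel is
    compared with its right-hand neighbour. The resulting
    ``hash_size * hash_size`` bits are packed LSB-first into bytes and
    returned as lowercase hex (16 characters for the default ``hash_size``).

    Args:
        exe: path to the PE file.
        hash_size: side length of the comparison grid.

    Returns:
        The dhash as a hex string.

    Raises:
        ValueError: *exe* is not parsable or has no icon (from extract_icon).
        OSError: Pillow could not decode the extracted icon.
    """
    # A private temp dir replaces the fixed "peico.ico" in the working
    # directory: concurrent runs (or a leftover file of that name) cannot
    # clobber each other, and cleanup no longer depends on reaching
    # os.remove after a successful decode.
    with tempfile.TemporaryDirectory() as tmp_dir:
        icon_path = os.path.join(tmp_dir, "peico.ico")
        extract_icon(exe, icon_path)
        with Image.open(icon_path) as icon:
            # Image.ANTIALIAS was removed in Pillow 10; LANCZOS is the same filter.
            image = icon.convert("L").resize(
                (hash_size + 1, hash_size),
                Image.LANCZOS,
            )
            # Row-major, left-to-right: same bit order as the original loops.
            bits = [
                image.getpixel((col, row)) > image.getpixel((col + 1, row))
                for row in range(hash_size)
                for col in range(hash_size)
            ]
    return _bits_to_hex(bits)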
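# main function
def main():
    """Parse the command line, hash the icon of the given PE and print it.

    Exits with status 1 when no hash could be produced.
    """
    # select arguments
    parser = argparse.ArgumentParser(description='Generate icon dhash by Thomas Roccia')
    parser.add_argument("-f", "--file", help="Specify the PE file", required=True)
    args = parser.parse_args()
    # --file is required, so argparse already guarantees args.file is set.
    try:
        dhash = generate_icon_dhash(args.file)
    except Exception as exc:
        # Top-level boundary: the original bare ``except:`` reported every
        # failure (missing file, unparsable sample, no icon) as "no icon"
        # and also swallowed KeyboardInterrupt. Name the cause and signal
        # failure through the exit status so batch runs can tell them apart.
        print("[!] no icon available: %s" % exc)
        sys.exit(1)
    print("[+] dhash icon: %s" % dhash)


if __name__ == '__main__':
    main()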
@Still34 Still34 commented Jul 23, 2021

pixels = list(image.getdata()) is unused?

@fr0gger fr0gger commented Jul 23, 2021

Correct, it was for my test.

@Still34 Still34 commented Jul 23, 2021

I got a completely different hash (dhash=59a88d8c6a4a0118) from the latest WINWORD.exe binary (MD5=2553ac6f04ba8df339f84d46b86ebe6e), which is supposed to have the dhash 9880a5acae8e8198

@fr0gger fr0gger commented Jul 26, 2021

This is because in some cases VT calculates the dhash differently.
