#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Thomas Roccia |
# pip3 install lief
# pip3 install pillow
# resource:
import lief
import os
import argparse
from PIL import Image
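def extract_icon(exe, out_path="peico.ico"):
    """Write the first icon resource of a PE file to an .ico file.

    Args:
        exe: Path to the PE file to parse with lief.
        out_path: Destination for the icon. Defaults to ``peico.ico`` in the
            current working directory (the original behaviour); an existing
            file is overwritten.

    Returns:
        The path the icon was written to (``out_path``), so callers do not
        have to hard-code the filename.

    Raises:
        ValueError: if lief cannot parse ``exe``, if it has no resource
            directory, or if it carries no icon resources.

    NOTE(review): ``out_path`` is written with a plain overwrite, not
    create-exclusive, so when hashing untrusted samples keep it in a
    directory only this process can write to.
    """
    binary = lief.parse(exe)
    # lief.parse() returns None (and logs) instead of raising on a file it
    # cannot parse; without this check that surfaces as an AttributeError.
    if binary is None:
        raise ValueError(f"{exe}: lief could not parse this file")
    manager = getattr(binary, "resources_manager", None)
    # How a missing resource directory is reported differs between lief
    # versions (None, an exception, or an error value without attributes);
    # anything that does not expose ``icons`` is treated as "no icons".
    icons = list(getattr(manager, "icons", None) or [])
    if not icons:
        raise ValueError(f"{exe}: no icon resources found")
    # Only the first icon is kept; PE files commonly carry several sizes.
    icons[0].save(out_path)
    return out_path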
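def generate_icon_dhash(exe, hash_size=8):
    """Return the difference hash (dhash) of the first icon in a PE file.

    The icon is extracted with :func:`extract_icon` (which writes
    ``peico.ico`` into the current directory), converted to greyscale and
    downscaled to ``(hash_size + 1) x hash_size``; every pixel is then
    compared with its right-hand neighbour. The ``hash_size ** 2`` booleans
    are packed eight per byte, least-significant bit first, and returned as
    a lowercase hex string.

    Args:
        exe: Path to the PE file.
        hash_size: Side length of the comparison grid; 8 gives the usual
            64-bit / 16-character hash.

    Returns:
        The hex dhash string.

    Raises:
        Whatever :func:`extract_icon` raises when ``exe`` has no usable icon,
        and ``OSError`` (including ``PIL.UnidentifiedImageError``) when the
        extracted data is not a decodable image.

    Note:
        The value depends on the resampling filter used for the downscale
        and on which icon Pillow picks from the .ico container, so it only
        matches another tool's "icon dhash" if that tool uses the same
        pipeline; the discussion on this gist reports that VirusTotal's
        values do not always agree.
    """
    # Always re-extract for *this* file: the previous version never used
    # ``exe`` and hashed whatever peico.ico was left over from an earlier
    # run, silently attributing another sample's icon to this one.
    extract_icon(exe)
    with Image.open("peico.ico") as img:
        # LANCZOS is the filter Pillow used to expose as ANTIALIAS (removed
        # in Pillow 10); changing the filter changes the hash.
        grid = img.convert("L").resize((hash_size + 1, hash_size), Image.LANCZOS)
        bits = [
            grid.getpixel((col, row)) > grid.getpixel((col + 1, row))
            for row in range(hash_size)
            for col in range(hash_size)
        ]
    # Pack whole bytes only: a trailing partial byte (when hash_size ** 2 is
    # not a multiple of 8) is dropped, exactly as the original loop did.
    hex_bytes = []
    for start in range(0, len(bits) - len(bits) % 8, 8):
        value = sum(1 << k for k, bit in enumerate(bits[start:start + 8]) if bit)
        hex_bytes.append(f"{value:02x}")
    return "".join(hex_bytes)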
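def main():
    """CLI entry point: print the icon dhash of the PE file given with -f.

    Returns:
        0 on success, 1 when the file has no usable icon (the message
        ``[!] no icon available`` is printed instead of a hash).
    """
    parser = argparse.ArgumentParser(description='Generate icon dhash by Thomas Roccia')
    parser.add_argument("-f", "--file", help="Specify the PE file", required=True)
    args = parser.parse_args()
    # Fail early with a clear message rather than letting lief return None.
    if not os.path.isfile(args.file):
        parser.error(f"{args.file}: no such file")
    try:
        dhash = generate_icon_dhash(args.file)
    except (IndexError, ValueError, OSError):
        # IndexError/ValueError: no icon resource in the PE;
        # OSError: extracted icon data that Pillow cannot decode.
        print("[!] no icon available")
        return 1
    print(f"[+] dhash icon: {dhash}")
    return 0


if __name__ == '__main__':
    raise SystemExit(main())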
Still34 commented Jul 23, 2021

pixels = list(image.getdata()) is unused?

fr0gger commented Jul 23, 2021

Correct it was for my test.

Still34 commented Jul 23, 2021

I got a completely different hash (dhash=59a88d8c6a4a0118) from the latest WINWORD.exe binary (MD5=2553ac6f04ba8df339f84d46b86ebe6e), which is supposed to have the dhash 9880a5acae8e8198

fr0gger commented Jul 26, 2021

This is because in some cases, VT is calculating the dhash differently.
