├── .gitignore ├── goodimps.db ├── README.txt └── imphash-gen.py /.gitignore: -------------------------------------------------------------------------------- 1 | goodimps - Copy.db -------------------------------------------------------------------------------- /goodimps.db: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/7h3rAm/ImpHash-Generator/master/goodimps.db -------------------------------------------------------------------------------- /README.txt: -------------------------------------------------------------------------------- 1 | # 2 | # IMPHash Generator 3 | # by Florian Roth 4 | # February 2014 5 | # 6 | 7 | This tool generates "PE import hashes" for all executables it finds in the given 8 | directory and marks every import hash as unusable that can also be found in the 9 | goodware-hash-database. 10 | 11 | The goodware hash database contains hash values from: 12 | - Windows 7 64bit system folder 13 | - Cygwin 32 bit 14 | - Office 2012 15 | - Python 2.7 16 | 17 | Typical use cases: 18 | ================================================================================ 19 | 20 | Scan a directory and generate the PE import hashes for all executables in this 21 | directory 22 | 23 | python imphash-gen.py -p X:\MAL\Virus1 24 | 25 | Generate a goodware hash database from my Windows directory: 26 | 27 | python imphash-gen.py --createdb -r -p C:\Windows 28 | 29 | Update the goodware hash database with PE import hashes generated from 30 | executables from the programs folder. 
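31 | 
32 | python imphash-gen.py --updatedb -r -p "C:\Program Files"
--------------------------------------------------------------------------------
/imphash-gen.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# ImpHash Generator
# A Simple PE Import Hash Generator
#
# Florian Roth
# February 2014
# v0.1
#
# Only one coding cookie is honoured by the interpreter (the first one in the
# first two lines), so the second, conflicting cookie of the original header
# was dropped; the file is plain ASCII anyway.

from __future__ import print_function

import argparse
import os
import shelve
import sys
import traceback
from contextlib import closing
from hashlib import md5

import pefile


def getFiles(dir, recursive):
    """Yield the paths of the files below *dir*.

    Args:
        dir: Directory to enumerate.
        recursive: When true, descend into subdirectories (symlinked
            directories are not followed); otherwise list *dir* itself only.
    """
    if recursive:
        for root, _dirs, files in os.walk(dir, followlinks=False):
            for filename in files:
                yield os.path.join(root, filename)
    else:
        for filename in os.listdir(dir):
            filePath = os.path.join(dir, filename)
            # os.walk() only yields regular files; match that here so callers
            # never try to parse a directory entry as a PE file.
            if os.path.isfile(filePath):
                yield filePath


def _getImphash(filePath):
    """Return the import hash of the PE file at *filePath*.

    Raises whatever pefile raises for unreadable or non-PE input (typically
    pefile.PEFormatError); callers decide how to report it.
    """
    pe = pefile.PE(filePath)
    try:
        return pe.get_imphash()
    finally:
        # Newer pefile versions map the file into memory; release it so a
        # large scan does not keep every file handle open until exit.
        close = getattr(pe, "close", None)
        if close is not None:
            close()


def createGoodImps(dir, recursive=False, debug=False):
    """Collect the import hashes of every parseable PE file below *dir*.

    Files pefile cannot parse (non-PE files, unreadable files) are skipped;
    with *debug* set, a traceback is printed for each skipped file instead of
    failing silently. One "." is printed per collected hash as progress.

    Returns:
        list of imphash strings in scan order. Duplicates are kept; the
        caller decides whether to deduplicate before storing them.
    """
    imps = []
    for filePath in getFiles(dir, recursive):
        try:
            imphash = _getImphash(filePath)
        except Exception:
            # Non-PE input is expected in a system folder, so skipping is the
            # normal path; only report it on request.
            if debug:
                print("SKIP: %s" % filePath, file=sys.stderr)
                traceback.print_exc()
            continue
        imps.append(imphash)
        sys.stdout.write(".")
        sys.stdout.flush()
    # Terminate the progress line so the following counts start on a new line.
    if imps:
        sys.stdout.write("\n")
    return imps


def getMd5(filePath):
    """Return the hex MD5 of the file at *filePath*, or "-" if it cannot be read.

    The file is hashed in 1 MiB chunks so large executables are not loaded
    into memory at once. A read failure prints the traceback and returns "-".
    """
    digest = md5()
    try:
        with open(filePath, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                digest.update(chunk)
    except (IOError, OSError):
        traceback.print_exc()
        return "-"
    return digest.hexdigest()


def parseDir(dir, goodimps, recursive, debug=False):
    """Print the import hash of every parseable PE file below *dir*.

    For each file prints "IMP: <imphash> MD5: <md5> FILE: <path>". A hash
    that is also in *goodimps* (the goodware database) is flagged as unusable,
    and a hash already produced by an earlier file of this scan is reported
    together with the MD5 and path of every earlier file sharing it.

    Args:
        dir: Directory to scan.
        goodimps: Iterable of goodware import hashes.
        recursive: Descend into subdirectories when true.
        debug: Print a traceback for each file that could not be parsed.
    """
    # One membership test per file: a set makes it O(1) instead of a linear
    # scan of the (possibly large) goodware list.
    known_good = set(goodimps)
    # imphash -> [(md5, path), ...] of the files seen so far with that hash,
    # in scan order; replaces the per-hit rescan of every file seen so far.
    seen = {}

    for filePath in getFiles(dir, recursive):
        try:
            imphash = _getImphash(filePath)
        except Exception:
            if debug:
                print("SKIP: %s" % filePath, file=sys.stderr)
                traceback.print_exc()
            continue

        md5sum = getMd5(filePath)
        print("IMP: %s MD5: %s FILE: %s" % (imphash, md5sum, filePath))

        if imphash in known_good:
            print("GOOD IMPS - do not use -------------------------------------------")

        earlier = seen.setdefault(imphash, [])
        for otherMd5, otherPath in earlier:
            print(" MATCH with MD5: %s FILE: %s" % (otherMd5, otherPath))
        earlier.append((md5sum, filePath))


def isAscii(b):
    """Return 1 if the single character *b* is printable ASCII (0x20-0x7E), else 0.

    Not used by the script itself; kept for callers that import it.
    """
    return 1 if 31 < ord(b) < 127 else 0


def printWelcome():
    """Print the banner shown at start-up."""
    print("###############################################################################")
    print(" ")
    print(" IMPHASH Generator")
    print(" by Florian Roth")
    print(" January 2014")
    print(" Version 0.6.1")
    print(" ")
    print("###############################################################################")


def _mergeUnique(old, new):
    """Return the hashes of *old* followed by those of *new*, first occurrence only.

    Order is preserved so an existing database keeps its layout; duplicates
    add nothing to a membership lookup and only inflate the stored list.
    """
    merged = []
    seen = set()
    for source in (old, new):
        for imphash in source:
            if imphash not in seen:
                seen.add(imphash)
                merged.append(imphash)
    return merged


# MAIN ################################################################
if __name__ == '__main__':

    # Parse Arguments
    parser = argparse.ArgumentParser(description='ImpHash Generator')
    parser.add_argument('-p', help='Path to scan', metavar='path-to-scan', required=True)
    # NOTE: the database is a shelve, i.e. pickle-backed. Loading it
    # deserializes arbitrary objects, so only open database files that come
    # from a trusted source.
    parser.add_argument('-d', help='Imphash Database File (default: goodimps.db)', metavar='dbfile', default="goodimps.db")
    parser.add_argument('-r', action='store_true', default=False, help='recursive scan')
    parser.add_argument('--createdb', action='store_true', default=False, help='Create good imphashes database')
    parser.add_argument('--updatedb', action='store_true', default=False, help='Update good imphashes database')
    parser.add_argument('--debug', action='store_true', default=False, help='Debug output')

    args = parser.parse_args()

    # Print Welcome
    printWelcome()

    # The three modes are exclusive: the original if/if/else chain also ran
    # the scan after --createdb. When both --createdb and --updatedb are
    # given, --createdb wins.
    if args.createdb:
        # Create DB with good imphashes
        imps = _mergeUnique([], createGoodImps(args.p, args.r, debug=args.debug))
        with closing(shelve.open(args.d)) as goodimps_shelve:
            goodimps_shelve["imps"] = imps
            print("New DB item count: %s" % str(len(imps)))
            goodimps_shelve.sync()

    elif args.updatedb:
        # Update DB with good imphashes
        imps = createGoodImps(args.p, args.r, debug=args.debug)
        with closing(shelve.open(args.d)) as goodimps_shelve:
            old_imps = goodimps_shelve.get("imps", [])
            print("Old DB item count: %s" % str(len(old_imps)))
            new_imps = _mergeUnique(old_imps, imps)
            goodimps_shelve["imps"] = new_imps
            print("New DB item count: %s" % str(len(new_imps)))
            goodimps_shelve.sync()

    else:
        # Create useful Import hashes: read the goodware hashes, then scan.
        # A database without an "imps" entry is treated as empty rather than
        # aborting with a KeyError.
        with closing(shelve.open(args.d)) as goodimps_shelve:
            goodimps = goodimps_shelve.get("imps", [])

        print("Reading DB: %s imphashes found" % str(len(goodimps)))

        # Parse Directory
        parseDir(args.p, goodimps, args.r, debug=args.debug)
--------------------------------------------------------------------------------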