Fileformat does not generate imphash for ELF binaries #286
Comments
I was researching the ELF imphash. From what I've found, this seems like a well-specified algorithm that is already being used (by VirusTotal, for example): Telfhash.
It is certainly possible. However, in that case, I would probably vote for generating it as a separate type of hash, which would allow us to have both imphash (similar to all file types) and telfhash (only for ELFs). Also, whether supporting telfhash is worth the effort is up to discussion. FWIW, here is a Python implementation, which internally uses tlsh (a C++ library and tools, including Python bindings). If we decide to give telfhash a try, we should consider using tlsh so that we do not have to re-implement everything ourselves.
Sure, we can use the telfhash algorithm to create the import string, then hash it with the hashing functions already in use, and if it turns out to be worth it, also implement tlsh or use the existing library. I am unsure whether the tlsh license could be an issue.
Solved in #936. Added hashes:
See these 2 tests for JSON structure.
The problem with generating imphash for ELFs lies in the absence of information about imported libraries. The only information we can obtain is the name of the symbol. Since there are no library names, no imphash is generated because it relies on it. Generating imphash for ELFs requires appropriate modification of the algorithm while retaining the old behavior for PEs and Mach-Os (#285).
I propose leaving the library name out of the hashed data, together with the separator (I think it's `.`). I advise taking care of #285 before this ticket.
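The proposal above (hash the bare symbol names for ELF, keep `library.symbol` for PE and Mach-O) as an added example in Python; this is not fileformat's own code, and the function names (`import_string`, `imphash`, `normalize_library`) and the sample import lists are constructed for illustration. The PE-side normalization assumed here (lowercase everything, strip `.dll`/`.ocx`/`.sys`, join entries with `,`, MD5 the result, keep import order) is the widely used pefile-style convention, not something this thread specifies.

```python
import hashlib
from typing import Iterable, Optional, Tuple

# Hypothetical representation: (library name or None, symbol name).
# PE/Mach-O loaders give us both; ELF dynamic symbol tables give only the symbol.
ImportEntry = Tuple[Optional[str], str]

# Module extensions dropped by the common PE imphash convention (assumption).
_PE_EXTENSIONS = (".dll", ".ocx", ".sys")


def normalize_library(lib: str) -> str:
    """Lowercase the library name and strip the usual PE module extension."""
    lib = lib.lower()
    for ext in _PE_EXTENSIONS:
        if lib.endswith(ext):
            return lib[: -len(ext)]
    return lib


def import_string(entries: Iterable[ImportEntry]) -> str:
    """Build the string that gets hashed.

    PE/Mach-O entries keep the old 'library.symbol' form.
    ELF entries have no library, so the library name AND the '.' separator
    are left out and only the lowercased symbol is used.
    Import order is preserved, as in the classic PE imphash.
    """
    parts = []
    for lib, sym in entries:
        sym = sym.lower()
        parts.append(f"{normalize_library(lib)}.{sym}" if lib else sym)
    return ",".join(parts)


def imphash(entries: Iterable[ImportEntry]) -> Optional[str]:
    """MD5 of the import string, or None when there is nothing to hash."""
    entries = list(entries)
    s = import_string(entries)
    if not s:
        return None
    return hashlib.md5(s.encode("ascii", "replace")).hexdigest()


# Constructed sample inputs (not taken from real binaries).
PE_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
]
ELF_IMPORTS = [
    (None, "puts"),
    (None, "__libc_start_main"),
    (None, "__cxa_finalize"),
]

if __name__ == "__main__":
    print("PE :", import_string(PE_IMPORTS), "->", imphash(PE_IMPORTS))
    print("ELF:", import_string(ELF_IMPORTS), "->", imphash(ELF_IMPORTS))
```

Because the ELF string drops the `lib.` prefix entirely, two ELF binaries that import the same symbols in the same order hash identically regardless of which shared objects those symbols eventually resolve to; that is the trade-off the proposal accepts, and it is also why a separate, order-insensitive telfhash could still be worth adding later.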