Fix bug while calculating the imphash in PE files.

When the file imported DLLs that contained a dot (.) in its name, like `glib-2.0.dll`, the file extension was not properly removed, causing the the imphash to be wrong.
VirusTotal · Nov 17, 2023 · 01032a6 · 01032a6
1 parent aa0d7a2
commit 01032a6
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 1 deletion.
diff --git a/libyara/modules/pe/pe.c b/libyara/modules/pe/pe.c
@@ -2730,7 +2730,7 @@ define_function(imphash)
 
     // If extension is 'ocx', 'sys' or 'dll', chop it.
 
-    char* ext = strstr(dll->name, ".");
+    char* ext = strrchr(dll->name, '.');
 
     if (ext &&
         (strncasecmp(ext, ".ocx", 4) == 0 || strncasecmp(ext, ".sys", 4) == 0 ||

diff --git a/tests/BUILD.bazel b/tests/BUILD.bazel
@@ -119,6 +119,7 @@ cc_test(
         "data/ChipTune.efi",
         "data/c6f9709feccf42f2d9e22057182fe185f177fb9daaa2649b4669a24f2ee7e3ba_0h_410h",
         "data/ca21e1c32065352d352be6cde97f89c141d7737ea92434831f998080783d5386",
+        "data/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345",
         "data/mtxex.dll",
         "data/mtxex_modified_rsrc_rva.dll",
         "data/pe_imports",

diff --git a/tests/data/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345 b/tests/data/e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345
diff --git a/tests/test-pe.c b/tests/test-pe.c
@@ -276,6 +276,15 @@ int main(int argc, char** argv)
       }",
       "tests/data/tiny_empty_import_name");
 
+  assert_true_rule_file(
+      "import \"pe\" \
+      rule test { \
+        condition: \
+          pe.imphash() == \"d49b7870cb53f29ec3f42b11cc8bea8b\" \
+      }",
+      "tests/data/"
+      "e3d45a2865818756068757d7e319258fef40dad54532ee4355b86bc129f27345");
+
 #endif
 
 #if defined(HAVE_LIBCRYPTO)