This repository was archived by the owner on Jun 7, 2023. It is now read-only.
This repository was archived by the owner on Jun 7, 2023. It is now read-only.
calculate_pehash throws exception for PE+ file format #5
Description
According to the current implementation of calculate_pehash, "pad to 16 bits"
viper-modules/pehash/pehasher.py
Lines 25 to 28 in d21d555
exe.FILE_HEADER.Characteristics is 0x22 (e.g., PE+ EXE), upper 8bits data cannot be accessed, so "ValueError: Bitstrings must have the same length for ^ operator." exception is thrown as follows
#pad to 16 bits
img_chars = bitstring.BitArray(bytes=img_chars.tobytes())
--> img_chars_xor = img_chars[0:8] ^ img_chars[8:16]
/usr/local/lib/python3.5/dist-packages/bitstring-3.1.5-py3.5.egg/bitstring.py in __xor__(self, bs)
1128 bs = Bits(bs)
1129 if self.len != bs.len:
-> 1130 raise ValueError("Bitstrings must have the same length "
1131 "for ^ operator.")
1132 s = self._copy()
ValueError: Bitstrings must have the same length for ^ operator.
I think these lines should be fixed as follows.
#image characteristics
img_chars = bitstring.BitArray(hex(exe.FILE_HEADER.Characteristics))
#pad to 16 bits
# img_chars = bitstring.BitArray(bytes=img_chars.tobytes()) # <- this line do not do 16bits padding
img_chars = img_chars.bin.zfill(16) # <- correct 16bits padding
img_chars_xor = img_chars[0:8] ^ img_chars[8:16]Is this an intended behavior of calculate_pehash function?