
Commit f7e3457

committed
peview: Add prodid case for exports, Add hashing improvements, Add hashing error messages
1 parent 4e73013 commit f7e3457


5 files changed

+246
-74
lines changed


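--- a/tools/peview/hashprp.c
+++ b/tools/peview/hashprp.c
@@ -36,6 +36,30 @@ typedef struct _PVP_HASH_CONTEXT
 PVOID Hash;
 } PVP_HASH_CONTEXT, *PPVP_HASH_CONTEXT;
 
+typedef enum _PV_HASHLIST_CATEGORY
+{
+PV_HASHLIST_CATEGORY_FILEHASH,
+PV_HASHLIST_CATEGORY_IMPORTHASH,
+PV_HASHLIST_CATEGORY_FUZZYHASH,
+PV_HASHLIST_CATEGORY_MAXIMUM
+} PV_HASHLIST_CATEGORY;
+
+typedef enum _PV_HASHLIST_INDEX
+{
+PV_HASHLIST_INDEX_CRC32,
+PV_HASHLIST_INDEX_MD5,
+PV_HASHLIST_INDEX_SHA1,
+PV_HASHLIST_INDEX_SHA256,
+PV_HASHLIST_INDEX_SHA348,
+PV_HASHLIST_INDEX_SHA512,
+PV_HASHLIST_INDEX_AUTHENTIHASH,
+PV_HASHLIST_INDEX_IMPHASH,
+PV_HASHLIST_INDEX_IMPHASHMSFT,
+PV_HASHLIST_INDEX_SSDEEP,
+PV_HASHLIST_INDEX_TLSH,
+PV_HASHLIST_INDEX_MAXIMUM
+} PV_HASHLIST_INDEX;
+
 NTSTATUS fuzzy_hash_file(
 _In_ HANDLE FileHandle,
 _Out_ PPH_STRING* HashResult
@@ -446,8 +470,8 @@ VOID PvpPeEnumFileHashes(
 )
 {
 ULONG count = 0;
-INT lvItemIndex;
 HANDLE fileHandle;
+INT lvItemIndex;
 PPH_STRING crc32HashString = NULL;
 PPH_STRING md5HashString = NULL;
 PPH_STRING sha1HashString = NULL;
@@ -462,9 +486,9 @@ VOID PvpPeEnumFileHashes(
 WCHAR number[PH_PTR_STR_LEN_1];
 
 ListView_EnableGroupView(ListViewHandle, TRUE);
-PhAddListViewGroup(ListViewHandle, 0, L"File hashes");
-PhAddListViewGroup(ListViewHandle, 1, L"Import hashes");
-PhAddListViewGroup(ListViewHandle, 2, L"Fuzzy hashes");
+PhAddListViewGroup(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, L"File hashes");
+PhAddListViewGroup(ListViewHandle, PV_HASHLIST_CATEGORY_IMPORTHASH, L"Import hashes");
+PhAddListViewGroup(ListViewHandle, PV_HASHLIST_CATEGORY_FUZZYHASH, L"Fuzzy hashes");
 
 if (NT_SUCCESS(PhCreateFileWin32(
 &fileHandle,
@@ -473,7 +497,7 @@ VOID PvpPeEnumFileHashes(
 FILE_ATTRIBUTE_NORMAL,
 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
 FILE_OPEN,
-FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT
+FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY
 )))
 {
 impMsftHashString = PvpGetMappedImageImphashMsft(fileHandle);
@@ -488,136 +512,179 @@ VOID PvpPeEnumFileHashes(
 &sha512HashString
 );
 
-//LARGE_INTEGER filePosition;
-//filePosition.QuadPart = 0;
-//PhSetFilePosition(fileHandle, &filePosition);
-//
-//fuzzy_hash_file(fileHandle, &ssdeepHashString);
-
-fuzzy_hash_buffer(
-PvMappedImage.ViewBase,
-PvMappedImage.Size,
-&ssdeepHashString
-);
+PhSetFilePosition(fileHandle, NULL);
+fuzzy_hash_file(fileHandle, &ssdeepHashString);
 
-PvGetTlshBufferHash(
-PvMappedImage.ViewBase,
-PvMappedImage.Size,
-&tlshHashString
-);
+PhSetFilePosition(fileHandle, NULL);
+PvGetTlshFileHash(fileHandle, &tlshHashString);
 
 NtClose(fileHandle);
 }
 
-if (!PhIsNullOrEmptyString(crc32HashString))
+if (PhIsNullOrEmptyString(ssdeepHashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
+fuzzy_hash_buffer(PvMappedImage.ViewBase, PvMappedImage.Size, &ssdeepHashString);
+}
+
+if (PhIsNullOrEmptyString(tlshHashString))
+{
+PvGetTlshBufferHash(PvMappedImage.ViewBase, PvMappedImage.Size, &tlshHashString);
+}
 
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"CRC32");
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_CRC32, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"CRC32");
+
+if (!PhIsNullOrEmptyString(crc32HashString))
+{
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(crc32HashString));
 PhDereferenceObject(crc32HashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_MD5, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"MD5");
 
 if (!PhIsNullOrEmptyString(md5HashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"MD5");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(md5HashString));
 PhDereferenceObject(md5HashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_SHA1, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-1");
 
 if (!PhIsNullOrEmptyString(sha1HashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-1");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(sha1HashString));
 PhDereferenceObject(sha1HashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_SHA256, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-256");
 
 if (!PhIsNullOrEmptyString(sha2HashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-256");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(sha2HashString));
 PhDereferenceObject(sha2HashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_SHA348, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-384");
 
 if (!PhIsNullOrEmptyString(sha384HashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-384");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(sha384HashString));
 PhDereferenceObject(sha384HashString);
 }
+else
+{
+
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_SHA512, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-512");
 
 if (!PhIsNullOrEmptyString(sha512HashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SHA-512");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(sha512HashString));
 PhDereferenceObject(sha512HashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FILEHASH, PV_HASHLIST_INDEX_AUTHENTIHASH, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"Authentihash");
 
 if (authentihashString = PvpGetMappedImageAuthentihash())
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 0, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"Authentihash");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(authentihashString));
 PhDereferenceObject(authentihashString);
 }
-
-if (imphashString = PvpGetMappedImageImphash())
+else
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 1, MAXINT, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
 
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"Imphash");
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_IMPORTHASH, PV_HASHLIST_INDEX_IMPHASH, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"Imphash");
+
+if (imphashString = PvpGetMappedImageImphash())
+{
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(imphashString));
 PhDereferenceObject(imphashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_IMPORTHASH, PV_HASHLIST_INDEX_IMPHASHMSFT, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"Imphash (msft)");
 
 if (!PhIsNullOrEmptyString(impMsftHashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 1, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"Imphash (msft)");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(impMsftHashString));
 PhDereferenceObject(impMsftHashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FUZZYHASH, PV_HASHLIST_INDEX_SSDEEP, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SSDEEP");
 
 if (!PhIsNullOrEmptyString(ssdeepHashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 2, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"SSDEEP");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(ssdeepHashString));
 PhDereferenceObject(ssdeepHashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
+
+PhPrintUInt32(number, ++count);
+lvItemIndex = PhAddListViewGroupItem(ListViewHandle, PV_HASHLIST_CATEGORY_FUZZYHASH, PV_HASHLIST_INDEX_TLSH, number, NULL);
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"TLSH");
 
 if (!PhIsNullOrEmptyString(tlshHashString))
 {
-PhPrintUInt32(number, ++count);
-lvItemIndex = PhAddListViewGroupItem(ListViewHandle, 2, MAXINT, number, NULL);
-
-PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, L"TLSH");
 PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(tlshHashString));
 PhDereferenceObject(tlshHashString);
 }
+else
+{
+PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, L"ERROR");
+}
 }
 
 typedef struct _PV_PE_HASH_CONTEXT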
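Review bot: The new enumerator `PV_HASHLIST_INDEX_SHA348` in the first hunk is named inconsistently with the `L"SHA-384"` label it is paired with at new line 592 of the last hunk; renaming it `PV_HASHLIST_INDEX_SHA384` now, before other code keys off it, stops the transposition from spreading. In the same last hunk the `else` branch for the SHA-384 row (new lines 600-603) carries a stray blank line that none of the other `L"ERROR"` branches have. The new fallback path — `fuzzy_hash_file`/`PvGetTlshFileHash` on the handle, then `fuzzy_hash_buffer`/`PvGetTlshBufferHash` over `PvMappedImage` when the result is empty — presents both outcomes identically in the list, so if the mapped view is not byte-identical to the on-disk file (I cannot tell from here) an analyst pivoting on the fuzzy hash cannot know which input produced it; a comment such as `// fallback: hash the mapped view when file-based hashing produced nothing` at new line 524 would at least make the path visible. PvpPeEnumFileHashes begins outside the visible hunks.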

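--- a/tools/peview/richprp.c
+++ b/tools/peview/richprp.c
@@ -60,6 +60,8 @@ PWSTR PvpGetProductIdComponent(
 {
 switch (ProductId)
 {
+case prodidUnknown: // linker generated unnamed ordinal export stubs with RVAs of zero?
+return L"Linker generated export object";
 case prodidImport0:
 return L"Linker generated import object";
 case prodidResource: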
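Review bot: The added `case prodidUnknown` returns the definite label `L"Linker generated export object"` while the comment beside it ends in a question mark, so the UI asserts more than the author knows. Since prodidUnknown is, by its own name, the unidentified value, a label that preserves that uncertainty — e.g. `return L"Unknown (possibly linker generated export object)";` — keeps analysts reading the Rich header from treating a guess as an identification. The switch in PvpGetProductIdComponent continues outside the hunk.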

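--- a/tools/peview/ssdeep/fuzzy.c
+++ b/tools/peview/ssdeep/fuzzy.c
@@ -690,7 +690,7 @@ NTSTATUS fuzzy_hash_filename(
 FILE_ATTRIBUTE_NORMAL,
 FILE_SHARE_READ | FILE_SHARE_WRITE,
 FILE_OPEN,
-FILE_SYNCHRONOUS_IO_NONALERT
+FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY
 );
 
 if (NT_SUCCESS(status))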
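Review bot: The open at line 693 now carries the same create options as the hashprp.c open, but the share mode at line 691 still admits concurrent writers (`FILE_SHARE_READ | FILE_SHARE_WRITE`), so the bytes can change between reads and the resulting fuzzy hash may not correspond to any single on-disk state. That is a defensible choice for hashing files that are in use, but it deserves a comment on the share-mode line, e.g. `// shared for write so in-use files can be hashed; the result is not stable if the file is being modified`. fuzzy_hash_filename's body continues outside the hunk.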
