or run

npx @tessl/cli init
Log in

Version

Tile

Overview

Evals

Files

Files

docs

data-access.mddebug.mdhashing.mdimport-export.mdindex.mdmemory.mdordinal-lookups.mdpacker-detection.mdpe-parsing.mdresources.mdsections.md

hashing.mddocs/

0
# Hash and Verification
1


2
Checksum verification and various hash calculation methods for file integrity and identification. These functions provide cryptographic and structural hashes for PE files.
3


4
## Capabilities
5


6
### Checksum Operations
7


8
Verify and generate PE file checksums for integrity validation.
9


10
```python { .api }
11
def verify_checksum(self):
12
    """
13
    Verify PE file checksum against calculated checksum.
14
    
15
    Returns:
16
        bool: True if checksum is valid, False otherwise
17
        
18
    Note:
19
        Compares the checksum in the optional header with the
20
        calculated checksum of the entire file.
21
    """
22


23
def generate_checksum(self):
24
    """
25
    Calculate PE file checksum.
26
    
27
    Returns:
28
        int: Calculated checksum value
29
        
30
    Note:
31
        Uses the standard PE checksum algorithm which sums
32
        all words in the file while excluding the checksum field.
33
    """
34
```
35


36
### Rich Header Hashing
37


38
Generate hash of Rich header for compiler identification.
39


40
```python { .api }
41
def get_rich_header_hash(self, algorithm="md5"):
42
    """
43
    Get hash of Rich header data.
44
    
45
    Args:
46
        algorithm (str): Hash algorithm to use ("md5", "sha1", "sha256")
47
        
48
    Returns:
49
        str: Hex-encoded hash of Rich header, or None if no Rich header
50
        
51
    Note:
52
        Rich header contains compiler and linker information.
53
        Hash can be used to identify build toolchain.
54
    """
55
```
56


57
## Usage Examples
58


59
### Checksum Verification
60


61
```python
62
import pefile
63


64
with pefile.PE('executable.exe') as pe:
65
    # Get stored checksum
66
    stored_checksum = pe.OPTIONAL_HEADER.CheckSum
67
    print(f"Stored checksum: 0x{stored_checksum:08x}")
68
    
69
    # Calculate actual checksum
70
    calculated_checksum = pe.generate_checksum()
71
    print(f"Calculated checksum: 0x{calculated_checksum:08x}")
72
    
73
    # Verify checksum
74
    is_valid = pe.verify_checksum()
75
    print(f"Checksum valid: {is_valid}")
76
    
77
    if not is_valid:
78
        print("Warning: File checksum is invalid!")
79
        print("This could indicate file corruption or modification.")
80
```
81


82
### Rich Header Analysis
83


84
```python
85
import pefile
86


87
with pefile.PE('executable.exe') as pe:
88
    # Check if Rich header is present
89
    if hasattr(pe, 'RICH_HEADER'):
90
        print("Rich Header Analysis:")
91
        print("-" * 30)
92
        
93
        rich_header = pe.RICH_HEADER
94
        
95
        # Display Rich header information
96
        if hasattr(rich_header, 'checksum'):
97
            print(f"Checksum: 0x{rich_header.checksum:08x}")
98
        
99
        if hasattr(rich_header, 'values'):
100
            print(f"Number of entries: {len(rich_header.values)}")
101
            
102
            print("\nCompiler/Tool Information:")
103
            for i, entry in enumerate(rich_header.values):
104
                if hasattr(entry, 'id') and hasattr(entry, 'version') and hasattr(entry, 'times'):
105
                    print(f"  Entry {i}: ID=0x{entry.id:04x}, Version={entry.version}, Count={entry.times}")
106
        
107
        # Generate Rich header hashes
108
        hash_algorithms = ['md5', 'sha1', 'sha256']
109
        print("\nRich Header Hashes:")
110
        
111
        for algorithm in hash_algorithms:
112
            try:
113
                hash_value = pe.get_rich_header_hash(algorithm)
114
                if hash_value:
115
                    print(f"  {algorithm.upper()}: {hash_value}")
116
                else:
117
                    print(f"  {algorithm.upper()}: Not available")
118
            except Exception as e:
119
                print(f"  {algorithm.upper()}: Error - {e}")
120
    else:
121
        print("No Rich header found")
122
```
123


124
### File Integrity Check
125


126
```python
127
import pefile
128
import hashlib
129


130
def comprehensive_hash_analysis(filename):
131
    """Perform comprehensive hash analysis of PE file."""
132
    print(f"Hash Analysis: {filename}")
133
    print("=" * 50)
134
    
135
    # Read file data
136
    with open(filename, 'rb') as f:
137
        file_data = f.read()
138
    
139
    # Calculate file hashes
140
    print("File Hashes:")
141
    print("-" * 20)
142
    print(f"MD5: {hashlib.md5(file_data).hexdigest()}")
143
    print(f"SHA1: {hashlib.sha1(file_data).hexdigest()}")
144
    print(f"SHA256: {hashlib.sha256(file_data).hexdigest()}")
145
    
146
    # PE-specific hashes
147
    with pefile.PE(filename) as pe:
148
        print(f"\nPE Checksum: 0x{pe.OPTIONAL_HEADER.CheckSum:08x}")
149
        print(f"Calculated Checksum: 0x{pe.generate_checksum():08x}")
150
        print(f"Checksum Valid: {pe.verify_checksum()}")
151
        
152
        # Import/Export hashes
153
        imphash = pe.get_imphash()
154
        if imphash:
155
            print(f"Import Hash: {imphash}")
156
        
157
        exphash = pe.get_exphash()
158
        if exphash:
159
            print(f"Export Hash: {exphash}")
160
        
161
        # Rich header hash
162
        rich_hash = pe.get_rich_header_hash()
163
        if rich_hash:
164
            print(f"Rich Header Hash: {rich_hash}")
165
        
166
        # Section hashes
167
        print(f"\nSection Hashes:")
168
        print("-" * 20)
169
        for section in pe.sections:
170
            name = section.Name.decode('utf-8').strip('\x00')
171
            sha256 = section.get_hash_sha256()
172
            print(f"{name:<10}: {sha256}")
173


174
# Usage
175
comprehensive_hash_analysis('executable.exe')
176
```
177


178
### Malware Family Identification
179


180
```python
181
import pefile
182
from collections import defaultdict
183


184
def analyze_malware_hashes(file_list):
185
    """Group files by similar hash characteristics."""
186
    hash_groups = defaultdict(list)
187
    
188
    print("Malware Hash Analysis:")
189
    print("=" * 40)
190
    
191
    for filename in file_list:
192
        try:
193
            with pefile.PE(filename) as pe:
194
                # Get various hashes
195
                imphash = pe.get_imphash()
196
                rich_hash = pe.get_rich_header_hash()
197
                
198
                # Create hash signature
199
                signature = f"{imphash or 'None'}:{rich_hash or 'None'}"
200
                hash_groups[signature].append(filename)
201
                
202
                print(f"\n{filename}:")
203
                print(f"  Import Hash: {imphash or 'None'}")
204
                print(f"  Rich Header Hash: {rich_hash or 'None'}")
205
                
206
        except Exception as e:
207
            print(f"Error analyzing {filename}: {e}")
208
    
209
    # Display potential families
210
    print(f"\n\nPotential Malware Families:")
211
    print("-" * 30)
212
    
213
    for signature, files in hash_groups.items():
214
        if len(files) > 1:  # Only show groups with multiple files
215
            imphash, rich_hash = signature.split(':')
216
            print(f"\nFamily (Import: {imphash}, Rich: {rich_hash}):")
217
            for filename in files:
218
                print(f"  - {filename}")
219


220
# Usage example
221
malware_files = [
222
    'sample1.exe', 
223
    'sample2.exe', 
224
    'sample3.exe'
225
]
226
analyze_malware_hashes(malware_files)
227
```