Breaking Imphash
Chris Balles, Ateeq Sharfuddin

TL;DR
This paper introduces a novel algorithm that creates derivative PE files with different imphashes, effectively bypassing signature-based detection methods that rely on imphash for identifying PE files.
Contribution
The paper presents a new algorithm to generate PE file derivatives with altered imphashes, challenging the assumption that imphash modification is computationally expensive.
Findings
The algorithm successfully produces PE files with different imphashes from original files.
It defeats existing signature-based detection relying on imphash.
The approach is straightforward and feasible for practical use.
Abstract
There are numerous schemes to generically signature artifacts. We specifically consider how to circumvent signatures based on imphash. Imphash is used to signature Portable Executable (PE) files; the imphash of a PE file is an MD5 digest over all the symbols that the PE file imports. Imphash has been used in numerous cases to accurately tie a PE file seen in one environment to PE files in other environments, although each of these PE files' contents was different. An argument made for imphash is that alteration of the imphashes of derived PE file artifacts is unlikely since it is an expensive process, such that you would need to either modify the source code and recompile or relink in a different order. Nevertheless, we present a novel algorithm that generates derivative PE files such that their imphash is different from that of the original PE file. This straightforward algorithm produces feasible…
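To make concrete what the abstract means by "an MD5 digest over all the symbols that PE file imports", here is an added example (not code from the paper) that computes an imphash from an import table the way the widely used pefile library does: library names lowercased with their extension stripped, each entry rendered as lib.symbol, joined by commas in import-table order, then MD5'd. The import tables are constructed sample data, and the ordinal handling is simplified relative to pefile (see the comment).

```python
import hashlib

# Constructed sample import tables: (DLL name, symbol) pairs as read from a
# PE import directory. A symbol is a function name, or an int ordinal for
# name-less imports.
ORIGINAL = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("USER32.dll", "MessageBoxA"),
]
# Same imports in a different order: the relink-order case from the abstract.
REORDERED = [ORIGINAL[1], ORIGINAL[0], ORIGINAL[2]]
# Same imports with different casing: normalised away, so the hash is stable.
RECASED = [(d.upper(), s.upper()) for d, s in ORIGINAL]


def canonical_imports(imports):
    """Build the string imphash is computed over, following the pefile
    convention: lowercase, '.dll'/'.ocx'/'.sys' stripped from the library
    name, entries rendered as 'lib.symbol' and comma-joined in table order."""
    parts = []
    for dll, sym in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        if isinstance(sym, int):
            # pefile maps known ordinals of a few libraries (e.g. ws2_32) back
            # to names; this simplified version always emits ordN.
            name = f"ord{sym}"
        else:
            name = sym.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 hex digest of the canonical import string."""
    return hashlib.md5(canonical_imports(imports).encode()).hexdigest()


def same_imphash(a, b):
    """True when two import tables produce the same imphash."""
    return imphash(a) == imphash(b)


if __name__ == "__main__":
    print(canonical_imports(ORIGINAL))
    print("original :", imphash(ORIGINAL))
    print("recased  :", imphash(RECASED), "(same: case is normalised)")
    print("reordered:", imphash(REORDERED), "(differs: order is hashed)")
```

For detection engineers the takeaway is which properties imphash does and does not normalise: casing and file extension are canonicalised, but import order and the exact symbol set are not, so an imphash signature is only as stable as the import table it was taken from.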
Taxonomy
Topics: Advanced Data Storage Technologies · Digital and Cyber Forensics · Software System Performance and Reliability
