Imphashes.

By King’ori Mathenge.

Imphashes (import hashes) are hash values calculated over the import tables of Portable Executable (PE) files. PE files are files that store executable code or the essential data required to run a program; the most common extensions are .exe and .dll, and those are the focus of this excerpt. Executable files require functions that allow them to interact with the host operating system. These functions are held in shared libraries rather than in the executable itself, so executables stay less bulky: they do not have to embed such functions, since they can borrow (import) them. It also allows for a level of standardization. The creators of Windows, or of any other operating system, ship these libraries as standard, so developers can create programs that they are certain will work across multiple computer systems running the same underlying operating system.

All executable files, including malware, require such functions in order to work seamlessly. Of most interest here is the imphash. As mentioned before, this is the hash of the Import Address Table (IAT). Consider a program written in a high-level language. If we were to view its source code, we would see a series of functions laid out in the syntax of that language. The source code details a series of processes that have to take place, and may involve importing functions from outside the program itself. These functions have to be imported in the systematic manner the source code lays out. It is this systematic manner, which libraries are accessed and which functions are imported, that forms the Import Address Table. The imphash therefore captures both the functions imported and the order in which they are imported.
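As an added example (not part of the original post), here is the calculation in Python following the convention used by the pefile library: each import becomes the lowercase library name without its extension, a dot, and the lowercase function name (or ord<N> for an ordinal import); the entries are joined with commas in table order, and the result is MD5-hashed. The import list below is constructed, not taken from a real file, and pefile's extra step of resolving well-known ordinals to names is omitted.

```python
import hashlib

# Constructed sample: the import table of a hypothetical PE, as (DLL, symbol)
# pairs in the order the file lists them. An ordinal import carries an int.
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "LoadLibraryA"),
    ("ADVAPI32.dll", "RegOpenKeyExA"),
    ("CUSTOMLIB.dll", 115),  # hypothetical DLL, imported by ordinal only
]


def normalize_import(dll, symbol):
    """Normalize one import the way a pefile-style imphash does: lowercase
    DLL name with a .dll/.ocx/.sys extension stripped, a dot, then the
    lowercase function name, or ord<N> for an ordinal import."""
    lib = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if lib.endswith(ext):
            lib = lib[: -len(ext)]
            break
    if isinstance(symbol, int):
        return f"{lib}.ord{symbol}"
    return f"{lib}.{symbol.lower()}"


def import_string(imports):
    """Comma-joined normalized imports in table order; order is significant,
    so the same imports in a different order give a different imphash."""
    return ",".join(normalize_import(dll, sym) for dll, sym in imports)


def imphash(imports):
    """MD5 hex digest of the normalized import string: the imphash."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def same_imphash(imports_a, imports_b):
    """True when two import tables normalize to the same imphash, e.g. two
    builds of one program with identical import tables but different bytes."""
    return imphash(imports_a) == imphash(imports_b)


if __name__ == "__main__":
    print(import_string(SAMPLE_IMPORTS))
    print(imphash(SAMPLE_IMPORTS))
    # Reordering the same imports changes the hash.
    print(same_imphash(SAMPLE_IMPORTS, list(reversed(SAMPLE_IMPORTS))))
```

For a real file, `pefile.PE(path).get_imphash()` computes the same value from the binary's import directory. Packed samples usually expose only the packer stub's imports, so an imphash match between packed files reflects the packer rather than the payload.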

Why is the hashing of IATs important?

Ordinary hashing of whole files is the norm and is more commonly known. However, if we were to hash two executable files that have the same functionality and import the same libraries and functions, but are written in different styles or languages, their file hashes would be different. Yet they import the same functions.

IAT hashing is therefore important in malware analysis for identifying executables with the same level of functionality. Platforms like VirusTotal already provide a way to calculate imphashes.

For organizations and companies that maintain databases of known malware keyed by hash value, imphashes can be an additional data set to check against.