exe/
imphash.rs

//! Ordinal-to-name lookup tables needed by the imphash algorithm. The module exports a
//! single function, `imphash_resolve`, which resolves an import-by-ordinal through them.
3use std::collections::HashMap;
4use std::convert::AsRef;
5
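/// imphash ordinal-to-name table for `ws2_32.dll`; `imphash_resolve` also uses it for
/// `wsock32.dll`.
///
/// imphash is computed over import *names*, so an import made by ordinal has to be mapped
/// back to a name before hashing. Every entry here feeds directly into the hash: changing
/// one changes the imphash of every sample that imports that ordinal, and the value stops
/// matching what other imphash implementations report for the same file.
/// NOTE(review): presumably mirrors pefile's `ordlookup` table for ws2_32 — confirm against
/// the upstream copy before editing.
///
/// Entries are in ascending ordinal order with no duplicates. Ordinals that are absent
/// (for example 100) are resolved by `imphash_resolve` to the `ord<N>` placeholder.
const WS2_32_ORDINALS: &[(u32, &str)] = &[
    (1, "accept"),
    (2, "bind"),
    (3, "closesocket"),
    (4, "connect"),
    (5, "getpeername"),
    (6, "getsockname"),
    (7, "getsockopt"),
    (8, "htonl"),
    (9, "htons"),
    (10, "ioctlsocket"),
    (11, "inet_addr"),
    (12, "inet_ntoa"),
    (13, "listen"),
    (14, "ntohl"),
    (15, "ntohs"),
    (16, "recv"),
    (17, "recvfrom"),
    (18, "select"),
    (19, "send"),
    (20, "sendto"),
    (21, "setsockopt"),
    (22, "shutdown"),
    (23, "socket"),
    (24, "GetAddrInfoW"),
    (25, "GetNameInfoW"),
    (26, "WSApSetPostRoutine"),
    (27, "FreeAddrInfoW"),
    (28, "WPUCompleteOverlappedRequest"),
    (29, "WSAAccept"),
    (30, "WSAAddressToStringA"),
    (31, "WSAAddressToStringW"),
    (32, "WSACloseEvent"),
    (33, "WSAConnect"),
    (34, "WSACreateEvent"),
    (35, "WSADuplicateSocketA"),
    (36, "WSADuplicateSocketW"),
    (37, "WSAEnumNameSpaceProvidersA"),
    (38, "WSAEnumNameSpaceProvidersW"),
    (39, "WSAEnumNetworkEvents"),
    (40, "WSAEnumProtocolsA"),
    (41, "WSAEnumProtocolsW"),
    (42, "WSAEventSelect"),
    (43, "WSAGetOverlappedResult"),
    (44, "WSAGetQOSByName"),
    (45, "WSAGetServiceClassInfoA"),
    (46, "WSAGetServiceClassInfoW"),
    (47, "WSAGetServiceClassNameByClassIdA"),
    (48, "WSAGetServiceClassNameByClassIdW"),
    (49, "WSAHtonl"),
    (50, "WSAHtons"),
    (51, "gethostbyaddr"),
    (52, "gethostbyname"),
    (53, "getprotobyname"),
    (54, "getprotobynumber"),
    (55, "getservbyname"),
    (56, "getservbyport"),
    (57, "gethostname"),
    (58, "WSAInstallServiceClassA"),
    (59, "WSAInstallServiceClassW"),
    (60, "WSAIoctl"),
    (61, "WSAJoinLeaf"),
    (62, "WSALookupServiceBeginA"),
    (63, "WSALookupServiceBeginW"),
    (64, "WSALookupServiceEnd"),
    (65, "WSALookupServiceNextA"),
    (66, "WSALookupServiceNextW"),
    (67, "WSANSPIoctl"),
    (68, "WSANtohl"),
    (69, "WSANtohs"),
    (70, "WSAProviderConfigChange"),
    (71, "WSARecv"),
    (72, "WSARecvDisconnect"),
    (73, "WSARecvFrom"),
    (74, "WSARemoveServiceClass"),
    (75, "WSAResetEvent"),
    (76, "WSASend"),
    (77, "WSASendDisconnect"),
    (78, "WSASendTo"),
    (79, "WSASetEvent"),
    (80, "WSASetServiceA"),
    (81, "WSASetServiceW"),
    (82, "WSASocketA"),
    (83, "WSASocketW"),
    (84, "WSAStringToAddressA"),
    (85, "WSAStringToAddressW"),
    (86, "WSAWaitForMultipleEvents"),
    (87, "WSCDeinstallProvider"),
    (88, "WSCEnableNSProvider"),
    (89, "WSCEnumProtocols"),
    (90, "WSCGetProviderPath"),
    (91, "WSCInstallNameSpace"),
    (92, "WSCInstallProvider"),
    (93, "WSCUnInstallNameSpace"),
    (94, "WSCUpdateProvider"),
    (95, "WSCWriteNameSpaceOrder"),
    (96, "WSCWriteProviderOrder"),
    (97, "freeaddrinfo"),
    (98, "getaddrinfo"),
    (99, "getnameinfo"),
    (101, "WSAAsyncSelect"),
    (102, "WSAAsyncGetHostByAddr"),
    (103, "WSAAsyncGetHostByName"),
    (104, "WSAAsyncGetProtoByNumber"),
    (105, "WSAAsyncGetProtoByName"),
    (106, "WSAAsyncGetServByPort"),
    (107, "WSAAsyncGetServByName"),
    (108, "WSACancelAsyncRequest"),
    (109, "WSASetBlockingHook"),
    (110, "WSAUnhookBlockingHook"),
    (111, "WSAGetLastError"),
    (112, "WSASetLastError"),
    (113, "WSACancelBlockingCall"),
    (114, "WSAIsBlocking"),
    (115, "WSAStartup"),
    (116, "WSACleanup"),
    (151, "__WSAFDIsSet"),
    (500, "WEP"),
];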
125
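/// imphash ordinal-to-name table for `oleaut32.dll`.
///
/// imphash is computed over import *names*, so an import made by ordinal has to be mapped
/// back to a name before hashing. Every entry here feeds directly into the hash: changing
/// one changes the imphash of every sample that imports that ordinal, and the value stops
/// matching what other imphash implementations report for the same file.
/// NOTE(review): presumably mirrors pefile's `ordlookup` table for oleaut32 — confirm
/// against the upstream copy before editing.
///
/// Entries are in ascending ordinal order with no duplicates. Ordinals that are absent
/// (for example 302) are resolved by `imphash_resolve` to the `ord<N>` placeholder.
const OLEAUT32_ORDINALS: &[(u32, &str)] = &[
    (2, "SysAllocString"),
    (3, "SysReAllocString"),
    (4, "SysAllocStringLen"),
    (5, "SysReAllocStringLen"),
    (6, "SysFreeString"),
    (7, "SysStringLen"),
    (8, "VariantInit"),
    (9, "VariantClear"),
    (10, "VariantCopy"),
    (11, "VariantCopyInd"),
    (12, "VariantChangeType"),
    (13, "VariantTimeToDosDateTime"),
    (14, "DosDateTimeToVariantTime"),
    (15, "SafeArrayCreate"),
    (16, "SafeArrayDestroy"),
    (17, "SafeArrayGetDim"),
    (18, "SafeArrayGetElemsize"),
    (19, "SafeArrayGetUBound"),
    (20, "SafeArrayGetLBound"),
    (21, "SafeArrayLock"),
    (22, "SafeArrayUnlock"),
    (23, "SafeArrayAccessData"),
    (24, "SafeArrayUnaccessData"),
    (25, "SafeArrayGetElement"),
    (26, "SafeArrayPutElement"),
    (27, "SafeArrayCopy"),
    (28, "DispGetParam"),
    (29, "DispGetIDsOfNames"),
    (30, "DispInvoke"),
    (31, "CreateDispTypeInfo"),
    (32, "CreateStdDispatch"),
    (33, "RegisterActiveObject"),
    (34, "RevokeActiveObject"),
    (35, "GetActiveObject"),
    (36, "SafeArrayAllocDescriptor"),
    (37, "SafeArrayAllocData"),
    (38, "SafeArrayDestroyDescriptor"),
    (39, "SafeArrayDestroyData"),
    (40, "SafeArrayRedim"),
    (41, "SafeArrayAllocDescriptorEx"),
    (42, "SafeArrayCreateEx"),
    (43, "SafeArrayCreateVectorEx"),
    (44, "SafeArraySetRecordInfo"),
    (45, "SafeArrayGetRecordInfo"),
    (46, "VarParseNumFromStr"),
    (47, "VarNumFromParseNum"),
    (48, "VarI2FromUI1"),
    (49, "VarI2FromI4"),
    (50, "VarI2FromR4"),
    (51, "VarI2FromR8"),
    (52, "VarI2FromCy"),
    (53, "VarI2FromDate"),
    (54, "VarI2FromStr"),
    (55, "VarI2FromDisp"),
    (56, "VarI2FromBool"),
    (57, "SafeArraySetIID"),
    (58, "VarI4FromUI1"),
    (59, "VarI4FromI2"),
    (60, "VarI4FromR4"),
    (61, "VarI4FromR8"),
    (62, "VarI4FromCy"),
    (63, "VarI4FromDate"),
    (64, "VarI4FromStr"),
    (65, "VarI4FromDisp"),
    (66, "VarI4FromBool"),
    (67, "SafeArrayGetIID"),
    (68, "VarR4FromUI1"),
    (69, "VarR4FromI2"),
    (70, "VarR4FromI4"),
    (71, "VarR4FromR8"),
    (72, "VarR4FromCy"),
    (73, "VarR4FromDate"),
    (74, "VarR4FromStr"),
    (75, "VarR4FromDisp"),
    (76, "VarR4FromBool"),
    (77, "SafeArrayGetVartype"),
    (78, "VarR8FromUI1"),
    (79, "VarR8FromI2"),
    (80, "VarR8FromI4"),
    (81, "VarR8FromR4"),
    (82, "VarR8FromCy"),
    (83, "VarR8FromDate"),
    (84, "VarR8FromStr"),
    (85, "VarR8FromDisp"),
    (86, "VarR8FromBool"),
    (87, "VarFormat"),
    (88, "VarDateFromUI1"),
    (89, "VarDateFromI2"),
    (90, "VarDateFromI4"),
    (91, "VarDateFromR4"),
    (92, "VarDateFromR8"),
    (93, "VarDateFromCy"),
    (94, "VarDateFromStr"),
    (95, "VarDateFromDisp"),
    (96, "VarDateFromBool"),
    (97, "VarFormatDateTime"),
    (98, "VarCyFromUI1"),
    (99, "VarCyFromI2"),
    (100, "VarCyFromI4"),
    (101, "VarCyFromR4"),
    (102, "VarCyFromR8"),
    (103, "VarCyFromDate"),
    (104, "VarCyFromStr"),
    (105, "VarCyFromDisp"),
    (106, "VarCyFromBool"),
    (107, "VarFormatNumber"),
    (108, "VarBstrFromUI1"),
    (109, "VarBstrFromI2"),
    (110, "VarBstrFromI4"),
    (111, "VarBstrFromR4"),
    (112, "VarBstrFromR8"),
    (113, "VarBstrFromCy"),
    (114, "VarBstrFromDate"),
    (115, "VarBstrFromDisp"),
    (116, "VarBstrFromBool"),
    (117, "VarFormatPercent"),
    (118, "VarBoolFromUI1"),
    (119, "VarBoolFromI2"),
    (120, "VarBoolFromI4"),
    (121, "VarBoolFromR4"),
    (122, "VarBoolFromR8"),
    (123, "VarBoolFromDate"),
    (124, "VarBoolFromCy"),
    (125, "VarBoolFromStr"),
    (126, "VarBoolFromDisp"),
    (127, "VarFormatCurrency"),
    (128, "VarWeekdayName"),
    (129, "VarMonthName"),
    (130, "VarUI1FromI2"),
    (131, "VarUI1FromI4"),
    (132, "VarUI1FromR4"),
    (133, "VarUI1FromR8"),
    (134, "VarUI1FromCy"),
    (135, "VarUI1FromDate"),
    (136, "VarUI1FromStr"),
    (137, "VarUI1FromDisp"),
    (138, "VarUI1FromBool"),
    (139, "VarFormatFromTokens"),
    (140, "VarTokenizeFormatString"),
    (141, "VarAdd"),
    (142, "VarAnd"),
    (143, "VarDiv"),
    (144, "DllCanUnloadNow"),
    (145, "DllGetClassObject"),
    (146, "DispCallFunc"),
    (147, "VariantChangeTypeEx"),
    (148, "SafeArrayPtrOfIndex"),
    (149, "SysStringByteLen"),
    (150, "SysAllocStringByteLen"),
    (151, "DllRegisterServer"),
    (152, "VarEqv"),
    (153, "VarIdiv"),
    (154, "VarImp"),
    (155, "VarMod"),
    (156, "VarMul"),
    (157, "VarOr"),
    (158, "VarPow"),
    (159, "VarSub"),
    (160, "CreateTypeLib"),
    (161, "LoadTypeLib"),
    (162, "LoadRegTypeLib"),
    (163, "RegisterTypeLib"),
    (164, "QueryPathOfRegTypeLib"),
    (165, "LHashValOfNameSys"),
    (166, "LHashValOfNameSysA"),
    (167, "VarXor"),
    (168, "VarAbs"),
    (169, "VarFix"),
    (170, "OaBuildVersion"),
    (171, "ClearCustData"),
    (172, "VarInt"),
    (173, "VarNeg"),
    (174, "VarNot"),
    (175, "VarRound"),
    (176, "VarCmp"),
    (177, "VarDecAdd"),
    (178, "VarDecDiv"),
    (179, "VarDecMul"),
    (180, "CreateTypeLib2"),
    (181, "VarDecSub"),
    (182, "VarDecAbs"),
    (183, "LoadTypeLibEx"),
    (184, "SystemTimeToVariantTime"),
    (185, "VariantTimeToSystemTime"),
    (186, "UnRegisterTypeLib"),
    (187, "VarDecFix"),
    (188, "VarDecInt"),
    (189, "VarDecNeg"),
    (190, "VarDecFromUI1"),
    (191, "VarDecFromI2"),
    (192, "VarDecFromI4"),
    (193, "VarDecFromR4"),
    (194, "VarDecFromR8"),
    (195, "VarDecFromDate"),
    (196, "VarDecFromCy"),
    (197, "VarDecFromStr"),
    (198, "VarDecFromDisp"),
    (199, "VarDecFromBool"),
    (200, "GetErrorInfo"),
    (201, "SetErrorInfo"),
    (202, "CreateErrorInfo"),
    (203, "VarDecRound"),
    (204, "VarDecCmp"),
    (205, "VarI2FromI1"),
    (206, "VarI2FromUI2"),
    (207, "VarI2FromUI4"),
    (208, "VarI2FromDec"),
    (209, "VarI4FromI1"),
    (210, "VarI4FromUI2"),
    (211, "VarI4FromUI4"),
    (212, "VarI4FromDec"),
    (213, "VarR4FromI1"),
    (214, "VarR4FromUI2"),
    (215, "VarR4FromUI4"),
    (216, "VarR4FromDec"),
    (217, "VarR8FromI1"),
    (218, "VarR8FromUI2"),
    (219, "VarR8FromUI4"),
    (220, "VarR8FromDec"),
    (221, "VarDateFromI1"),
    (222, "VarDateFromUI2"),
    (223, "VarDateFromUI4"),
    (224, "VarDateFromDec"),
    (225, "VarCyFromI1"),
    (226, "VarCyFromUI2"),
    (227, "VarCyFromUI4"),
    (228, "VarCyFromDec"),
    (229, "VarBstrFromI1"),
    (230, "VarBstrFromUI2"),
    (231, "VarBstrFromUI4"),
    (232, "VarBstrFromDec"),
    (233, "VarBoolFromI1"),
    (234, "VarBoolFromUI2"),
    (235, "VarBoolFromUI4"),
    (236, "VarBoolFromDec"),
    (237, "VarUI1FromI1"),
    (238, "VarUI1FromUI2"),
    (239, "VarUI1FromUI4"),
    (240, "VarUI1FromDec"),
    (241, "VarDecFromI1"),
    (242, "VarDecFromUI2"),
    (243, "VarDecFromUI4"),
    (244, "VarI1FromUI1"),
    (245, "VarI1FromI2"),
    (246, "VarI1FromI4"),
    (247, "VarI1FromR4"),
    (248, "VarI1FromR8"),
    (249, "VarI1FromDate"),
    (250, "VarI1FromCy"),
    (251, "VarI1FromStr"),
    (252, "VarI1FromDisp"),
    (253, "VarI1FromBool"),
    (254, "VarI1FromUI2"),
    (255, "VarI1FromUI4"),
    (256, "VarI1FromDec"),
    (257, "VarUI2FromUI1"),
    (258, "VarUI2FromI2"),
    (259, "VarUI2FromI4"),
    (260, "VarUI2FromR4"),
    (261, "VarUI2FromR8"),
    (262, "VarUI2FromDate"),
    (263, "VarUI2FromCy"),
    (264, "VarUI2FromStr"),
    (265, "VarUI2FromDisp"),
    (266, "VarUI2FromBool"),
    (267, "VarUI2FromI1"),
    (268, "VarUI2FromUI4"),
    (269, "VarUI2FromDec"),
    (270, "VarUI4FromUI1"),
    (271, "VarUI4FromI2"),
    (272, "VarUI4FromI4"),
    (273, "VarUI4FromR4"),
    (274, "VarUI4FromR8"),
    (275, "VarUI4FromDate"),
    (276, "VarUI4FromCy"),
    (277, "VarUI4FromStr"),
    (278, "VarUI4FromDisp"),
    (279, "VarUI4FromBool"),
    (280, "VarUI4FromI1"),
    (281, "VarUI4FromUI2"),
    (282, "VarUI4FromDec"),
    (283, "BSTR_UserSize"),
    (284, "BSTR_UserMarshal"),
    (285, "BSTR_UserUnmarshal"),
    (286, "BSTR_UserFree"),
    (287, "VARIANT_UserSize"),
    (288, "VARIANT_UserMarshal"),
    (289, "VARIANT_UserUnmarshal"),
    (290, "VARIANT_UserFree"),
    (291, "LPSAFEARRAY_UserSize"),
    (292, "LPSAFEARRAY_UserMarshal"),
    (293, "LPSAFEARRAY_UserUnmarshal"),
    (294, "LPSAFEARRAY_UserFree"),
    (295, "LPSAFEARRAY_Size"),
    (296, "LPSAFEARRAY_Marshal"),
    (297, "LPSAFEARRAY_Unmarshal"),
    (298, "VarDecCmpR8"),
    (299, "VarCyAdd"),
    (300, "DllUnregisterServer"),
    (301, "OACreateTypeLib2"),
    (303, "VarCyMul"),
    (304, "VarCyMulI4"),
    (305, "VarCySub"),
    (306, "VarCyAbs"),
    (307, "VarCyFix"),
    (308, "VarCyInt"),
    (309, "VarCyNeg"),
    (310, "VarCyRound"),
    (311, "VarCyCmp"),
    (312, "VarCyCmpR8"),
    (313, "VarBstrCat"),
    (314, "VarBstrCmp"),
    (315, "VarR8Pow"),
    (316, "VarR4CmpR8"),
    (317, "VarR8Round"),
    (318, "VarCat"),
    (319, "VarDateFromUdateEx"),
    (322, "GetRecordInfoFromGuids"),
    (323, "GetRecordInfoFromTypeInfo"),
    (325, "SetVarConversionLocaleSetting"),
    (326, "GetVarConversionLocaleSetting"),
    (327, "SetOaNoCache"),
    (329, "VarCyMulI8"),
    (330, "VarDateFromUdate"),
    (331, "VarUdateFromDate"),
    (332, "GetAltMonthNames"),
    (333, "VarI8FromUI1"),
    (334, "VarI8FromI2"),
    (335, "VarI8FromR4"),
    (336, "VarI8FromR8"),
    (337, "VarI8FromCy"),
    (338, "VarI8FromDate"),
    (339, "VarI8FromStr"),
    (340, "VarI8FromDisp"),
    (341, "VarI8FromBool"),
    (342, "VarI8FromI1"),
    (343, "VarI8FromUI2"),
    (344, "VarI8FromUI4"),
    (345, "VarI8FromDec"),
    (346, "VarI2FromI8"),
    (347, "VarI2FromUI8"),
    (348, "VarI4FromI8"),
    (349, "VarI4FromUI8"),
    (360, "VarR4FromI8"),
    (361, "VarR4FromUI8"),
    (362, "VarR8FromI8"),
    (363, "VarR8FromUI8"),
    (364, "VarDateFromI8"),
    (365, "VarDateFromUI8"),
    (366, "VarCyFromI8"),
    (367, "VarCyFromUI8"),
    (368, "VarBstrFromI8"),
    (369, "VarBstrFromUI8"),
    (370, "VarBoolFromI8"),
    (371, "VarBoolFromUI8"),
    (372, "VarUI1FromI8"),
    (373, "VarUI1FromUI8"),
    (374, "VarDecFromI8"),
    (375, "VarDecFromUI8"),
    (376, "VarI1FromI8"),
    (377, "VarI1FromUI8"),
    (378, "VarUI2FromI8"),
    (379, "VarUI2FromUI8"),
    (401, "OleLoadPictureEx"),
    (402, "OleLoadPictureFileEx"),
    (411, "SafeArrayCreateVector"),
    (412, "SafeArrayCopyData"),
    (413, "VectorFromBstr"),
    (414, "BstrFromVector"),
    (415, "OleIconToCursor"),
    (416, "OleCreatePropertyFrameIndirect"),
    (417, "OleCreatePropertyFrame"),
    (418, "OleLoadPicture"),
    (419, "OleCreatePictureIndirect"),
    (420, "OleCreateFontIndirect"),
    (421, "OleTranslateColor"),
    (422, "OleLoadPictureFile"),
    (423, "OleSavePictureFile"),
    (424, "OleLoadPicturePath"),
    (425, "VarUI4FromI8"),
    (426, "VarUI4FromUI8"),
    (427, "VarI8FromUI8"),
    (428, "VarUI8FromI8"),
    (429, "VarUI8FromUI1"),
    (430, "VarUI8FromI2"),
    (431, "VarUI8FromR4"),
    (432, "VarUI8FromR8"),
    (433, "VarUI8FromCy"),
    (434, "VarUI8FromDate"),
    (435, "VarUI8FromStr"),
    (436, "VarUI8FromDisp"),
    (437, "VarUI8FromBool"),
    (438, "VarUI8FromI1"),
    (439, "VarUI8FromUI2"),
    (440, "VarUI8FromUI4"),
    (441, "VarUI8FromDec"),
    (442, "RegisterTypeLibForUser"),
    (443, "UnRegisterTypeLibForUser"),
];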
527
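/// Resolve an import-by-ordinal to the symbol name the imphash algorithm expects.
///
/// imphash hashes the import list as text, so an import that carries only an ordinal has
/// to be turned into a name in the same way by every tool, or the resulting hashes will
/// not be comparable. Lookup tables exist for three DLLs: `ws2_32.dll` and `wsock32.dll`
/// share `WS2_32_ORDINALS`, and `oleaut32.dll` uses `OLEAUT32_ORDINALS`.
///
/// * `dll_name` - the imported DLL's name; compared ASCII-case-insensitively and otherwise
///   exactly (no path or extension normalisation is done here).
/// * `ordinal` - the import ordinal to resolve.
///
/// Returns the table's name for the ordinal when one exists. For an unknown DLL or an
/// ordinal missing from the table it returns the placeholder `ord<N>`, so the function
/// never fails and never panics, whatever the input.
///
/// The name is returned in the table's own casing. NOTE(review): imphash implementations
/// normally lowercase the `dll.function` string before hashing — confirm the caller does.
pub fn imphash_resolve<S: AsRef<str>>(dll_name: S, ordinal: u32) -> String {
    let dll = dll_name.as_ref().to_ascii_lowercase();

    let table: &[(u32, &str)] = match dll.as_str() {
        "ws2_32.dll" | "wsock32.dll" => WS2_32_ORDINALS,
        "oleaut32.dll" => OLEAUT32_ORDINALS,
        _ => &[],
    };

    // The tables hold a few hundred unique ordinals at most, so a linear scan is enough
    // and avoids allocating a fresh map on every call.
    table
        .iter()
        .find(|(known, _)| *known == ordinal)
        .map(|(_, name)| (*name).to_string())
        .unwrap_or_else(|| format!("ord{}", ordinal))
}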