Table of Contents

Class TypeReferenceHash

Namespace
AsmResolver.PE.DotNet.Metadata.Tables
Assembly
AsmResolver.PE.dll

Provides an implementation for the Type Reference Hash (TRH) as introduced by GData. This hash is used as an alternative to the ImpHash to identify malware families based on the type references imported by the .NET image.

Reference: https://www.gdatasoftware.com/blog/2020/06/36164-introducing-the-typerefhash-trh

public static class TypeReferenceHash
Inheritance
TypeReferenceHash
Inherited Members

Methods

GetTypeReferenceHash(MetadataDirectory)

Computes the Type Reference Hash (TRH) as introduced by GData to identify malware based on its imported type references.

public static byte[] GetTypeReferenceHash(this MetadataDirectory metadata)

Parameters

metadata MetadataDirectory

The metadata directory to get the TRH from.

Returns

byte[]

The hash.

Exceptions

ArgumentException

Occurs when the provided image does not contain .NET metadata.

GetTypeReferenceHash(PEImage)

If the provided image is a .NET image, computes the Type Reference Hash (TRH) as introduced by GData to identify malware based on its imported type references.

public static byte[] GetTypeReferenceHash(this PEImage image)

Parameters

image PEImage

The image to get the TRH from.

Returns

byte[]

The hash.

Exceptions

ArgumentException

Occurs when the provided image does not contain .NET metadata.