
I am analyzing a Windows executable (C:\Windows\System32\xcopy.exe). The Imphash value calculated with Python is different from the one shown with PE studio. How can the Imphash for the same file be different when computed using two different tools?

What's missing here?

Imphash Python: 1effe65a4f251e4ae9fa8551f9fcdabb

Imphash PeStudio: 370E0F2A87317776FEB42A7B32DD037B

PE studio Result

Python Result

1 Answer

On 64-bit systems, the path C:\Windows\System32 is virtualized – 64-bit processes can access it directly, but 32-bit processes are magically redirected to C:\Windows\SysWow64 instead.

Your "pestudio" tool is 32-bit, so it is actually seeing the 32-bit version of xcopy.exe rather than the 64-bit one.

Python 3.9.4 [MSC v.1928 64 bit (AMD64)]

>>> import pefile
>>> pefile.PE(r"C:\Windows\System32\xcopy.exe").get_imphash()
'1effe65a4f251e4ae9fa8551f9fcdabb'

>>> pefile.PE(r"C:\Windows\SysWow64\xcopy.exe").get_imphash()
'370e0f2a87317776feb42a7b32dd037b'
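As an added illustration (not part of the answer above, and not pefile's own code): the first function reproduces the Imphash canonicalisation that pefile hashes, over a constructed import table, so you can see why two genuinely different files must hash differently; the second rewrites a System32 path to the `Sysnative` alias so that a 32-bit analysis tool running under WOW64 reads the real 64-bit file instead of the SysWOW64 copy. The `PROCESSOR_ARCHITEW6432` check and the sample import list are assumptions made for this example.

```python
import hashlib
import os


def imphash_string(imports):
    """Canonical string that Imphash MD5-hashes.

    `imports` is a list of (dll_name, [function_name_or_ordinal]) pairs in
    image order. Follows the pefile convention: lowercase everything, strip
    .dll/.ocx/.sys, and write unnamed imports as "ordN". (pefile also maps
    known ordinals of oleaut32/ws2_32 back to names; that table is omitted.)
    """
    parts = []
    for dll, funcs in imports:
        dll = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if dll.endswith(ext):
                dll = dll[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{dll}.{name}")
    return ",".join(parts)


def imphash(imports):
    """Imphash = MD5 of the canonical import string (order-sensitive)."""
    return hashlib.md5(imphash_string(imports).encode()).hexdigest()


def sysnative_path(path, in_wow64=None):
    """Point a 32-bit process at the 64-bit System32 file.

    Under WOW64, C:\\Windows\\System32 is redirected to SysWOW64; the alias
    C:\\Windows\\Sysnative bypasses that redirection. In a 64-bit process the
    path is returned unchanged. Detection via PROCESSOR_ARCHITEW6432 is an
    assumption of this example (Windows sets it only for WOW64 processes).
    """
    if in_wow64 is None:
        in_wow64 = "PROCESSOR_ARCHITEW6432" in os.environ
    normalized = path.replace("/", "\\")
    marker = "\\windows\\system32\\"
    idx = normalized.lower().find(marker)
    if not in_wow64 or idx < 0:
        return path
    return normalized[:idx] + "\\Windows\\Sysnative\\" + normalized[idx + len(marker):]


# Constructed sample import table (not taken from xcopy.exe).
SAMPLE_IMPORTS = [
    ("KERNEL32.dll", ["CreateFileW", "ReadFile"]),
    ("ADVAPI32.dll", ["RegOpenKeyExW"]),
    ("OLEAUT32.dll", [8]),
]
```

If you keep the 32-bit tool, feed it `sysnative_path(...)` and its hash should match the 64-bit Python run; if it still differs, the two tools disagree on canonicalisation rather than on the file.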
