Mandiant’s imphash convention requires the following: Resolving ordinals to function names when they appear. Converting both DLL names and function names to all lowercase. Removing the file extensions from imported module names. Building and storing the lowercased strings in an ordered list. Generating the MD5 hash of the ordered list. oleaut32, ws2_32 and wsock32 can resolve ordinals to functions names. The implementation is equal to the python module "pefile" 1.2.10-139 https://code.google.com/p/pefile/