@@ -284,6 +284,8 @@ struct cl_engine {

     struct cli_matcher *hm_hdb;

     /* hash matcher for MD5 sigs for PE sections */

     struct cli_matcher *hm_mdb;

+    /* hash matcher for MD5 sigs for PE import tables */

+    struct cli_matcher *hm_ith;

     /* hash matcher for whitelist db */

     struct cli_matcher *hm_fp;

@@ -2354,12 +2354,13 @@ static inline int scan_pe_impfuncs(cli_ctx *ctx, void *md5ctx, struct pe_image_i

 }

 static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct cli_exe_section *exe_sections, uint16_t nsections, uint32_t hdr_size, int pe_plus) {

+    struct cli_matcher *ith = ctx->engine->hm_ith;

     struct pe_image_data_dir *datadir = &(dirs[1]);

     struct pe_image_import_descriptor *image;

     fmap_t *map = *ctx->fmap;

     size_t left, fsize = map->len;

     uint32_t impoff, offset;

-    const char *impdes, *buffer;

+    const char *impdes, *buffer, *virname;

     void *md5ctx;

     uint8_t digest[16] = {0};

     char *dstr;

@@ -2420,7 +2421,7 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c

             /* JSON TOMFOOLERY */

         }

-        /* DLL function handling - inline function */

+        /* DLL function handling - inline function TODO - dconf this */

         ret = scan_pe_impfuncs(ctx, md5ctx, image, dllname, exe_sections, nsections, hdr_size, pe_plus, &first);

         if (dllname)

             free(dllname);

@@ -2437,12 +2438,16 @@ static int scan_pe_imptbl(cli_ctx *ctx, struct pe_image_data_dir *dirs, struct c

     /* send off for md5 comparison - use ret */

     cl_finish_hash(md5ctx, digest);

     dstr = cli_str2hex(digest, sizeof(digest));

-    cli_errmsg("IMPHASH: %s\n", (char *)dstr);

+    cli_dbgmsg("IMPHASH: %s\n", (char *)dstr);

 #if HAVE_JSON

     if (ctx->wrkproperty)

         cli_jsonstr(ctx->wrkproperty, "Imphash", dstr);

 #endif

     free(dstr);

+

+    if (ith && (ret = cli_hm_scan_wild(digest, &virname, ith, CLI_HASH_MD5)) == CL_VIRUS)

+        cli_append_virus(ctx, virname);

+

     return ret;

 }

@@ -3367,7 +3372,6 @@ int cli_scanpe(cli_ctx *ctx)

             /* intentional fall-through */

         case CL_BREAK:

             free(exe_sections);

-            cli_bytecode_context_destroy(bc_ctx);

             return ret == CL_VIRUS ? CL_VIRUS : CL_CLEAN;

     }

     /* Attempt to detect some popular polymorphic viruses */

@@ -2380,6 +2380,7 @@ static int cli_loadign(FILE *fs, struct cl_engine *engine, unsigned int options,

 #define MD5_HDB	    0

 #define MD5_MDB	    1

 #define MD5_FP	    2

+#define MD5_ITH	    3

 #define MD5_TOKENS 5

 static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo, unsigned int mode, unsigned int options, struct cli_dbio *dbio, const char *dbname)

@@ -2400,6 +2401,8 @@ static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo,

 	db = engine->hm_mdb;

     } else if(mode == MD5_HDB)

 	db = engine->hm_hdb;

+    else if(mode == MD5_ITH)

+	db = engine->hm_ith;

     else

 	db = engine->hm_fp;

@@ -2413,6 +2416,8 @@ static int cli_loadhash(FILE *fs, struct cl_engine *engine, unsigned int *signo,

 	    engine->hm_hdb = db;

 	else if(mode == MD5_MDB)

 	    engine->hm_mdb = db;

+	else if(mode == MD5_ITH)

+	    engine->hm_ith = db;

 	else

 	    engine->hm_fp = db;

     }

@@ -4280,6 +4285,8 @@ int cli_load(const char *filename, struct cl_engine *engine, unsigned int *signo

 	ret = cli_loadhash(fs, engine, signo, MD5_FP, options, dbio, dbname);

     } else if(cli_strbcasestr(dbname, ".mdb") || cli_strbcasestr(dbname, ".msb")) {

 	ret = cli_loadhash(fs, engine, signo, MD5_MDB, options, dbio, dbname);

+    } else if(cli_strbcasestr(dbname, ".ith")) {

+	ret = cli_loadhash(fs, engine, signo, MD5_ITH, options, dbio, dbname);

     } else if(cli_strbcasestr(dbname, ".mdu") || cli_strbcasestr(dbname, ".msu")) {

 	if(options & CL_DB_PUA)