Uchihash - A Small Utility To Deal With Malware Embedded Hashes

3 years ago 173
BOOK THIS SPACE FOR AD
ARTICLE AD

Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as:

Dynamically importing APIs (especially in shellcode) Checking running process used by analysts (Anti-Analysis) Checking VM or Antivirus artifacts (Anti-Analysis)

Uchihash can generate hashes with your own custom hashing algorithm, search for a list of hashes in an already generated hashmap and also it can generate an IDAPython script to annotate the hashes with their corresponding values for easier analysis.

Installation

$ git clone https://github.com/N1ght-W0lf/Uchihash.git
$ pip install -r requirements.txt

Usage

Hashing algorithm --apis Calculate hashes of APIs --keywords Calculate hashes of keywords --list LIST Calculate hashes of your own word list --script SCRIPT Script file containing your custom hashing algorithm --search SEARCH Search a JSON File containing hashes mapped to words --hashes HASHES File containing list of hashes to search for --ida Generate an IDAPython script to annotate hash values Examples: * python uchihash.py --algo crc32 --apis * python uchihash.py --algo murmur3 --list mywords.txt * python uchihash.py --search hashmap.txt --hashes myhashes.txt ">

usage: uchihash.py [-h] [--algo ALGO] [--apis] [--keywords] [--list LIST] [--script SCRIPT] [--search SEARCH] [--hashes HASHES] [--ida]

optional arguments:
-h, --help show this help message and exit
--algo ALGO Hashing algorithm
--apis Calculate hashes of APIs
--keywords Calculate hashes of keywords
--list LIST Calculate hashes of your own word list
--script SCRIPT Script file containing your custom hashing algorithm
--search SEARCH Search a JSON File containing hashes mapped to words
--hashes HASHES File containing list of hashes to search for
--ida Generate an IDAPython script to annotate hash values

Examples:
* python uchihash.py --algo crc32 --apis
* python uchihash.py --algo murmur3 --list mywords.txt
* python uchihash.py --search hashmap.txt --hashes myhashes.txt

Notes

--algo: One of the available hashing algorithms

--apis: Hashes a huge list of windows APIs (see data/apis_list.txt)

--keywords: Hashes a list of common keywords used by malware families such as Analysis tools and VM/Antivirus/EDR artifacts (see data/keywords_list.txt)

--list : Words are separated by a newline (see examples/mywords.txt)

--script: Hashing function must be called hashme() and the return value must be in hex format 0xDEADBEEF (see examples/custom_algo.txt)

--search: File to search must be in JSON format (see examples/searchme.txt)

--hashes: Hash values are separated by a newline and they must be in hex format (see examples/myhashes.txt)

see examples folder for more clarification

Available Hashing Algorithms

md4 md5 sha1 sha224 sha256 sha384 sha512 ripemd160 whirlpool crc8 crc16 crc32 crc64 djb2 sdbm loselose fnv1_32 fnv1a_32 fnv1_64 fnv1a_64 murmur3

Example

Let's take an examples with a real malware family, in this case we have BuerLoader which is using hash values to dynamically import APIs and it's using a custom hashing algorithm.

First we need to implement the hashing algorithm in python:

def ROR4(val, bits, bit_size=32):
return ((val & (2 ** bit_size - 1)) >> bits % bit_size) | \
(val << (bit_size - (bits % bit_size)) & (2 ** bit_size - 1))

def hashme(s):
res = 0
for c in s:
v3 = ROR4(res, 13)
v4 = c - 32
if c < 97:
v4 = c
res = v4 + v3
return hex(res)

Then we calculate the hashes of all APIs:

$ python uchihash.py --script custom_algo.py --apis

Finally we search for the hash values that BuerLoader is using in the generated hashmap, we can also generate an IDAPython script to annotate those hash values with their corresponding API names:

$ python uchihash.py --search output/hashmap.txt --hashes buer_hashes.txt --ida

We should get 2 output files, one is "output/search_hashmap.txt" which maps BuerLoader's hash values to API names:

{
"0x8a8b468c": "LoadLibraryW",
"0x302ebe1c": "VirtualAlloc",
"0x1803b7e3": "VirtualProtect",
"0xe183277b": "VirtualFree",
"0x24e2968d": "GetComputerNameW",
"0xab489125": "GetNativeSystemInfo",
.......
}

The other file is "output/ida_script.py" which will add the comments to your idb:

Uchihash - A Small Utility To Deal With Malware Embedded Hashes Uchihash - A Small Utility To Deal With Malware Embedded Hashes Reviewed by Zion3R on 5:30 PM Rating: 5

Read Entire Article