
Tuesday, January 9, 2018

Resolving API Hash using IDA Python

API hashing is a technique malware uses to hide the APIs it needs from static analysis and from API-based detection rules, so I decided to use IDA Python to resolve those API hashes and make my static analysis easier.

The sample I used in this blog is the challenge #4 of flare2017.

Using IDA we can see directly that the file uses the API hashing technique to look up the APIs it needs while its code executes.

fig. 1 API hash

And the screenshot below shows the algorithm it uses to compute the hash of each API in the export table of "Kernel32.dll" and of the other libraries it needs to import.

fig. 2 Hashing algorithm

The conversion of the algorithm into Python code:


fig. 3 python hasher

The file locates "kernel32.dll" through the PEB and walks its export table to find the APIs it needs; for my purposes I simply took "kernel32.dll" from %systemroot%/system32 and parsed it manually with a Python script.

fig. 4 Parsing the Export table


fig. 5 API list output
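As an added example (this is not the author's script from fig. 3 and fig. 4), the following Python builds the same kind of hash-to-name table: it walks the export name table of a PE file using only the standard library and hashes every exported name. The sample's own hashing routine is not reproduced on this page, so `api_hash` here is a stand-in 32-bit ROR13 accumulator; replace it with your translation of fig. 3. `build_fake_dll` constructs a tiny PE image in memory, so the script runs without a real kernel32.dll; for real use, feed it the bytes of the DLL instead.

```python
import struct


def api_hash(name):
    """Stand-in hash (32-bit ROR13 accumulator). The sample's own routine from
    fig. 2/3 is not reproduced here; swap in your translation of it."""
    h = 0
    for ch in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table."""
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x not mapped by any section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def export_names(data):
    """Return the exported names of a PE32/PE32+ image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    fh = pe + 4                                              # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                            # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)               # DataDirectory[0] = exports
    exp_rva = struct.unpack_from("<I", data, dd)[0]
    if exp_rva == 0:
        return []
    sections = []
    for i in range(num_sections):
        s = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw, rawsize))
    exp = _rva_to_offset(exp_rva, sections)                  # IMAGE_EXPORT_DIRECTORY
    num_names = struct.unpack_from("<I", data, exp + 24)[0]  # NumberOfNames
    names = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
    return [_cstring(data, _rva_to_offset(struct.unpack_from("<I", data, names + 4 * i)[0], sections))
            for i in range(num_names)]


def build_hash_table(data):
    """hash -> exported name: the lookup table the resolver needs."""
    return {api_hash(n): n for n in export_names(data)}


def build_fake_dll(names):
    """Constructed test input: a minimal PE32 whose single section holds only an
    export name table, laid out so that RVA == file offset. Not a real DLL."""
    export_rva = 0x200
    ptrs_rva = export_rva + 40
    str_rva = ptrs_rva + 4 * len(names)
    strings, ptrs = b"", []
    for n in names:
        ptrs.append(str_rva + len(strings))
        strings += n.encode("ascii") + b"\x00"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names), 0, ptrs_rva, 0)
    body += b"".join(struct.pack("<I", p) for p in ptrs) + strings
    img = bytearray(export_rva)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                  # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HH", img, 0x44, 0x14C, 1)             # i386, one section
    struct.pack_into("<H", img, 0x44 + 16, 224)              # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", img, 0x58, 0x10B)                 # PE32 magic
    struct.pack_into("<II", img, 0x58 + 96, export_rva, len(body))
    sec = 0x58 + 224
    img[sec:sec + 8] = b".edata\x00\x00"
    struct.pack_into("<IIII", img, sec + 8, len(body), export_rva, len(body), export_rva)
    return bytes(img) + body


if __name__ == "__main__":
    # Real use: build_hash_table(open(r"C:\Windows\System32\kernel32.dll", "rb").read())
    for h, n in sorted(build_hash_table(build_fake_dll(["LoadLibraryA", "GetProcAddress"])).items()):
        print("0x%08X  %s" % (h, n))
```

The parser reads only the export name table, which is all the resolver needs; ordinal-only exports are skipped, so an unresolved hash is worth checking against forwarders and ordinal exports before assuming the hash algorithm was translated wrongly.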

Now we will resolve the following API hashes to their actual API names by adding enum members in IDA.

fig. 6 adding enum member

fig. 7 resolve hash

Then, if we combine those functions and run them as an IDA Python plugin, it resolves the following hashes and makes the code much easier to read during static analysis.

fig. 8 resolved hash value

fig. 9 added enum member
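The enum step described above, as an added IDA Python script (not the author's plugin from fig. 6 to fig. 9): it creates an enum named `API_HASH` (a hypothetical name), adds one member per known hash, and applies the enum to every immediate operand whose value is in the table, leaving the plain API name as a comment. The `HASH_TABLE` values are constructed sample entries, not the sample's real hashes; in practice you load the table produced by the export-table parser. The `idc`/`idautils` calls are the IDA 7.x names; outside IDA those modules are absent and only the pure helpers (`member_name`, `resolve`) are usable.

```python
"""IDA Python: create an enum of known API hashes and apply it to matching
immediates. Added example script, not the blog author's plugin."""
try:
    import idc
    import idautils
except ImportError:        # not running inside IDA
    idc = idautils = None

ENUM_NAME = "API_HASH"     # hypothetical enum name

# Constructed sample table (hash -> API). In real use, load the table produced
# by the export-table parser; these two values are illustrative only.
HASH_TABLE = {
    0xEC0E4E8E: "LoadLibraryA",
    0x7C0DFCAA: "GetProcAddress",
}


def member_name(api):
    """Enum member names must be unique identifiers; prefix them so they do
    not clash with function names IDA may already know."""
    return "hash_" + api


def resolve(immediates, table):
    """Pure part of the resolver: (ea, operand_no, value) triples -> API names
    for the values present in the table. Values are masked to 32 bits because
    the hashes are 32-bit."""
    hits = {}
    for ea, n, value in immediates:
        api = table.get(value & 0xFFFFFFFF)
        if api is not None:
            hits[(ea, n)] = api
    return hits


def collect_immediates():
    """Walk every code head in the database and yield its immediate operands."""
    for ea in idautils.Heads():
        if not idc.is_code(idc.get_full_flags(ea)):
            continue
        for n in (0, 1):
            if idc.get_operand_type(ea, n) == idc.o_imm:
                yield ea, n, idc.get_operand_value(ea, n)


def annotate(table=HASH_TABLE, enum_name=ENUM_NAME):
    """Create (or reuse) the enum, add members, and mark up matching operands."""
    eid = idc.get_enum(enum_name)
    if eid == idc.BADADDR:
        eid = idc.add_enum(-1, enum_name, 0)
    for h, api in table.items():
        idc.add_enum_member(eid, member_name(api), h, -1)   # -1: no bitmask
    hits = resolve(collect_immediates(), table)
    for (ea, n), api in hits.items():
        idc.op_enum(ea, n, eid, 0)      # display the immediate as the enum symbol
        idc.set_cmt(ea, api, 0)         # and keep the plain name as a comment
    return hits


if __name__ == "__main__" and idc is not None:
    for (ea, n), api in sorted(annotate().items()):
        print("0x%08X operand %d -> %s" % (ea, n, api))
```

Run it from File > Script file inside IDA after loading the hash table; because it only touches immediates that match a known hash, a false match on an unrelated constant is unlikely but worth a glance wherever the comment lands outside a hash-comparison loop.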

Now it is much easier to navigate to the following hash values while dynamically debugging the file. ENJOY!!!
