API hashing is one of the techniques malware uses to hide the APIs it needs from static analysis and from API-based detection rules, so I decided to use IDAPython to resolve those API hashes and help my static analysis.
The sample I used in this blog is challenge #4 of flare2017.
Using IDA we can directly see that the file uses the API hashing technique to look up the APIs it needs during execution.
fig. 1: API hash (screenshot)
The screenshot below shows the algorithm that computes the hash of each API name in the export table of "Kernel32.dll" and of the other libraries it needs to import.
fig. 2: Hashing algorithm (screenshot)
The conversion of the algorithm into Python code:
fig. 3: Python hasher (screenshot)
The file finds "kernel32.dll" by locating it through the PEB and walking its export table to look for the APIs it needs; for my purposes I just took "kernel32.dll" from %systemroot%/system32 and parsed its export table manually with a Python script.
fig. 4: Parsing the export table (screenshot)
fig. 5: API list output (screenshot)
Now we will resolve the API hashes to their actual API names by adding enum members in IDA.
fig. 6: Adding enum member (screenshot)
fig. 7: Resolve hash (screenshot)
Then, if we combine those functions and execute them as an IDAPython plugin, it resolves the hashes and makes the code much easier to read during static analysis.
fig. 8: Resolved hash value (screenshot)
fig. 9: Added enum member (screenshot)
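The whole workflow from the screenshots above (hash every export, resolve the constants found in the sample, add them as IDA enum members) as an added example that is not the post's own script. The hash routine is a stand-in ROR-13 hash because the sample's real algorithm is only visible in the fig. 2 screenshot; the `pefile` export walk and the IDA 7.x `idc` enum calls are my assumptions, and the API names in the test are constructed.

```python
import sys

def api_hash(name):
    """Stand-in ROR-13 hash. ASSUMPTION: the sample's real routine is only visible in
    the fig. 2 screenshot, so replace this body with a transcription of that algorithm."""
    h = 0
    for c in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + c) & 0xFFFFFFFF                  # add the current character
    return h

def export_names(dll_path):
    """Read the export-name table with pefile (pip install pefile); it does the RVA
    bookkeeping that the post's hand-written parser did."""
    import pefile
    pe = pefile.PE(dll_path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
    return [s.name.decode() for s in pe.DIRECTORY_ENTRY_EXPORT.symbols if s.name]

def build_table(names):
    """Map hash -> name; a collision would make a label ambiguous, so refuse it."""
    table = {}
    for n in names:
        h = api_hash(n)
        if table.get(h, n) != n:
            raise ValueError("collision 0x%08x: %s vs %s" % (h, table[h], n))
        table[h] = n
    return table

def resolve(hashes, table):
    """Hash constants seen in the disassembly -> API name (None when unknown)."""
    return {h: table.get(h) for h in hashes}

def label_in_ida(resolved, enum_name="api_hash"):
    """One enum member per resolved hash so IDA shows the name instead of the
    constant. ASSUMPTION: IDA 7.x idc API names; only callable inside IDA."""
    import idc
    eid = idc.get_enum(enum_name)
    if eid == idc.BADADDR:
        eid = idc.add_enum(-1, enum_name, 0)
    for h, name in sorted(resolved.items()):
        if name:
            idc.add_enum_member(eid, name, h, -1)
    return eid

if __name__ == "__main__":  # usage: script.py <kernel32.dll> <hex hash> ...
    table = build_table(export_names(sys.argv[1]))
    for h, name in resolve([int(x, 16) for x in sys.argv[2:]], table).items():
        print("0x%08x -> %s" % (h, name))
```

Run it outside IDA first to check that every constant resolves; any `None` left over usually means the hash transcription or the DLL version is wrong.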
Now it is much easier to navigate the code by those hash values without dynamically debugging the file. ENJOY!!!