Shellcode Hashes
Description
The shellcode_hashes_search_plugin.py IDA plugin implements the hash searching described here: it looks up the 32-bit constants that position-independent shellcode passes to its API resolver and names the export each one hashes to.
The shellcode_hashes directory contains make_sc_hash_db.py, the script used to create the database the plugin searches, along with a pre-built database (sc_hashes.db).
Installation
Refer to the flare-ida installation section.
Usage
Generating a local database
Before using the make_sc_hash_db.py script you need to fix a syntax error (present in the version tested here, May 2015): the list of hash types that precedes the ShellcodeDbCreator class is never closed, so Python only notices at the class definition:
$ python make_sc_hash_db.py
  File "make_sc_hash_db.py", line 501
    class ShellcodeDbCreator(object):
        ^
SyntaxError: invalid syntax
It can be fixed using the following patch:
$ cat make_sc_hash_db.patch --- make_sc_hash_db.py 2015-05-30 11:41:57.803752637 +0200 +++ make_sc_hash_db.py.patched 2015-05-30 11:42:33.239752447 +0200 @@ -492,7 +492,7 @@ ('sll1AddHash32', 32, pseudocode_sll1AddHash32), ('playWith0xedb88320Hash', 32, pseudocode_playWith0xedb88320Hash), ('crc32', 32, 'Standard crc32'), - +] ############################################################ # Database creator
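Review bot: the `+]` after `('crc32', 32, 'Standard crc32'),` is the right fix (the unterminated list literal is why Python keeps reading until `class ShellcodeDbCreator` and reports line 501 rather than the list itself), but the hunk pays for it with the blank line: the `-` removes the empty separator and `+]` takes its place, so the closing bracket sits directly against the `####` banner of the "Database creator" section. Make it a pure addition instead (keep the blank line, drop the `-` line, header `@@ -492,7 +492,8 @@`) so the separation between the hash-type table and the next section survives; a one-line description in the patch of what was wrong would also help whoever applies it next.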
$ patch -p0 < make_sc_hash_db.patch
patching file make_sc_hash_db.py
The plugin looks constants up in a SQLite database of pre-calculated hashes. It ships with an initial database (sc_hashes.db) that you can use as is, but you can also generate your own. To do that, run the make_sc_hash_db.py Python script as follows:
Usage: python make_sc_hash_db.py <db_path> <dll_dir>
<db_path> is the database file to create and <dll_dir> a directory containing the DLLs whose exported names will be hashed with each algorithm the script knows. Generating your own is worth it when the shellcode resolves exports from a library, or a Windows version, that the shipped database does not cover.
Using the plugin
Given the following decoded shellcode extract:
[SNIP]
seg000:000002BF sub_2BF proc near ; CODE XREF: sub_2BF:loc_364↓p
seg000:000002BF 5B pop ebx
seg000:000002C0 E8 D9 FF FF FF call findKernel32Base
seg000:000002C5 89 C2 mov edx, eax
seg000:000002C7 68 8E 4E 0E EC push 0EC0E4E8Eh
seg000:000002CC 52 push edx
seg000:000002CD E8 80 FF FF FF call findSymbolByHash
seg000:000002D2 89 45 FC mov [ebp-4], eax
seg000:000002D5 68 C1 79 E5 B8 push 0B8E579C1h
seg000:000002DA 52 push edx
seg000:000002DB E8 72 FF FF FF call findSymbolByHash
seg000:000002E0 89 45 F8 mov [ebp-8], eax
seg000:000002E3 68 83 B9 B5 78 push 78B5B983h
seg000:000002E8 52 push edx
seg000:000002E9 E8 64 FF FF FF call findSymbolByHash
seg000:000002EE 89 45 F4 mov [ebp-0Ch], eax
seg000:000002F1 68 E6 17 8F 7B push 7B8F17E6h
seg000:000002F6 52 push edx
seg000:000002F7 E8 56 FF FF FF call findSymbolByHash
seg000:000002FC 89 45 F0 mov [ebp-10h], eax
seg000:000002FF 68 98 FE 8A 0E push 0E8AFE98h
seg000:00000304 52 push edx
seg000:00000305 E8 48 FF FF FF call findSymbolByHash
[SNIP]
The plugin resolves the constants pushed before each findSymbolByHash call in the extract above (0xEC0E4E8E, 0xB8E579C1, ...). To use it, go to Edit > Plugins > Shellcode Hashes and pick the database (either the one shipped with the plugin or the one you generated). Then choose a hash algorithm from the list; ROR13, the first entry, is by far the most common one in shellcode, so start with it and try another entry if nothing gets annotated. Click OK. A match only tells you that a 32-bit constant equals the hash of some export name, so check that the constant really feeds a resolver routine before trusting the comment.
Below is the listing once the plugin has run:
seg000:000002BF sub_2BF proc near ; CODE XREF: sub_2BF:loc_364↓p
seg000:000002BF 5B pop ebx
seg000:000002C0 E8 D9 FF FF FF call findKernel32Base
seg000:000002C5 89 C2 mov edx, eax
seg000:000002C7 68 8E 4E 0E EC push 0EC0E4E8Eh ; kernel32.dll!LoadLibraryA
seg000:000002CC 52 push edx
seg000:000002CD E8 80 FF FF FF call findSymbolByHash
seg000:000002D2 89 45 FC mov [ebp-4], eax
seg000:000002D5 68 C1 79 E5 B8 push 0B8E579C1h ; kernel32.dll!GetSystemDirectoryA
seg000:000002DA 52 push edx
seg000:000002DB E8 72 FF FF FF call findSymbolByHash
seg000:000002E0 89 45 F8 mov [ebp-8], eax
seg000:000002E3 68 83 B9 B5 78 push 78B5B983h ; kernel32.dll!TerminateProcess
seg000:000002E8 52 push edx
seg000:000002E9 E8 64 FF FF FF call findSymbolByHash
seg000:000002EE 89 45 F4 mov [ebp-0Ch], eax
seg000:000002F1 68 E6 17 8F 7B push 7B8F17E6h ; kernel32.dll!GetCurrentProcess
seg000:000002F6 52 push edx
seg000:000002F7 E8 56 FF FF FF call findSymbolByHash
seg000:000002FC 89 45 F0 mov [ebp-10h], eax
seg000:000002FF 68 98 FE 8A 0E push 0E8AFE98h ; kernel32.dll!WinExec
seg000:00000304 52 push edx
seg000:00000305 E8 48 FF FF FF call findSymbolByHash
seg000:0000030A 89 45 EC mov [ebp-14h], eax
seg000:0000030D 8D 03 lea eax, [ebx]
seg000:0000030F 50 push eax
seg000:00000310 FF 55 FC call dword ptr [ebp-4]
seg000:00000313 68 36 1A 2F 70 push 702F1A36h ; urlmon.dll!URLDownloadToFileA
seg000:00000318 50 push eax
seg000:00000319 E8 34 FF FF FF call findSymbolByHash
As you can see, the plugin has identified the hashes: each pushed constant now carries a comment naming the library and export it hashes to. The last one is worth reading in context: the call through [ebp-4] (LoadLibraryA) with the string at ebx loads a library, and its return value in eax is the module base handed to findSymbolByHash together with 0x702F1A36, which resolves to urlmon.dll!URLDownloadToFileA. With WinExec already resolved, this is the usual download-and-execute pattern.
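Putting the two steps above together outside IDA, as an added example (code written for this page, not flare-ida's own): the ROR13 hash that the first list entry implements, a small database built the way make_sc_hash_db.py builds one but from a constructed list of export names instead of the DLLs in <dll_dir>, and a lookup that annotates the pushed constants of the listing the way the plugin does. The table layout, function names, the ror7 and crc32 entries and the sample exports are assumptions of this example, not the plugin's.

```python
"""Rebuild the hash database and the constant lookup outside IDA.
Example code for this page, not flare-ida's; table layout, helper names
and sample data are this example's own assumptions."""
import re
import sqlite3
import zlib

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_add_hash32(bits):
    """Classic shellcode API hash: h = ror(h, bits) + byte over the ASCII
    export name. bits=13 is the ROR13 the page selects in the plugin."""
    def hasher(name):
        h = 0
        for byte in name.encode("ascii"):
            h = (ror32(h, bits) + byte) & MASK32
        return h
    return hasher


def crc32_hash(name):
    """Standard CRC32 of the ASCII name, another algorithm some loaders use."""
    return zlib.crc32(name.encode("ascii")) & MASK32


# Algorithms this example knows; the entries are ours, not the script's table.
HASH_TYPES = {
    "ror13AddHash32": ror_add_hash32(13),
    "ror7AddHash32": ror_add_hash32(7),
    "crc32": crc32_hash,
}

# Constructed stand-in for the export names a real run reads from the DLLs.
SAMPLE_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "WinExec", "ExitProcess",
                     "TerminateProcess", "GetCurrentProcess", "GetSystemDirectoryA"],
    "urlmon.dll": ["URLDownloadToFileA"],
}


def build_db(exports, path=":memory:"):
    """Precompute one (algorithm, library, symbol, hash) row per export."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS symbol_hashes ("
                 "hash_type TEXT, library TEXT, symbol TEXT, hash_val INTEGER)")
    conn.execute("CREATE INDEX IF NOT EXISTS idx_hash "
                 "ON symbol_hashes (hash_type, hash_val)")
    rows = [(htype, lib, sym, fn(sym))
            for htype, fn in HASH_TYPES.items()
            for lib, syms in exports.items()
            for sym in syms]
    conn.executemany("INSERT INTO symbol_hashes VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def lookup(conn, hash_type, value):
    """Every symbol hashing to `value`; more than one means a collision, so
    keep all candidates instead of trusting the first."""
    cur = conn.execute("SELECT library, symbol FROM symbol_hashes WHERE "
                       "hash_type = ? AND hash_val = ? ORDER BY library, symbol",
                       (hash_type, value))
    return ["%s!%s" % (lib, sym) for lib, sym in cur.fetchall()]


# IDA prints immediates as hex with an 'h' suffix and a leading 0 when the
# first digit is a letter (0EC0E4E8Eh); the 0? swallows that prefix.
IMM_RE = re.compile(r"\bpush\s+0?([0-9A-Fa-f]+)h\b")


def resolve_hashes(listing, conn, hash_type="ror13AddHash32"):
    """Map each pushed immediate in the listing to its candidate symbols."""
    return {int(m.group(1), 16): lookup(conn, hash_type, int(m.group(1), 16))
            for m in IMM_RE.finditer(listing)}


def annotate_listing(listing, conn, hash_type="ror13AddHash32"):
    """Append '; lib!symbol' to each push of a known hash, as the plugin does."""
    out = []
    for line in listing.splitlines():
        m = IMM_RE.search(line)
        hits = lookup(conn, hash_type, int(m.group(1), 16)) if m else []
        out.append(line + ("  ; " + ", ".join(hits) if hits else ""))
    return "\n".join(out)


# Constructed extract of the listing shown on this page.
SAMPLE_LISTING = """\
seg000:000002C7 68 8E 4E 0E EC    push    0EC0E4E8Eh
seg000:000002CC 52                push    edx
seg000:000002CD E8 80 FF FF FF    call    findSymbolByHash
seg000:000002FF 68 98 FE 8A 0E    push    0E8AFE98h
seg000:00000304 52                push    edx
seg000:00000305 E8 48 FF FF FF    call    findSymbolByHash
seg000:00000313 68 36 1A 2F 70    push    702F1A36h
"""

if __name__ == "__main__":
    print(annotate_listing(SAMPLE_LISTING, build_db(SAMPLE_EXPORTS)))
```

The lookup deliberately returns a list: with only 32 bits of hash and thousands of exports per DLL, two names can collide, and a constant that was never meant as a hash can still match one. Treat a hit as a lead to confirm against the resolver routine, not as proof.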
Keywords: IDA-Pro plugins reverse-engineering shellcode hashes