A small utility to deal with malware embedded hashes.

Overview

Uchihash

Uchihash is a small utility that can save malware analysts the time of dealing with embedded hash values used for various things such as:

  • Dynamically importing APIs (especially in shellcode)
  • Checking running process used by analysts (Anti-Analysis)
  • Checking VM or Antivirus artifacts (Anti-Analysis)

Uchihash can generate hashes with your own custom hashing algorithm, search for a list of hashes in an already generated hashmap and also it can generate an IDAPython script to annotate the hashes with their corresponding values for easier analysis.

Installation

$ git clone https://github.com/N1ght-W0lf/Uchihash.git
$ pip install -r requirements.txt

Usage

usage: uchihash.py [-h] [--algo ALGO] [--apis] [--keywords] [--list LIST] [--script SCRIPT] [--search SEARCH] [--hashes HASHES] [--ida]

optional arguments:
  -h, --help       show this help message and exit
  --algo ALGO      Hashing algorithm
  --apis           Calculate hashes of APIs
  --keywords       Calculate hashes of keywords
  --list LIST      Calculate hashes of your own word list
  --script SCRIPT  Script file containing your custom hashing algorithm
  --search SEARCH  Search a JSON File containing hashes mapped to words
  --hashes HASHES  File containing list of hashes to search for
  --ida            Generate an IDAPython script to annotate hash values

Examples:
    * python uchihash.py --algo crc32 --apis
    * python uchihash.py --algo murmur3 --list mywords.txt
    * python uchihash.py --search hashmap.txt --hashes myhashes.txt

Notes

  • --algo: One of the available hashing algorithms

  • --apis: Hashes a huge list of windows APIs (see data/apis_list.txt)

  • --keywords: Hashes a list of common keywords used by malware families such as Analysis tools and VM/Antivirus/EDR artifacts (see data/keywords_list.txt)

  • --list : Words are separated by a newline (see examples/mywords.txt)

  • --script: Hashing function must be called hashme() and the return value must be in hex format 0xDEADBEEF (see examples/custom_algo.txt)

  • --search: File to search must be in JSON format (see examples/searchme.txt)

  • --hashes: Hash values are separated by a newline and they must be in hex format (see examples/myhashes.txt)

see examples folder for more clarification

Available Hashing Algorithms

  • md4
  • md5
  • sha1
  • sha224
  • sha256
  • sha384
  • sha512
  • ripemd160
  • whirlpool
  • crc8
  • crc16
  • crc32
  • crc64
  • djb2
  • sdbm
  • loselose
  • fnv1_32
  • fnv1a_32
  • fnv1_64
  • fnv1a_64
  • murmur3

Example

Let's take an examples with a real malware family, in this case we have BuerLoader which is using hash values to dynamically import APIs and it's using a custom hashing algorithm.

First we need to implement the hashing algorithm in python:

def ROR4(val, bits, bit_size=32):
    return ((val & (2 ** bit_size - 1)) >> bits % bit_size) | \
           (val << (bit_size - (bits % bit_size)) & (2 ** bit_size - 1))
    
def hashme(s):
    res = 0
    for c in s:
        v3 = ROR4(res, 13)
        v4 = c - 32
        if c < 97:
            v4 = c
        res = v4 + v3
    return hex(res)

Then we calculate the hashes of all APIs:

$ python uchihash.py --script custom_algo.py --apis

Finally we search for the hash values that BuerLoader is using in the generated hashmap, we can also generate an IDAPython script to annotate those hash values with their corresponding API names:

$ python uchihash.py --search output/hashmap.txt --hashes buer_hashes.txt --ida

We should get 2 output files, one is "output/search_hashmap.txt" which maps BuerLoader's hash values to API names:

{
  "0x8a8b468c": "LoadLibraryW",
  "0x302ebe1c": "VirtualAlloc",
  "0x1803b7e3": "VirtualProtect",
  "0xe183277b": "VirtualFree",
  "0x24e2968d": "GetComputerNameW",
  "0xab489125": "GetNativeSystemInfo",
  .......
}

The other file is "output/ida_script.py" which will add the comments to your idb:

Owner
Abdallah Elshinbary
Abdallah Elshinbary
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

2.4k Jan 07, 2023
Python APK Reverser & Patcher Tool

DTL-X An Advanced Python APK Reverser and Patcher Tool. --rmads1: target=AndroidManifest.xml,replace=com.google.android.gms.ad --rmads2: No Internet (

DedSecTL 10 Oct 31, 2022
TightVNC Vulnerability.

CVE-2022-23967 In TightVNC 1.3.10, there is an integer signedness error and resultant heap-based buffer overflow in InitialiseRFBConnection in rfbprot

MaherAzzouzi 15 Jul 11, 2022
CVE-2021-26855 SSRF Exchange Server

CVE-2021-26855 Brute Force EMail Exchange Server Timeline: Monday, March 8, 2021: Update Dumping content...(I'm not done, can u guy help me done this

lulz 117 Nov 28, 2022
Generate obfuscated meterpreter shells

Generator Evade AV with obfuscated payloads Installation must install dotnet prior to running the script with net45 Running ./generator.py -ip Your-I

Fawaz Al-Mutairi 219 Nov 28, 2022
A security system to warn you when people enter your room πŸŽ₯

Get Out My Room v0.1 I hate people coming in my room when i'm not there. Get Out My Room is a simple security system that sends notifications with vid

ScriptLine 1 Jan 11, 2022
BurpSuite Extension: Log4j RCE Scanner

BurpSuite Extension: Log4j RCE Scanner

1 Dec 16, 2021
WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user.

WinRemoteEnum WinRemoteEnum is a module-based collection of operations achievable by a low-privileged domain user, sharing the goal of remotely gather

Simon 9 Nov 09, 2022
π™Ύπš™πšŽπš— πš‚πš˜πšžπš›πšŒπšŽ πš‚πšŒπš›πš’πš™πš - π™½πš˜ π™²πš˜πš™πš’πš›πš’πšπš‘πš - πšƒπšŽπšŠπš– πš†πš˜πš›πš” - πš‚πš’πš–πš™πš•πšŽ π™Ώπš’πšπš‘πš˜πš— π™Ώπš›πš˜πš“πšŽπšŒπš - π™²πš›πšŽπšŠπšπšŽπš π™±πš’ : π™°πš•πš• πšƒπšŽπšŠπš– - π™²πš˜πš™πš’π™ΏπšŠπšœπš π™²πšŠπš— π™½πš˜πš π™ΌπšŠπš”πšŽ 𝚈𝚘𝚞 πšπšŽπšŠπš• π™Ώπš›πš˜πšπš›πšŠπš–πš–πšŽπš›

π™Ύπš™πšŽπš— πš‚πš˜πšžπš›πšŒπšŽ πš‚πšŒπš›πš’πš™πš - π™½πš˜ π™²πš˜πš™πš’πš›πš’πšπš‘πš - πšƒπšŽπšŠπš– πš†πš˜πš›πš” - πš‚πš’πš–πš™πš•πšŽ π™Ώπš’πšπš‘πš˜πš— π™Ώπš›πš˜πš“πšŽπšŒπš - π™²πš›πšŽπšŠπšπšŽπš π™±πš’ : π™°πš•πš• πšƒπšŽπšŠπš– - π™²πš˜πš™πš’π™ΏπšŠπšœπš π™²πšŠπš— π™½πš˜πš π™ΌπšŠπš”πšŽ 𝚈𝚘𝚞 πšπšŽπšŠπš• π™Ώπš›πš˜πšπš›πšŠπš–πš–πšŽπš›

CodeX-ID 2 Oct 27, 2022
Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries

Binary check tool to identify command injection and format string vulnerabilities in blackbox binaries. Using xrefs to commonly injected and format string'd files, it will scan binaries faster than F

Christopher Roberts 3 Nov 16, 2021
Installation of hacking tools

Tools-Spartan This is a program that makes it easy for you to download and install tools used in Kali Linux, there are tons of tools available.

1 Nov 10, 2021
IDA plugin for quickly copying disassembly as encoded hex bytes

HexCopy IDA plugin for quickly copying disassembly as encoded hex bytes. This whole plugin just saves you two extra clicks... but if you are frequentl

OALabs 46 Oct 30, 2022
This is a keylogger in python for Windows, Mac and Linux!

Python-Keylogger This is a keylogger in python for Windows, Mac and Linux! #How to use it by downloading the zip file? Download the zip file first The

Zeus_Dxvxm 2 Nov 12, 2021
IDAPatternSearch adds a capability of finding functions according to bit-patterns into the well-known IDA Pro disassembler based on Ghidra’s function patterns format.

IDA Pattern Search by Argus Cyber Security Ltd. The IDA Pattern Search plugin adds a capability of finding functions according to bit-patterns into th

David Lazar 48 Dec 29, 2022
HTTP security headers for Flask

Talisman: HTTP security headers for Flask Talisman is a small Flask extension that handles setting HTTP headers that can help protect against a few co

Google Cloud Platform 854 Dec 30, 2022
Advanced subdomain scanner, any domain hidden subdomains

little advanced subdomain scanner made in python, works very quick and has options to change the port u want it to connect for

Nano 5 Nov 23, 2021
Gmail Accounts Hacking

gmail-hack Gmail Accounts Hacking Gemail-Hack python script for Hack gmail account brute force What is brute force attack? In brute force attack,scrip

Aryan 25 Nov 10, 2022
Bypass ReCaptcha: A Python script for dealing with recaptcha

Bypass ReCaptcha Bypass ReCaptcha is a Python script for dealing with recaptcha.

Marcos Camargo 1 Jan 11, 2022
DNS hijacking via dead records automation tool

DeadDNS Multi-threaded DNS hijacking via dead records automation tool How it works 1) Dig provided subdomains file for dead DNS records. 2) Dig the fo

45 Dec 20, 2022
Keystroke logging, often referred to as keylogging or keyboard capturing

Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware

Harsha G 2 Jan 11, 2022