So, while doing IT support for quite a few customers, I occasionally come across workstations infected with different kinds of malware. Usually I clean up those infections. I know, “Don’t do that, wipe it and reinstall,” you say. But most small companies won’t pay for that or can’t afford it. So I remove those more or less nasty things.

Every now and then I put a copy of the malware on my thumb drive to reverse engineer it. While doing that I sometimes come across a piece of malware that loads most of its imports at runtime. Some of those use hashes instead of the names of Windows API functions: rather than calling LoadLibrary and GetProcAddress, they use LoadLibrary (some also walk the PEB to find kernel32 or ntdll) to load the libraries and then calculate hashes over the exported function names to find the one they want.

Figure: CalculateProcHash

This is quite a common one, which I come across more often when dealing with malware that loads its imports at runtime. Sometimes you can find the hashes of common Windows API functions using Google, but most of the time you don’t find all of them that way. So some time ago I built a small tool I called APIhasher. You just specify the path to a DLL file; it then writes all exported function names and their hash values to an output file in the current directory. I thought someone might find it useful, so I put it online. You can download it here. It’s written in masm32, and the source is included as a RadASM project.
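To make the two steps above concrete (hashing exported names, and turning that into a lookup table an analyst can use to resolve the hashes found in a sample), here is an added example in Python. It is not the APIhasher tool from this post and is not taken from the masm32 source; it is a stand-alone illustration written for this page. It parses the export table of a PE32 or PE32+ DLL with the standard library only. The post does not say which hash routine the sample’s CalculateProcHash implements, so the rotate-right-and-add scheme used here (ROR13 by default, with the rotate count as a parameter) is an assumption picked because it is widely documented; swap in the routine recovered from the disassembly when working on a real sample.

```python
"""
APIhasher-style table builder (added example, not the post's own tool).
Parses a DLL export table with the standard library only and hashes every
exported name. The hash scheme is an assumption: rotate-right-by-N-and-add
(ROR13 by default); the post does not state which routine its sample uses.
"""
import os
import struct
import sys

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits`."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_add_hash(name, bits=13):
    """h = ror(h, bits) + byte for each ASCII byte of the export name.
    With bits=13 this is the classic ROR13 API hash (an assumed scheme)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, bits) + b) & MASK32
    return h


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x not inside any section" % rva)


def _cstring(data, offset):
    end = data.index(b"\x00", offset)
    return data[offset:end].decode("ascii", errors="replace")


def export_names(data):
    """Return the exported function names of a PE image given as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                           # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)         # data directories
    export_rva = struct.unpack_from("<I", data, dir_off)[0]  # entry 0: exports
    if export_rva == 0:
        return []
    sections = []
    sec = opt + opt_size
    for i in range(num_sections):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    num_names = struct.unpack_from("<I", data, exp + 24)[0]   # NumberOfNames
    names_rva = struct.unpack_from("<I", data, exp + 32)[0]   # AddressOfNames
    names_off = _rva_to_offset(names_rva, sections)
    names = []
    for i in range(num_names):
        name_rva = struct.unpack_from("<I", data, names_off + 4 * i)[0]
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
    return names


def build_hash_table(names, bits=13):
    """Map hash -> export name so hashes seen in a sample can be resolved.
    32-bit hashes can collide, so colliding names are kept side by side."""
    table = {}
    for name in names:
        h = ror_add_hash(name, bits)
        if h in table and table[h] != name:
            table[h] = table[h] + "|" + name
        else:
            table[h] = name
    return table


def resolve_hashes(unknown, table):
    """Look up hash constants pulled from a sample; unresolved ones map to None."""
    return {h: table.get(h) for h in unknown}


def write_table(path, table):
    with open(path, "w") as f:
        for h in sorted(table):
            f.write("%08X %s\n" % (h, table[h]))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: apihasher.py <dll> [rotate-bits]")
    rot = int(sys.argv[2]) if len(sys.argv) > 2 else 13
    with open(sys.argv[1], "rb") as f:
        exports = export_names(f.read())
    hashes = build_hash_table(exports, rot)
    write_table(os.path.basename(sys.argv[1]) + ".hashes.txt", hashes)
    print("%d exports hashed with ROR%d" % (len(exports), rot))
```

Run it against a copy of the DLL the sample loads (for example `python apihasher.py kernel32.dll`) and grep the resulting text file for the constants you see being compared in the hash loop; `resolve_hashes` does the same for a list of constants pulled out of the disassembly. Build the table from the exact DLL version the infected machine had, since exports differ between Windows releases.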

Here are also some of the output files I have had use for:
advapi32.dll
gdi32.dll
iphlpapi.dll
kernel32.dll
nspr4.dll
ntdll.dll
ole32.dll
oleaut32.dll
setupapi.dll
shell32.dll
shlwapi.dll
urlmon.dll
user32.dll
version.dll
wininet.dll
ws2_32.dll
wsock32.dll
wtsapi32.dll
