So, while doing IT support for quite a few customers, I occasionally come across workstations infected different kinds of malware. Usually I clean up those infections. I know “Don’t do that, wipe it and reinstall” you say. But most small companies won’t pay or can’t afford that. So I remove those more or less nasty things.

Every now and then I put a copy of the malware on my thumbdrive to reverse engineer it. While doing that sometimes I come across a piece of malware that loads most of its imports at runtime. Some of those use hashes for the names of windows api functions. Instead of using LoadLibrary and GetProcAddress they use LoadLibrary (some also use the PEB for kernel32 or ntdll) to load libraries and calculate hashes on the exported functions.

CalculateProcHash

This is quite a common one which I come across more often when dealing with malware loading imports at runtime. Sometimes you can find the hashes of common windows api functions using google but most of the times you don’t find all of them that way. So some time ago I built a small tool I called APIhasher. You just specify the path to a dll-file. It then writes all exported function names and their hash-values to an output file in the current directory. I thought someone might find use for it so I put it online. You can download it here. It’s written in masm32 and a radasm-project source included.

Also here are some of the output files I had use for:

advapi32.dll

gdi32.dll

iphlpapi.dll

kernel32.dll

nspr4.dll

ntdll.dll

ole32.dll

oleaut32.dll

setupapi.dll

shell32.dll

shlwapi.dll

urlmon.dll

user32.dll

version.dll

wininet.dll

ws2_32.dll

wsock32.dll

wtsapi32.dll

Leave a Reply

You must be logged in to post a comment.