So, while doing IT support for quite a few customers, I occasionally come across workstations infected different kinds of malware. Usually I clean up those infections. I know “Don’t do that, wipe it and reinstall” you say. But most small companies won’t pay or can’t afford that. So I remove those more or less nasty things.
Every now and then I put a copy of the malware on my thumbdrive to reverse engineer it. While doing that sometimes I come across a piece of malware that loads most of its imports at runtime. Some of those use hashes for the names of windows api functions. Instead of using LoadLibrary and GetProcAddress they use LoadLibrary (some also use the PEB for kernel32 or ntdll) to load libraries and calculate hashes on the exported functions.
This is quite a common one which I come across more often when dealing with malware loading imports at runtime. Sometimes you can find the hashes of common windows api functions using google but most of the times you don’t find all of them that way. So some time ago I built a small tool I called APIhasher. You just specify the path to a dll-file. It then writes all exported function names and their hash-values to an output file in the current directory. I thought someone might find use for it so I put it online. You can download it here. It’s written in masm32 and a radasm-project source included.
Also here are some of the output files I had use for:
Leave a Reply
You must be logged in to post a comment.