IDA-Pro/plugins/flare-ida/shellcode-hashes

From aldeid
Shellcode Hashes

Description

The shellcode_hashes_search_plugin.py IDA plugin implements the hash searching described here.

The shellcode_hashes directory contains the script used to create the database for the shellcode_hash_search.py script, along with a provided database.

Installation

Refer to the Flare-on installation section.

Usage

Generating a local database

Note

There is a syntax error that you need to fix before using the make_sc_hash_db.py script:

$ python make_sc_hash_db.py
  File "make_sc_hash_db.py", line 501
    class ShellcodeDbCreator(object):
        ^
SyntaxError: invalid syntax

It can be fixed using the following patch:

$ cat make_sc_hash_db.patch 
--- make_sc_hash_db.py	2015-05-30 11:41:57.803752637 +0200
+++ make_sc_hash_db.py.patched	2015-05-30 11:42:33.239752447 +0200
@@ -492,7 +492,7 @@
     ('sll1AddHash32',           32, pseudocode_sll1AddHash32),
     ('playWith0xedb88320Hash',  32, pseudocode_playWith0xedb88320Hash),
     ('crc32',                   32, 'Standard crc32'),
-
+]
 
 ############################################################
 # Database creator
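Review bot: the `+]` is the entire fix; the removed `-` line is blank, so the list of hash-type tuples ending with the `('crc32', 32, 'Standard crc32'),` entry was never closed, which is why Python reports the error at the next statement (`class ShellcodeDbCreator(object):` on line 501) rather than inside the list itself. The trailing comma after the last tuple is legal inside a Python list literal and does not need to be removed.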
$ patch -p0 < make_sc_hash_db.patch 
patching file make_sc_hash_db.py

The plugin uses a SQLite database of pre-calculated hashes to resolve the values found in the disassembly. It is shipped with an initial database (sc_hashes.db) that you can use, but you can also generate your own from a directory of DLLs. To do that, use the make_sc_hash_db.py Python script as follows:

Usage: python make_sc_hash_db.py <db_path> <dll_dir>

Using the plugin

Given the following decoded shellcode extract:

[SNIP]
seg000:000002BF                         sub_2BF         proc near               ; CODE XREF: sub_2BF:loc_364↑p
seg000:000002BF 5B                                      pop     ebx
seg000:000002C0 E8 D9 FF FF FF                          call    findKernel32Base
seg000:000002C5 89 C2                                   mov     edx, eax
seg000:000002C7 68 8E 4E 0E EC                          push    0EC0E4E8Eh
seg000:000002CC 52                                      push    edx
seg000:000002CD E8 80 FF FF FF                          call    findSymbolByHash
seg000:000002D2 89 45 FC                                mov     [ebp-4], eax
seg000:000002D5 68 C1 79 E5 B8                          push    0B8E579C1h
seg000:000002DA 52                                      push    edx
seg000:000002DB E8 72 FF FF FF                          call    findSymbolByHash
seg000:000002E0 89 45 F8                                mov     [ebp-8], eax
seg000:000002E3 68 83 B9 B5 78                          push    78B5B983h
seg000:000002E8 52                                      push    edx
seg000:000002E9 E8 64 FF FF FF                          call    findSymbolByHash
seg000:000002EE 89 45 F4                                mov     [ebp-0Ch], eax
seg000:000002F1 68 E6 17 8F 7B                          push    7B8F17E6h
seg000:000002F6 52                                      push    edx
seg000:000002F7 E8 56 FF FF FF                          call    findSymbolByHash
seg000:000002FC 89 45 F0                                mov     [ebp-10h], eax
seg000:000002FF 68 98 FE 8A 0E                          push    0E8AFE98h
seg000:00000304 52                                      push    edx
seg000:00000305 E8 48 FF FF FF                          call    findSymbolByHash
[SNIP]

The plugin will resolve the hash values pushed before each call to findSymbolByHash in the listing above (e.g. 0xEC0E4E8E, 0xB8E579C1, ...). To use it, go to Edit > Plugins > Shellcode Hashes and pick the database (either the initial one shipped with the plugin or the one you have generated). Then choose a transformation from the proposed list; the most common one is the first, ROR13. Click OK:

[Screenshot: Shellcode Hashes plugin dialog (Ida-pro-plugins-flare-on-shellcode-hashes-window.png)]

Below is the annotated listing after running the plugin:

seg000:000002BF                         sub_2BF         proc near               ; CODE XREF: sub_2BF:loc_364↑p
seg000:000002BF 5B                                      pop     ebx
seg000:000002C0 E8 D9 FF FF FF                          call    findKernel32Base
seg000:000002C5 89 C2                                   mov     edx, eax
seg000:000002C7 68 8E 4E 0E EC                          push    0EC0E4E8Eh      ; kernel32.dll!LoadLibraryA
seg000:000002CC 52                                      push    edx
seg000:000002CD E8 80 FF FF FF                          call    findSymbolByHash
seg000:000002D2 89 45 FC                                mov     [ebp-4], eax
seg000:000002D5 68 C1 79 E5 B8                          push    0B8E579C1h      ; kernel32.dll!GetSystemDirectoryA
seg000:000002DA 52                                      push    edx
seg000:000002DB E8 72 FF FF FF                          call    findSymbolByHash
seg000:000002E0 89 45 F8                                mov     [ebp-8], eax
seg000:000002E3 68 83 B9 B5 78                          push    78B5B983h       ; kernel32.dll!TerminateProcess
seg000:000002E8 52                                      push    edx
seg000:000002E9 E8 64 FF FF FF                          call    findSymbolByHash
seg000:000002EE 89 45 F4                                mov     [ebp-0Ch], eax
seg000:000002F1 68 E6 17 8F 7B                          push    7B8F17E6h       ; kernel32.dll!GetCurrentProcess
seg000:000002F6 52                                      push    edx
seg000:000002F7 E8 56 FF FF FF                          call    findSymbolByHash
seg000:000002FC 89 45 F0                                mov     [ebp-10h], eax
seg000:000002FF 68 98 FE 8A 0E                          push    0E8AFE98h       ; kernel32.dll!WinExec
seg000:00000304 52                                      push    edx
seg000:00000305 E8 48 FF FF FF                          call    findSymbolByHash
seg000:0000030A 89 45 EC                                mov     [ebp-14h], eax
seg000:0000030D 8D 03                                   lea     eax, [ebx]
seg000:0000030F 50                                      push    eax
seg000:00000310 FF 55 FC                                call    dword ptr [ebp-4]
seg000:00000313 68 36 1A 2F 70                          push    702F1A36h       ; urlmon.dll!URLDownloadToFileA
seg000:00000318 50                                      push    eax
seg000:00000319 E8 34 FF FF FF                          call    findSymbolByHash

As you can see, the plugin has identified the hashes.


Keywords: IDA-Pro plugins reverse-engineering shellcode hashes