Malware string hash lookup plugin for IDA Pro. This plugin connects to the OALABS HashDB Lookup Service.
The hash algorithm database is open source and new algorithms can be added on GitHub here. Pull requests are mostly automated and as long as our automated tests pass the new algorithm will be usable on HashDB within minutes.
Using HashDB
HashDB can be used to look up strings that have been hashed in malware by right-clicking on the hash constant in the IDA disassembly view and launching the HashDB Lookup client.
Settings
Before the plugin can be used to look up hashes the HashDB settings must be configured. The settings window can be launched from the plugins menu Edit->Plugins->HashDB.
Hash Algorithms
Click Refresh Algorithms to pull a list of supported hash algorithms from the HashDB API, then select the algorithm used in the malware you are analyzing.
Optional XOR
There is also an option to enable XOR with each hash value as this is a common technique used by malware authors to further obfuscate hashes.
API URL
The default API URL for the HashDB Lookup Service is https://hashdb.openanalysis.net/. If you are using your own internal server this URL can be changed to point to your server.
Enum Name
When a new hash is identified by HashDB the hash and its associated string are added to an enum in IDA. This enum can then be used to convert hash constants in IDA to their corresponding enum name. The enum name is configurable from the settings in the event that there is a conflict with an existing enum.
Hash Lookup
Once the plugin settings have been configured you can right-click on any constant in the IDA disassembly window and look up the constant as a hash. The right-click also provides a quick way to set the XOR value if needed.
Bulk Import
If a hash is part of a module a prompt will ask if you want to import all the hashes from that module. This is a quick way to pull hashes in bulk. For example, if one of the hashes identified is Sleep from the kernel32 module, HashDB can then pull all the hashed exports from kernel32.
Algorithm Search
HashDB also includes a basic algorithm search that will attempt to identify the hash algorithm based on a hash value. The search will return all algorithms that contain the hash value, it is up to the analyst to decide which (if any) algorithm is correct. To use this functionality right-click on the hash constant and select HashDB Hunt Algorithm.
All algorithms that contain this hash will be displayed in a chooser box. The chooser box can be used to directly select the algorithm for HashDB to use. If Cancel is selected no algorithm will be selected.
Instead of resolving API hashes individually (inline in code) some malware developers will create a block of import hashes in memory. These hashes are then all resolved within a single function creating a dynamic import address table which is later referenced in the code. In these scenarios the HashDB Scan IAT function can be used.
Simply select the import hash block, right-click and choose HashDB Scan IAT. HashDB will attempt to resolve each individual integer type (DWORD/QWORD) in the selected range.
Installing HashDB
Before using the plugin you must install the python requests module in your IDA environment. The simplest way to do this is to use pip from a shell outside of IDA.
pip install requests
Once you have the requests module installed simply copy the latest release of hashdb.py into your IDA plugins directory and you are ready to start looking up hashes!
The HashDB plugin has been developed for use with the IDA 7+ and Python 3 it is not backwards compatible.
More info
- Pentest Reporting Tools
- Hacker Tools Mac
- Hacking Tools Pc
- Pentest Tools
- Hack Tools Pc
- Pentest Tools Free
- Tools Used For Hacking
- Hak5 Tools
- Hack Website Online Tool
- Hack Tools Online
- Hack Tools For Mac
- Pentest Tools Github
- Computer Hacker
- Pentest Tools
- Hacker Search Tools
- Hacking Tools
- Hacking Tools For Kali Linux
- Hacking Tools For Windows 7
- Install Pentest Tools Ubuntu
- Wifi Hacker Tools For Windows
- Pentest Tools Open Source
- Growth Hacker Tools
- Tools For Hacker
- Pentest Tools For Android
- How To Hack
- Pentest Tools Website Vulnerability
- Hacking Tools Usb
- Hacker Tools List
- Hacking Tools Free Download
- Pentest Tools Open Source
- Hacking Tools Kit
- Hack Apps
- Pentest Tools Website Vulnerability
- Hack Tools
- Hacker Techniques Tools And Incident Handling
- Hacking Tools Online
- Hacker
- Pentest Tools For Mac
- Pentest Tools Apk
- Hack Tools For Ubuntu
- How To Hack
- Nsa Hacker Tools
- Hackrf Tools
- Kik Hack Tools
- Hacker Hardware Tools
- Easy Hack Tools
- Hacker Search Tools
- Hacker Tools For Ios
- Pentest Tools Free
- Hacker Techniques Tools And Incident Handling
- Hackers Toolbox
- What Is Hacking Tools
- Hacker Tools For Pc
- Pentest Tools Free
- Hak5 Tools
- Hacker Tools Mac
- Pentest Tools Free
- Hacking Tools Hardware
- Hack And Tools
- Hacker Tools
- Hacker Tools Online
- Hack Tools Download
- Hacking Tools Download
- Hack Tools For Windows
- Hacking App
- Pentest Tools Url Fuzzer
- Pentest Tools Free
- Hacking Tools For Kali Linux
- Hacker Tools For Windows
- Hacker Tools Free Download
- Pentest Tools Tcp Port Scanner
- Ethical Hacker Tools
- Hacking Tools Windows 10
- Top Pentest Tools
- Hacker
- Hacker Tools Windows
- Pentest Recon Tools
- Hak5 Tools
- Pentest Tools Find Subdomains
- Hacker Search Tools
- Hack Tool Apk
- Hacker Tools Free Download
- Pentest Tools Free
- Pentest Tools For Mac
- Pentest Tools Windows
- Usb Pentest Tools
- Hack And Tools
- Hacker Tools List
- Hacker Tools 2020
- Hacking Tools For Windows 7
- Hack Tools
- Hackrf Tools
- Pentest Tools Open Source
- Hacker Tools Mac
- What Is Hacking Tools
- Pentest Tools Bluekeep
No comments:
Post a Comment