Ghidra plugin for HashDB

Overview

hashdb-ghidra

This is a Ghidra plugin for HashDB. It allows you to compile a list of API hashes and then to query the HashDB web service for possible matching strings. It collects these associations into an enum or a struct. From there on, you are on your own.

Installation

Two options:

  1. Copy HashDB.java to your ghidra_script directory.
  2. Add the location where HashDB.java is located to your script directory search path in Ghidra's ScriptManager.

We recommend binding the execution of the HashDB.java script to a hotkey, preferably F3.

Usage

The plugin consists of a single window containing a table showing the "currently collected" hashes. You can bring up the window by executing the script (i.e. hitting F3). In addition to opening the window (or showing it, if it was hidden) the script will do different things depending on where your cursor is:

  • If the cursor is on an immediate or constant, it will add that value as a hash to the table.
  • If you selected a memory region, it will interpret it as a list of hashes.
  • Otherwise, it will assume that you want to scan for parameters to the currently opened function.

The GUI is actually perfect and completely intuitive to use with a great UX. But since we are also amazing at documentation, we include the following guidance:

  • The plugin allows you to transform the hash before lookup. You can put a JavaScript expression into the "Hash Transformation" input field. See the REvil example below.
  • When you hit the "Query!" button, the script will use the HashDB web API to list all known and matching hashing algorithms. If there's only one, it will also just resolve all hashes. Otherwise, you have to select the correct algorithm in the "Hash Algorithm" field. Pretty much the same is true for the "String Permutation" field. tl;dr: just click "Query!".
  • You can check the "Resolve Entire module" checkbox if you not only want to add all hashes from the table but also all other hashes from the parent DLLs.
  • The "Scan Function" tab allows you to specify a function name and a parameter location. The script will crawl all function calls and add the corresponding argument to the table.
  • Depending on the different switches and toggles in the "Output"-tab (which is very well-designed), the script will create one or two enums or structs. The order of fields in the resulting structs is the same as in the table. Structs are always overwritten, enums are always merged.

Example Workflow: Netwalker

Consider the sample with the following SHA256 hash

de04d2402154f676f757cf1380671f396f3fc9f7dbb683d9461edd2718c4e09d

and navigate to the function at 0x00401360. The code will look like the following:

iVar1 = FUN_00401220(0x84c05e40);
if (iVar1 != 0) {
  pcVar2 = (code *)FUN_00401000(iVar1,-0x5e2ba68c);
  if (pcVar2 != (code *)0x0) {
    uVar6 = 0x254;
    uVar5 = 8;
    uVar3 = FUN_00406a40();
    DAT_00417194 = (int *)(*pcVar2)(uVar3,uVar5,uVar6);
    if (DAT_00417194 != (int *)0x0) {
      iVar4 = FUN_00401000(iVar1,-0x5e2ba68c);
      *DAT_00417194 = iVar4;
      iVar4 = FUN_00401000(iVar1,-0x50ee43dc);
      DAT_00417194[1] = iVar4;
      iVar4 = FUN_00401000(iVar1,-0x468c4724);
      DAT_00417194[2] = iVar4;
      iVar4 = FUN_00401000(iVar1,-0x7b9c69f6);
/* ... */

You can either click on 0x84C05E40, hit F3; click on -0x5E2BA68C, hit F3, and so on and so forth, until you are ready to "Query!". Alternatively you can double click FUN_00401000 and then hit F3 to bring up the scan function tab. Confirm that the pre-populated value in the "Parameter" field is correct, hit "Scan" and grab a cold cup of water.

Example Workflow: REvil

Consider the sample with the following SHA256 hash

5f56d5748940e4039053f85978074bde16d64bd5ba97f6f0026ba8172cb29e93

and navigate to the memory region at 0x004113F8, convert it to an array of 140 DWORDs and hit F3. This memory region contains all API hashes. Our goal is to create a struct that has the corresponding API function pointers in exactly the same locations. This way, changing the type of this global constant to the struct will make the code all pretty.

REvil's API hashing requires that you figure out a transformation that it applies to the hash. For this sample, the transformation is the following:

((((X ^ 0x76C7) << 0x10) ^ X) ^ 0xAFB9) & 0x1FFFFF /*REvil*/

It will be different for other REvil samples. Make sure to select "Generate Struct" in the "Output" tab and "Query!". When it is done, change the type of 0x004113F8 to HashDB. Happy times.
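The "Hash Transformation" field takes a JavaScript expression in X. The following is an added example, not code from the hashdb-ghidra plugin: it shows how the signed constants from the Netwalker listing normalise to 32-bit hashes, how an expression such as the REvil one is applied to them, and how a self-inverse check on such an expression behaves with and without unsigned normalisation. The evaluator used here (the Function constructor) is an assumption and not the plugin's own.

```javascript
// Added example, not part of the hashdb-ghidra plugin. The plugin's own
// expression evaluator is assumed to differ; this uses the Function constructor.

// Ghidra prints 32-bit immediates as signed ints (-0x5e2ba68c in the Netwalker
// listing); HashDB wants the unsigned DWORD. `>>> 0` reinterprets the low 32
// bits as unsigned, so -0x5e2ba68c becomes 0xa1d45974.
function toDword(value) {
  return value >>> 0;
}

// Evaluate a transformation expression with X bound to the hash.
// JavaScript bitwise operators yield a *signed* 32-bit result, so the output is
// normalised with toDword as well; otherwise a value with its top bit set comes
// back negative and will not compare equal to the original hash.
function applyTransform(expr, hash) {
  const fn = new Function("X", "return (" + expr + ");");
  return toDword(fn(toDword(hash)));
}

// A transformation is self-inverse if applying it twice returns the input.
// Plain XOR with a constant is; the REvil expression is not, because its
// final "& 0x1FFFFF" throws away the upper bits.
function isSelfInverse(expr, samples) {
  return samples.every(h => applyTransform(expr, applyTransform(expr, h)) === toDword(h));
}

// The same round trip comparing raw signed results: it wrongly reports plain
// XOR as not self-inverse for any hash whose top bit is set.
function isSelfInverseSigned(expr, samples) {
  const fn = new Function("X", "return (" + expr + ");");
  return samples.every(h => fn(fn(h)) === h);
}

const REVIL = "((((X ^ 0x76C7) << 0x10) ^ X) ^ 0xAFB9) & 0x1FFFFF /*REvil*/";
const XOR = "X ^ 0x43013fcc /* XOR */";
// Sample hashes: two Netwalker constants from the listing above and one constructed value.
const SAMPLES = [0x84c05e40, -0x5e2ba68c, 0x7B334076];

console.log(toDword(-0x5e2ba68c).toString(16));   // a1d45974
console.log(applyTransform(XOR, 0x7B334076));     // 942833594
console.log(isSelfInverse(XOR, SAMPLES));         // true
console.log(isSelfInverseSigned(XOR, SAMPLES));   // false
console.log(isSelfInverse(REVIL, SAMPLES));       // false
```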

Contributors

Contact us on Twitter or join the OALabs Discord oalabs-dev channel.

Comments
  • Simple XOR transformation not detected as self-inverse

    The transformation string X ^ 0x43013fcc /* XOR */ is to my knowledge a self-inverse transformation, where the inverse would be X ^ 0x43013fcc /* XOR */

    When using this transformation string the "[HashDB] You lied. This transformation is not invertible. I fixed it for you." debug message shows up and the "transformation not invertible" checkbox is checked.

    Perhaps worth checking if there is a casing or datatype mismatch between the original X value and the script engine output.

    bug 
    opened by michaeljgoodman 4
  • Some hashes not resolving via plugin, but are confirmed present in hashdb

    When processing some hashes from a sample, only half the hashes get hits when using the script. When testing, a number of these have been confirmed to be present in hashdb. example:

    hash: 7B334076h
    algorithm: add_ror13
    transformation: X ^ 0x43013fcc

    result in plugin: nothing found, 0 enums added

    steps of manual check for reference:
    hash hex to dec: 2066956406
    xor key hex to dec: 1124155340
    xor result: 94283359
    [GET] call to hashdb api: https://hashdb.openanalysis.net/hash/add_ror13/942833594

    result:

    {
      "hashes": [
        {
          "hash": 942833594,
          "string": {
            "string": "ole32.dll",
            "is_api": false
          }
        }
      ]
    }
    
    bug 
    opened by michaeljgoodman 3
  • Use selected function _call_ to populate the "Scan"-tab

    Right now, we only support scanning for calls of the function currently open in the Decompiler. We should also allow populating the name from the currently selected function call.

    ux 
    opened by larsborn 0
  • Close struct-editor windows before creating the struct

    When resolved hashes are supposed to populate a struct, we first check whether a struct with the same name already exists and remove it. If this struct is open in an editor, Ghidra raises an exception.

    bug 
    opened by larsborn 0
Owner
OALabs