Brent Cook
153 lines
5.7 KiB
Python
Executable File
153 lines
5.7 KiB
Python
Executable File
#!/usr/bin/env python3
|
|
#=============================================================================#
|
|
# This script can detect hash collisions between exported API functions in
|
|
# multiple modules by either scanning a directory tree or just a single module.
|
|
# This script can also just output the correct hash value for any single API
|
|
# function for use with the 'api_call' function in 'block_api.asm'.
|
|
#
|
|
# Example: Detect fatal collisions against all modules in the C drive:
|
|
# >hash.py /dir c:\
|
|
#
|
|
# Example: List the hashes for all exports from kernel32.dll (As found in 'c:\windows\system32\')
|
|
# >hash.py /mod c:\windows\system32\ kernel32.dll
|
|
#
|
|
# Example: Simply print the correct hash value for the function kernel32.dll!WinExec
|
|
# >hash.py kernel32.dll WinExec
|
|
#
|
|
# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
|
|
#=============================================================================#
|
|
import pefile
|
|
from sys import path
|
|
import os
|
|
import time
|
|
import sys
|
|
|
|
# Modify this path to pefile to suit your machine...
|
|
pefile_path = 'D:\\Development\\Frameworks\\pefile\\'
|
|
|
|
path.append(pefile_path)
|
|
collisions = [(0x006B8029, 'ws2_32.dll!WSAStartup'),
|
|
(0xE0DF0FEA, 'ws2_32.dll!WSASocketA'),
|
|
(0x6737DBC2, 'ws2_32.dll!bind'),
|
|
(0xFF38E9B7, 'ws2_32.dll!listen'),
|
|
(0xE13BEC74, 'ws2_32.dll!accept'),
|
|
(0x614D6E75, 'ws2_32.dll!closesocket'),
|
|
(0x6174A599, 'ws2_32.dll!connect'),
|
|
(0x5FC8D902, 'ws2_32.dll!recv'),
|
|
(0x5F38EBC2, 'ws2_32.dll!send'),
|
|
|
|
(0x5BAE572D, 'kernel32.dll!WriteFile'),
|
|
(0x4FDAF6DA, 'kernel32.dll!CreateFileA'),
|
|
(0x13DD2ED7, 'kernel32.dll!DeleteFileA'),
|
|
(0xE449F330, 'kernel32.dll!GetTempPathA'),
|
|
(0x528796C6, 'kernel32.dll!CloseHandle'),
|
|
(0x863FCC79, 'kernel32.dll!CreateProcessA'),
|
|
(0xE553A458, 'kernel32.dll!VirtualAlloc'),
|
|
(0x300F2F0B, 'kernel32.dll!VirtualFree'),
|
|
(0x0726774C, 'kernel32.dll!LoadLibraryA'),
|
|
(0x7802F749, 'kernel32.dll!GetProcAddress'),
|
|
(0x601D8708, 'kernel32.dll!WaitForSingleObject'),
|
|
(0x876F8B31, 'kernel32.dll!WinExec'),
|
|
(0x9DBD95A6, 'kernel32.dll!GetVersion'),
|
|
(0xEA320EFE, 'kernel32.dll!SetUnhandledExceptionFilter'),
|
|
(0x56A2B5F0, 'kernel32.dll!ExitProcess'),
|
|
(0x0A2A1DE0, 'kernel32.dll!ExitThread'),
|
|
|
|
(0x6F721347, 'ntdll.dll!RtlExitUserThread'),
|
|
|
|
(0x23E38427, 'advapi32.dll!RevertToSelf')
|
|
]
|
|
|
|
collisions_detected = {}
|
|
modules_scanned = 0
|
|
functions_scanned = 0
|
|
|
|
def ror(dword, bits):
|
|
return (dword >> bits | dword << (32 - bits)) & 0xFFFFFFFF
|
|
|
|
def unicode(string, uppercase=True):
|
|
result = ''
|
|
if uppercase:
|
|
string = string.upper()
|
|
for c in string:
|
|
result += c + '\x00'
|
|
return result
|
|
|
|
def hash(module, function, bits=13, print_hash=True):
|
|
module_hash = 0
|
|
function_hash = 0
|
|
for c in unicode(module + '\x00'):
|
|
module_hash = ror(module_hash, bits)
|
|
module_hash += ord(c)
|
|
for c in str(function + b'\x00'):
|
|
function_hash = ror(function_hash, bits)
|
|
function_hash += ord(c)
|
|
h = module_hash + function_hash & 0xFFFFFFFF
|
|
if print_hash:
|
|
print('[+] 0x%08X = %s!%s' % (h, module.lower(), function))
|
|
return h
|
|
|
|
def scan(dll_path, dll_name, print_hashes=False, print_collisions=True):
|
|
global modules_scanned
|
|
global functions_scanned
|
|
dll_name = dll_name.lower()
|
|
modules_scanned += 1
|
|
pe = pefile.PE(os.path.join(dll_path, dll_name))
|
|
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
|
|
if export.name is None:
|
|
continue
|
|
h = hash(dll_name, export.name, print_hash=print_hashes)
|
|
for (col_hash, col_name) in collisions:
|
|
if col_hash == h and col_name != '%s!%s' % (dll_name, export.name):
|
|
if h not in collisions_detected.keys():
|
|
collisions_detected[h] = []
|
|
collisions_detected[h].append(
|
|
(dll_path, dll_name, export.name))
|
|
break
|
|
functions_scanned += 1
|
|
|
|
def scan_directory(dir):
|
|
for dot, dirs, files in os.walk(dir):
|
|
for file_name in files:
|
|
if file_name[-4:] == '.dll': # or file_name[-4:] == ".exe":
|
|
scan(dot, file_name)
|
|
print('\n[+] Found %d Collisions.\n' % (len(collisions_detected)))
|
|
for h in collisions_detected.keys():
|
|
for (col_hash, col_name) in collisions:
|
|
if h == col_hash:
|
|
detected_name = col_name
|
|
break
|
|
print('[!] Collision detected for 0x%08X (%s):' % (h, detected_name))
|
|
for (collided_dll_path, collided_dll_name, collided_export_name) in collisions_detected[h]:
|
|
print('\t%s!%s (%s)' %
|
|
(collided_dll_name, collided_export_name, collided_dll_path))
|
|
print('\n[+] Scanned %d exported functions via %d modules.\n' %
|
|
(functions_scanned, modules_scanned))
|
|
|
|
def usage():
|
|
print(
|
|
'Usage: hash.py [/dir <path>] | [/mod <path> <module.dll>] | [<module.dll> <function>]')
|
|
|
|
|
|
def main(argv=None):
|
|
if not argv:
|
|
argv = sys.argv
|
|
if len(argv) == 1:
|
|
usage()
|
|
else:
|
|
print('[+] Ran on %s\n' % (time.asctime(time.localtime())))
|
|
if argv[1] == '/dir':
|
|
print("[+] Scanning directory '%s' for collisions..." % argv[2])
|
|
scan_directory(argv[2])
|
|
elif argv[1] == '/mod':
|
|
print("[+] Scanning module '%s' in directory '%s'..." %
|
|
(argv[3], argv[2]))
|
|
scan(argv[2], argv[3], print_hashes=True)
|
|
elif len(argv) < 3:
|
|
usage()
|
|
else:
|
|
hash(argv[1], argv[2])
|
|
|
|
if __name__ == '__main__':
|
|
main()
|