By Waseem Akram on 11/8/2024
Today we’re going to see how real malware protect themselves from being analyzed using a technique called Api Hashing. First of all we should...
Hello hackers!
Today we’re going to see how real malware protect themselves from being analyzed using a technique called Api Hashing.
First of all we should know what the IAT of a PE file is. IAT means Import Address Table and is part of the PE (Portable Executable) structure and its components are this (Golang code):
If you don’t know too much about this you should take a look at https://0xrick.github.io/ blog, he has some fascinating posts about the different parts of PE files.
Malware analyzers and PE parsers (ab)use the IAT of files as it reveals really useful information which can determine if a PE imports some strange functions or DLLs. For example if you test this out without payload from the first Malware Development post you will see that it imports OpenProcess, VirtualAllocEx, WriteProcessMemory
and CreateRemoteThreadEx
which is a strong sign of malware. But what if we hide the imported functions in the IAT?
At this point red teamers use Api Hashing, a technique in which the function is represented as a hash, and you get its syscall to call it later so the strings can’t be analyzed. The main workflow will be something like this:
If someone looks at the source code, he/she won’t be able to know which Windows API function is trying to call as only the hash is visible. The hashing algorithm can be whatever you want, or you can create your custom encoding algorithm, in our case we’ll be using sha256
First of all we will code a simple program which will receive a string via CLI and will print it as a sha256 hash
If we test it we see that it works as expected.
Here are the function names converted to hashes:
Here are the function names converted to hashes:
In this case we’ll be using the same injection technique of the first post but replacing kernel32 functions like VirtualAlloc to native ones.
Now we have to create a function which takes care of getting all function names from ntdll.dll, converting it to sha256 and checking if hashes match. For this we use github.com/Binject/debug/pe an useful package to interact with PE files.
We also have to define the RvaToOffset() function
Once we have those functions, we have to use the syscall ID and we can do it using the hooka.Syscall() function from my own malware dev project which receives an uint16 argument (syscall) and an unlimited amout of uintptr arguments (arguments):
I won’t explain in depth the usage of the native functions arguments, but I’ve chosen them as they’re easier to use with the handles and process because the common functions like OpenProcess directly return the process handle and we can’t do that if we’re executing the functions like this so it’s better with native functions.
There are some comments along the code to help you understanding it:
Let’s test it out
Compile the golang code:
Transfer the generated .exe to a Windows machine
And finally the shellcode gets executed
Let’s see what VirusTotal say about our payload
We’ve learned that this technique is really useful as it protect our malware from being analyzed and AV/EDR can’t know what Windows API functions we are importing by directly looking at the IAT of the PE.
Source code here
This course is designed to be hands-on and beginner-friendly, so even if you’re new to the world of network security, you’ll be able to follow along with ease. By the end, you'll have a
Read MoreToday we’ll dump LSASS.EXE process memory to obtain credentials and we also will be using some evasion techniques. During red team...
Read MoreToday we’re gonna see an effective technique to mantain access in Windows systems during red team operations just by modifying a registry key...
Read MoreToday we’ll learn an advanced shellcode injection technique used by Lazarus group which uses UuidFromStringA API call. In this technique, the malware..
Read MoreInstahack is a security tool officially designed to test the password strength of Instagram accounts using termux and kali with a brute force attack...
Read MoreToday we’re gonna see a simple malware development technique, Shellcode injection via CreateRemoteThread in Golang...
Read More