{"id":8299,"date":"2022-12-03T22:43:03","date_gmt":"2022-12-03T22:43:03","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8299"},"modified":"2022-12-03T22:43:03","modified_gmt":"2022-12-03T22:43:03","slug":"using-make_sc_hash_db-py-to-create-api-hashing-dbs","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2022\/12\/03\/using-make_sc_hash_db-py-to-create-api-hashing-dbs\/","title":{"rendered":"Using make_sc_hash_db.py to create API hashing DBs"},"content":{"rendered":"\n<p>If you ever used the <em><a href=\"https:\/\/github.com\/mandiant\/flare-ida\/blob\/master\/plugins\/shellcode_hashes_search_plugin.py\">shellcode_hashes<\/a><\/em> IDA plugin from Mandiant, you probably have also used <em>make_sc_hash_db.py<\/em> before. But, if you haven&#8217;t, this post is for you. <\/p>\n\n\n\n<p>The focus of this article is the <em>make_sc_hash_db.py<\/em> script &#8211; it generates the SQLite database <em>sc_hashes.db<\/em> that <em>shellcode_hashes_search_plugin.py<\/em> (run from the IDA GUI) in turn uses to identify immediate values that could be hashes of known APIs inside the disassembled binary. 
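<\/p>\n\n\n\n<p>To make that concrete, here is an added example that is not code from the flare-ida project and does not reproduce the layout of the real <em>sc_hashes.db<\/em>. It mimics what the script and the plugin do together: it hashes a constructed list of DLL export names with two algorithms, stores the rows in a small SQLite table indexed by hash value, and resolves immediates taken from a disassembly back to candidate API names. The ROR13 additive hash is the typical shape of shellcode API hashing; real loaders differ in details such as hashing the terminating null or folding in the module name, which is why the plugin ships many variants. The export lists, the table layout and the function names are this example&#8217;s own assumptions.<\/p>

```python
# Added example, not code from flare-ida: the mechanics behind an API hash
# database. Export lists are constructed; the table layout is this
# example's own and not the schema of the real sc_hashes.db.
import sqlite3
import zlib

MASK32 = 0xFFFFFFFF


def ror32(value, count):
    # Rotate a 32-bit value right by count bits.
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_add_hash32(name):
    # Classic shellcode-style hash: rotate the accumulator right by 13 bits,
    # then add the next byte of the ASCII symbol name. Real loaders differ in
    # details (null terminator, module name), hence the many algos in the plugin.
    val = 0
    for byte in name.encode('ascii'):
        val = (ror32(val, 13) + byte) & MASK32
    return val


def crc32_hash(name):
    # A second algorithm, so one immediate is checked against several hash types.
    return zlib.crc32(name.encode('ascii')) & MASK32


HASH_ALGOS = {
    'ror13AddHash32': ror13_add_hash32,
    'crc32': crc32_hash,
}

# Constructed stand-in for the export tables make_sc_hash_db.py reads from
# the DLLs in the directory it is pointed at.
SAMPLE_EXPORTS = {
    'kernel32.dll': ['LoadLibraryA', 'GetProcAddress', 'VirtualAlloc', 'ExitProcess'],
    'ws2_32.dll': ['WSAStartup', 'socket', 'connect', 'recv'],
}


def build_hash_db(exports, libs=None):
    # Hash every export of every selected DLL with every algorithm and store
    # the rows indexed by hash value. Restricting libs mirrors the advice to
    # regenerate a small DB from a single copied DLL.
    wanted = None if libs is None else {lib.lower() for lib in libs}
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE symbol_hashes ('
        'hash_type TEXT, hash_val INTEGER, lib_name TEXT, symbol_name TEXT)')
    conn.execute('CREATE INDEX hash_val_idx ON symbol_hashes (hash_val)')
    rows = []
    for lib, names in exports.items():
        if wanted is not None and lib.lower() not in wanted:
            continue
        for name in names:
            for algo, func in HASH_ALGOS.items():
                rows.append((algo, func(name), lib, name))
    conn.executemany('INSERT INTO symbol_hashes VALUES (?, ?, ?, ?)', rows)
    conn.commit()
    return conn


def lookup_hash(conn, value):
    # Resolve one immediate to its (algorithm, DLL, symbol) candidates.
    cur = conn.execute(
        'SELECT hash_type, lib_name, symbol_name FROM symbol_hashes '
        'WHERE hash_val = ? ORDER BY hash_type, lib_name, symbol_name', (value,))
    return cur.fetchall()


def resolve_immediates(conn, immediates):
    # Batch lookup for a list of immediates pulled from a disassembly; an
    # empty list means the value is not in this DB and a larger set is needed.
    return {imm: lookup_hash(conn, imm) for imm in immediates}


if __name__ == '__main__':
    db = build_hash_db(SAMPLE_EXPORTS)
    probes = [ror13_add_hash32('LoadLibraryA'), crc32_hash('recv'), 0x11223344]
    for imm, hits in resolve_immediates(db, probes).items():
        print(hex(imm), hits if hits else 'no match, try a larger data set')
```

<p>Running it resolves the ROR13 immediate for <em>LoadLibraryA<\/em> and the CRC32 immediate for <em>recv<\/em> to their DLL and name, while the third, unknown value gets an empty result, which is exactly the situation where you would reach for a larger data set. Passing a <em>libs<\/em> list naming just <em>ws2_32.dll<\/em> to <em>build_hash_db<\/em> builds the single-DLL database the same way.<\/p>

<p>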
It&#8217;s fast and super handy for position-independent code analysis, including inline and implanted PE file loaders that rely on API hashing to resolve imports (multiple API hashing algorithms are supported).<\/p>\n\n\n\n<p>As per the <em>readme.md<\/em>, <em>make_sc_hash_db.py<\/em> is called with the following arguments:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">python make_sc_hash_db.py &lt;database name> &lt;dll directory><\/pre>\n\n\n\n<p>The obvious approach is to run it on a subset of the c:\\windows\\system32 directory, focused on the most common libraries, and the shipped <em>sc_hashes.db<\/em> reflects exactly that: it includes API hashes for only the following libraries:<\/p>\n\n\n\n<ul><li>advapi32.dll<\/li><li>advpack.dll<\/li><li>chrome.dll<\/li><li>comctl32.dll<\/li><li>comdlg32.dll<\/li><li>crypt32.dll<\/li><li>dnsapi.dll<\/li><li>gdi32.dll<\/li><li>hal.dll<\/li><li>imagehlp.dll<\/li><li>IPHLPAPI.DLL<\/li><li>kernel32.dll<\/li><li>lsass.exe<\/li><li>mpr.dll<\/li><li>msvcrt.dll<\/li><li>netapi32.dll<\/li><li>nss3.dll<\/li><li>ntdll.dll<\/li><li>ntoskrnl.exe<\/li><li>odbc32.dll<\/li><li>ole32.dll<\/li><li>oleaut32.dll<\/li><li>psapi.dll<\/li><li>shell32.dll<\/li><li>shfolder.dll<\/li><li>shlwapi.dll<\/li><li>termdd.sys<\/li><li>urlmon.dll<\/li><li>user32.dll<\/li><li>userenv.dll<\/li><li>winhttp.dll<\/li><li>wininet.dll<\/li><li>winmm.dll<\/li><li>winsta.dll<\/li><li>ws2_32.dll<\/li><li>wship6.dll<\/li><li>wsock32.dll<\/li><\/ul>\n\n\n\n<p>BUT<\/p>\n\n\n\n<p>it&#8217;s also handy to have a larger data set available. <\/p>\n\n\n\n<p>When I played with it a few years ago, I generated all hashes from the whole C:\\windows\\system32 directory. <\/p>\n\n\n\n<p>Why? 
<\/p>\n\n\n\n<p>Because you never know when you will stumble upon a hash value that is not represented inside the <em>sc_hashes.db<\/em>.<\/p>\n\n\n\n<p>Now, you may think that replacing the default <em>sc_hashes.db<\/em> with your <em>full_blown_system32_dataset.db<\/em> is the best idea ever, but it&#8217;s not. The <em>sc_hashes.db<\/em> is a 50MB file, and the <em>full_blown<\/em> one is ~600MB. SQLite is fast, but IDA+Python+SQLite, not so much. So, you have been warned.<\/p>\n\n\n\n<p>The bottom line: <\/p>\n\n\n\n<p>Use the default <em>sc_hashes.db<\/em> for all your cases first, and only if you find hashes outside of this set look for the hash inside the <em>full_blown<\/em> one (either via the SQLite interface, or via grep\/rg on a text export). Finally, once you discover which DLL the API hash belongs to, you can always generate a new, small SQLite DB based on that single DLL (it just needs to be copied to a working directory for the <em>make_sc_hash_db.py<\/em> script to process it).<\/p>\n\n\n\n<p>And if you don&#8217;t understand any of it, just download this <a href=\"https:\/\/hexacorn.com\/d\/full_blown_limited_output.zip\">full_blown_limited_output.zip<\/a> file (45MB warning). It includes many hashes and many APIs. You can simply grep it for an unknown API hash. Who knows, maybe you will get lucky&#8230;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you ever used the shellcode_hashes IDA plugin from Mandiant, you probably have also used make_sc_hash_db.py before. But, if you haven&#8217;t, this post is for you. 
The focus of the article is on the make_sc_hash_db.py script &#8211; it is used &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2022\/12\/03\/using-make_sc_hash_db-py-to-create-api-hashing-dbs\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8299"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8299"}],"version-history":[{"count":1,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8299\/revisions"}],"predecessor-version":[{"id":8300,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8299\/revisions\/8300"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8299"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8299"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8299"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}