Mirrors/ioc-collection
6
0
Fork 0
mirror of https://github.com/avast/ioc synced 2024-06-30 18:51:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
620551c0d6
ioc-collection/CobaltStrike/api_hashes/generate_hash.py
avast-ti 182b952a63
Add files via upload
2021-07-08 01:31:29 +02:00

63 lines
2.0 KiB
Python
Raw Blame History

import sys
import pefile
from pathlib import Path
def ROR(data, bits):
return (data >> bits | data << (32 - bits)) & 0xFFFFFFFF
def hash_api(dll_name, api_name):
# normalize api name
api = bytes(api_name,'utf-8') + b'\x00'
# normalize dll name
dll = dll_name.upper().encode('utf-16')[2:] + b'\x00\x00'
# compute api hash
api_hash = 0
for i in range(len(api)):
api_hash = ROR(api_hash,0x0d) + api[i]
# compute dll hash
dll_hash = 0
for i in range(len(dll)):
dll_hash = ROR(dll_hash,0x0d) + dll[i]
# compute final hash
final_hash = (api_hash + dll_hash) & 0xFFFFFFFF
print('0x%08x,%s_%s' % (final_hash, dll_name, api_name))
def compute_dir(p,file_type='dll'):
for fp in p.iterdir():
if fp.is_file() and fp.name.endswith(file_type):
pe = pefile.PE(fp)
try:
for export in pe.DIRECTORY_ENTRY_EXPORT.symbols:
if export.name != None:
hash_api(fp.name, export.name.decode('utf-8'))
except:
pass
def main():
if len(sys.argv) < 3:
print('Usage:\ngenerate_hash.py -i <dll_name,api_name>\ngenerate_hash.py -d <path_to_directory>')
sys.exit()
if sys.argv[1] == '-i':
try:
dll_name,api_name = sys.argv[2].split(',')
hash_api(dll_name,api_name)
except ValueError:
print('Wrong input format.\nPlease use: dll_name,api_name\nExample: generate_hash.py -i kernel32.dll,VirtualAlloc')
sys.exit()
elif sys.argv[1] == '-d':
p = Path(sys.argv[2])
if p.is_dir():
compute_dir(p)
else:
print('Wrong path. Please input valid path to directory.')
sys.exit()
else:
print('Usage:\ngenerate_hash.py -i <dll_name,api_name>\ngenerate_hash.py -d <path_to_directory>')
sys.exit()
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink